Hi Paul,
Did you install http://support.microsoft.com/kb/951191 onto your 2008 AD
server (it did not work in my case without this patch) ?
If it is not related to the above, do you know if your 2008 server tries to
use AES encryption (check the exchange between your 2008 server and AD on
port 88) ?
Do you have any Windows 7 clients too ? Do they work ?
Sorry for that many questions.
Regards
Markus
"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
news:19672EECFB9AE340833C84F3E90B5956043780EE@xxxxxxxxxxxxxxxxxxxxxx
Hi Markus
My AD servers (I have 2) are both Windows 2008 R2. AD is running at the
2003
functional level. The AD environment is the same one that is working OK
with
Squid and Kerberos authentication for Windows XP workstations running IE8.
Regards
Paul
-----Original Message-----
From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
Sent: Wednesday, 27 October 2010 5:09 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication using squid_kerb_auth with
Internet Explorer 8 on Windows Server 2008 R2
Hi Paul,
Is your AD server 2003 or 2008 ?
Markus
"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
news:19672EECFB9AE340833C84F3E90B5956042A4932@xxxxxxxxxxxxxxxxxxxxxx
Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper. This
setup
is
working well and successfully authenticates Windows domain users when
they
are logged in using their domain credentials on Windows XP workstations
using
Internet Explorer (v6,7 and 8) and Firefox.
Squid is configured with two helpers, the first, squid_kerb_auth and
the
second, the Samba ntlm helper.
However, today I came across a problem when using Internet Explorer 8
on a
server running Windows Server 2008 R2. The IE8 enhanced security mode
is
disabled and the logged in user is a standard domain user. The Windows
server is joined to the domain and is not a domain controller. The
Windows
server is up to date with Microsoft patches and updates.
Authentication is failing for some reason. Instead of authenticating
silently, the user is prompted for a username and password 6 times
before
receiving the Cache Access Denied message.
If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.
In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified
GSS
failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error
returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure.
Minor code may provide more information. '
Has anyone else found this with IE8 on Windows Server 2008 R2? Is it
due to
the 64-bit version of IE8 or some unusual interaction between the IE8
version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
I have a Wireshark capture of the traffic between the browser session
on
Windows Server 2008 R2 and the proxy server during authentication and
would
like to assist with investigating the problem further if someone can
provide
some advice as to where to look.
Regards
Paul
