Markus

Don't worry about asking too many questions - I am happy to answer. Generally questions will lead to some sort of answer or at least a greater understanding of the problem.

I just sent a reply to Nick's email and in that I mention the difference between encryption types for Kerberos tickets on Win XP and Win 2008 R2. I suspect this is the problem - in particular AES-256 encryption.

I have checked on the Windows 2008 R2 servers and cannot see the patch 951191 installed. Reading up on the Microsoft site about this patch, it seems it only applies to Windows 2008 (32-bit and 64-bit) rather than Windows 2008 R2.

Unfortunately, I don't have a Win 7 workstation to try.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Wednesday, 27 October 2010 7:38 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Did you install http://support.microsoft.com/kb/951191 onto your 2008 AD
> server (it did not work in my case without this patch) ?
>
> If it is not related to the above, do you know if your 2008 server tries to
> use AES encryption (check the exchange between your 2008 server and AD on
> port 88) ?
>
> Do you have any Windows 7 clients too ? Do they work ?
>
> Sorry for that many questions.
>
> Regards
> Markus
>
>
> "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> news:19672EECFB9AE340833C84F3E90B5956043780EE@xxxxxxxxxxxxxxxxxxxxxx
> Hi Markus
> My AD servers (I have 2) are both Windows 2008 R2. AD is running at the 2003
> functional level. The AD environment is the same one that is working OK with
> Squid and Kerberos authentication for Windows XP workstations running IE8.
>
> Regards
>
> Paul
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Wednesday, 27 October 2010 5:09 AM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
> >
> > Hi Paul,
> >
> > Is your AD server 2003 or 2008 ?
> >
> > Markus
> >
> > "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> > news:19672EECFB9AE340833C84F3E90B5956042A4932@xxxxxxxxxxxxxxxxxxxxxx
> > Hi.
> > I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> > enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> > This setup is working well and successfully authenticates Windows domain
> > users when they are logged in using their domain credentials on Windows XP
> > workstations using Internet Explorer (v6,7 and 8) and Firefox.
> >
> > Squid is configured with two helpers, the first, squid_kerb_auth and the
> > second, the Samba ntlm helper.
> >
> > However, today I came across a problem when using Internet Explorer 8 on a
> > server running Windows Server 2008 R2. The IE8 enhanced security mode is
> > disabled and the logged in user is a standard domain user. The Windows
> > server is joined to the domain and is not a domain controller. The Windows
> > server is up to date with Microsoft patches and updates.
> >
> > Authentication is failing for some reason. Instead of authenticating
> > silently, the user is prompted for a username and password 6 times before
> > receiving the Cache Access Denied message.
> >
> > If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> > leaving only the Samba NTLM helper, authentication works successfully.
> >
> > In cache.log I find:
> > squid_kerb_auth: DEBUG: Got 'YR YII...
> > squid_kerb_auth: DEBUG: Decode 'YII...
> > squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> > squid_kerb_auth: INFO: User not authenticated
> > authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
> >
> > Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
> > the 64-bit version of IE8 or some unusual interaction between the IE8
> > version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
> >
> > I have a Wireshark capture of the traffic between the browser session on
> > Windows Server 2008 R2 and the proxy server during authentication and would
> > like to assist with investigating the problem further if someone can
> > provide some advice as to where to look.
> >
> > Regards
> >
> > Paul
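
Added example, not part of the original thread and not squid_kerb_auth's own code: a way to list which encryption types a Kerberos keytab holds for the proxy's service principal, for comparison with the ticket encryption type seen in the port 88 exchange mentioned above. It assumes the helper's service key is stored in an MIT-format keytab (version 0x0502); the principal, realm and key bytes in the sample are constructed.

```python
import struct

# Kerberos enctype numbers; 18 is the AES-256 type suspected in the thread.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):  # uint16 length + bytes -> (bytes, next_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                        # skip name_type and timestamp (uint32 each)
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _counted(data, p + 3)
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def missing_enctypes(entries, principal, wanted=(18,)):
    """Names of wanted enctypes for which `principal` has no key in the keytab."""
    have = {etype for name, _, etype in entries if name == principal}
    return [ENCTYPES.get(e, str(e)) for e in wanted if e not in have]

def build_entry(comps, realm, kvno, etype, key):  # only builds the sample below
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: an RC4-only keytab for a hypothetical proxy principal.
SAMPLE = b"\x05\x02" + build_entry([b"HTTP", b"proxy.example.com"], b"EXAMPLE.COM", 3, 23, bytes(16))
```

For the constructed sample, `missing_enctypes(parse_keytab(SAMPLE), "HTTP/proxy.example.com@EXAMPLE.COM")` reports the AES-256 type as absent.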