Search squid archive

RE: Re: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Markus
Don't worry about asking too many questions - I am happy to answer.
Generally questions will lead to some sort of answer or at least a greater
understanding of the problem.

I just sent a reply to Nick's email and in that I mention the difference
between encryption types for Kerberos tickets on Win XP and Win 2008 R2.  I
suspect this is the problem - in particular AES-256 encryption.

I have checked on the Windows 2008 R2 servers and cannot see the patch 951191
installed .  Reading up on the Microsoft site about this patch, it seems it
only applies to Windows 2008 (32-bit and 64-bit) rather than Windows 2008 R2.

Unfortunately, I don't have a Win 7 workstation to try.

Regards

Paul
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Wednesday, 27 October 2010 7:38 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject:  Re: Re: Authentication using squid_kerb_auth
> with Internet Explorer 8 on Windows Server 2008 R2
> 
> Hi Paul,
> 
>  Did you install http://support.microsoft.com/kb/951191 onto your 2008
> AD
> server (it did not work in my case without this patch) ?
> 
>  If it is not related to the above, do you know if your 2008 server
> tries to
> use AES encryption (check the exchange between your 2008 server and AD
> on
> port 88) ?
> 
>  Do you have any Windows 7 clients too ? Do they work ?
> 
>  Sorry for that many questions.
> 
> Regards
> Markus
> 
> 
> "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> news:19672EECFB9AE340833C84F3E90B5956043780EE@xxxxxxxxxxxxxxxxxxxxxx
> Hi Markus
> My AD servers (I have 2) are both Windows 2008 R2.  AD is running at
> the
> 2003
> functional level.  The AD environment is the same one that is working
> OK
> with
> Squid and Kerberos authentication for Windows XP workstations running
> IE8.
> 
> Regards
> 
> Paul
> 
> 
> 
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Wednesday, 27 October 2010 5:09 AM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject:  Re: Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> > Hi Paul,
> >
> >   Is your AD server 2003 or 2008 ?
> >
> > Markus
> >
> > "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> > news:19672EECFB9AE340833C84F3E90B5956042A4932@xxxxxxxxxxxxxxxxxxxxxx
> > Hi.
> > I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> > enabled
> > Kerberos/NTLM authentication using the squid_kerb_auth helper.  This
> > setup
> > is
> > working well and successfully authenticates Windows domain users when
> > they
> > are logged in using their domain credentials on Windows XP
> workstations
> > using
> > Internet Explorer (v6,7 and 8) and Firefox.
> >
> > Squid is configured with two helpers, the first, squid_kerb_auth and
> > the
> > second, the Samba ntlm helper.
> >
> > However, today I came across a problem when using Internet Explorer 8
> > on a
> > server running Windows Server 2008 R2.  The IE8 enhanced security
> mode
> > is
> > disabled and the logged in user is a standard domain user.  The
> Windows
> > server is joined to the domain and is not a domain controller.  The
> > Windows
> > server is up to date with Microsoft patches and updates.
> >
> > Authentication is failing for some reason.  Instead of authenticating
> > silently, the user is prompted for a username and password 6 times
> > before
> > receiving the Cache Access Denied message.
> >
> > If I disable the squid_kerb_auth helper in squid.conf and restart
> squid,
> > leaving only the Samba NTLM helper, authentication works successfully.
> >
> > In cache.log I find:
> > squid_kerb_auth: DEBUG: Got 'YR YII...
> > squid_kerb_auth: DEBUG: Decode 'YII...
> > squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified
> > GSS
> > failure.  Minor code may provide more information.
> > squid_kerb_auth: INFO: User not authenticated
> > authenticateNegotiateHandleReply: Error validating user via Negotiate.
> > Error
> > returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS
> failure.
> > Minor code may provide more information. '
> >
> > Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it
> > due to
> > the 64-bit version of IE8 or some unusual interaction between the IE8
> > version
> > shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
> >
> > I have a Wireshark capture of the traffic between the browser session
> > on
> > Windows Server 2008 R2 and the proxy server during authentication and
> > would
> > like to assist with investigating the problem further if someone can
> > provide
> > some advice as to where to look.
> >
> > Regards
> >
> > Paul
> >
> 
> 




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux