Markus OK - I was not sure whether the Kerberos libraries used openssl code. I have captured traffic for the following where a domain user is logged onto a w2k8 R2 server (named my-server.my.domain for this discussion) running the 32-bit version of IE8: 1. Between my-server.my.domain and the AD servers 2. Between my-server.my.domain and the squid 3.1.8 proxy server. I have also captured the traffic between the proxy server and the AD servers while executing the kinit command you requested. It's probably not a good idea to post the logs here. Is there anything you want me to look for? I have done some investigation and notice a couple of things which may or may not be relevant or important: 1. When my-server.my.domain issues the TGS-REQ it specifies the fowardable, renewable and canonicalize flags. For a similar setup except using Win XP, only the forwardable, renewable flags are set. 2. For the browser session on my-server.my.domain I notice there are repeated AS-REQ/TGS-REQ requests, even though as far as I can tell the requests are granted. There are also (probably expected) multiple KRB Error: KRB5KDC_ERR_PRE_PREAUTH_REQUIRED messages which look they match the AS-REQ/TGS-REQ requests. When I look in the security logs of the 2 AD domain controllers, I do not see any failed Kerberos events but I notice the requests from server my-server.my.domain have the Client-Address: value set to ::fff:192.168.x.y. I presume this is am IPv6 address? IPv6 is not selected on the nic of my-server.my.domain. For the Win XP server, there are 2 event log entries, one for Client-Address: ::fff:192.168.x.z and the next one for Client-Address is 192.168.x.z. I have not observed the multiple Kerberos on Win XP. Please let me know how I can further assist this investigation. Regards Paul > -----Original Message----- > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx] > Sent: Wednesday, 27 October 2010 9:15 AM > To: squid-users@xxxxxxxxxxxxxxx > Subject: Re: Authentication using squid_kerb_auth with > Internet Explorer 8 on Windows Server 2008 R2 > > Hi Paul, > > As far as I know the Kerberos libraries do not use openssl code. Can > you > capture the traffic between your 2008 server and AD on port 88 and > between > the 2008 server and squid on 3128 (the squid port). Can you also > capture the > traffic between squid and AD when you try a kinit -kt squid.keytab > HTTP/my-proxy-server.my.domain@xxxxxxxxx > > Regards > Markus > > "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message > news:19672EECFB9AE340833C84F3E90B5956043780EF@xxxxxxxxxxxxxxxxxxxxxx > Hi Nick > Thanks for looking at this. I appreciate your help. > > My answers to your questions are in line below > > > -----Original Message----- > > From: Nick Cairncross [mailto:Nick.Cairncross@xxxxxxxxxxxxxxx] > > Sent: Tuesday, 26 October 2010 8:36 PM > > To: Paul Freeman; Squid Users > > Subject: Re: Authentication using squid_kerb_auth with > > Internet Explorer 8 on Windows Server 2008 R2 > > > > > > On 26/10/2010 03:56, "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote: > > > > > > >Hi. > > >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and > have > > >enabled > > >Kerberos/NTLM authentication using the squid_kerb_auth helper. This > > >setup is > > >working well and successfully authenticates Windows domain users > when > > they > > >are logged in using their domain credentials on Windows XP > > workstations > > >using > > >Internet Explorer (v6,7 and 8) and Firefox. > > > > > >Squid is configured with two helpers, the first, squid_kerb_auth and > > the > > >second, the Samba ntlm helper. > > > > > >However, today I came across a problem when using Internet Explorer > 8 > > on a > > >server running Windows Server 2008 R2. The IE8 enhanced security > mode > > is > > >disabled and the logged in user is a standard domain user. The > > Windows > > >server is joined to the domain and is not a domain controller. The > > >Windows > > >server is up to date with Microsoft patches and updates. > > > > > >Authentication is failing for some reason. Instead of > authenticating > > >silently, the user is prompted for a username and password 6 times > > before > > >receiving the Cache Access Denied message. > > > > > >If I disable the squid_kerb_auth helper in squid.conf and restart > > squid, > > >leaving only the Samba NTLM helper, authentication works > successfully. > > > > > >In cache.log I find: > > >squid_kerb_auth: DEBUG: Got 'YR YII... > > >squid_kerb_auth: DEBUG: Decode 'YII... > > >squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified > > GSS > > >failure. Minor code may provide more information. > > >squid_kerb_auth: INFO: User not authenticated > > >authenticateNegotiateHandleReply: Error validating user via > Negotiate. > > >Error > > >returned 'BH gss_accept_sec_contect() failed: Unspecified GSS > failure. > > >Minor code may provide more information. ' > > > > > >Has anyone else found this with IE8 on Windows Server 2008 R2? Is > it > > due > > >to > > >the 64-bit version of IE8 or some unusual interaction between the > IE8 > > >version > > >shipped with Windows Server 2008 R2 and the squid_kerb_auth module? > > > > > >I have a Wireshark capture of the traffic between the browser > session > > on > > >Windows Server 2008 R2 and the proxy server during authentication > and > > >would > > >like to assist with investigating the problem further if someone can > > >provide > > >some advice as to where to look. > > > > > >Regards > > > > > >Paul > > > > > > Hi Paul, > > Just my thoughts (which are minor in relation to the power of other > > listers..!): Are you specifically running the 64-bit version of IE? > How > > does your DNS look? A/PTR records all in order? What does kerbtray > show? > > What encoding for kerberos are you using? What does klist -ekt > <keytab> > > show? Correct FQDN in your browser? > > Cheers > > Nick > > > I presumed IE8 was the 64-bit version but on further checking I have > found > it > is the 32-bit version. The 64-bit version is also installed and I have > tried > that with the same result. > > As far as I know (I set DNS up :-) ), DNS is configured correctly with > forward and reverse records. > > I checked the Kerberos tickets on a Windows XP workstation that > authenticates > correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server > using > IE8 (32-bit and 64-bit) and found tickets for the proxy server as > follows: > > Win XP Workstation: > Server: HTTP/my-proxy-server.my.domain@xxxxxxxxx > KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) > End Time: 10/27/2010 17:37:35 > Renew Time: 11/3/2010 7:37:35 > > Win 2008 R2 server: > Client" my.login @ MY.DOMAIN > Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN > KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 > Ticket Flags 0x40a00000 -> forwardable renewable pre_authent > Start Time: 10/27/2010 7:30:13 (local) > End Time: 10/27/2010 17:17:38 (local) > Renew Time: 11/3/2010 7:17:38 (local) > Session Key Type: AES-256-CTS-HMAC-SHA1-96 > > The key difference is the ticket encryption type: RC4-HMAC for Win XP > vs > AES-256-HMAC-SHA1 for Win 2008 R2. > > On the proxy server, klist -ekt ticket_file shows: > KVNO Timestamp Principal > 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@xxxxxxxxx > (ArcFour with HMAC/md5) > 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@xxxxxxxxx > (AES-128 CTS mode with 96-bit SHA-1 HMAC) > 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@xxxxxxxxx > (AES-256 CTS mode with 96-bit SHA-1 HMAC) > > I have just remembered that I recently came across a problem with AES- > 256 > encryption on Ubuntu 10.04LTS. I discovered this when I found I could > not > establish a https session to a Linux web server which was using a > certificate > I had issued from the Windows Certificate Service on Windows 2008 R2. > The > problem turned out to be the certificate was signed by the Root CA > using > AES-256. After some "Googling" I found OpenSSL on Ubuntu could not > manage > this encryption type. I changed the Root CA encryption type to sha1 > and > re-issued the linux web server certificate and all was well > > I suspect the Kerberos problem I am seeing when authenticating to squid > is > similar. Windows 2008 R2 is encrypting using AES-256 but > squid/kerberos > cannot decrypt this successfully. Does this sound feasible? > > Can I force Windows 2008 R2 to use a different encryption type or can I > get > OpenSSL (which I presume is used for the encryption/decryption in > Kerberos > on > Linux) to support AES-256? > > Can I debug this further to confirm this? > > Regards > > Paul > > > > > > > > > The information contained in this e-mail is of a confidential nature > > and is intended only for the addressee. If you are not the intended > > addressee, any disclosure, copying or distribution by you is > prohibited > > and may be unlawful. Disclosure to any party other than the > addressee, > > whether inadvertent or otherwise, is not intended to waive privilege > or > > confidentiality. Internet communications are not secure and > therefore > > Conde Nast does not accept legal responsibility for the contents of > > this message. Any views or opinions expressed are those of the > author. > > > > The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover > > Square, London W1S 1JU >
