I will try to get a 2008 R2 box, but it will take some time as I have only a
32bit system and R2 is 64bit.
Markus
"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
news:19672EECFB9AE340833C84F3E90B5956042A4932@xxxxxxxxxxxxxxxxxxxxxx
Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup
is
working well and successfully authenticates Windows domain users when they
are logged in using their domain credentials on Windows XP workstations
using
Internet Explorer (v6,7 and 8) and Firefox.
Squid is configured with two helpers, the first, squid_kerb_auth and the
second, the Samba ntlm helper.
However, today I came across a problem when using Internet Explorer 8 on a
server running Windows Server 2008 R2. The IE8 enhanced security mode is
disabled and the logged in user is a standard domain user. The Windows
server is joined to the domain and is not a domain controller. The Windows
server is up to date with Microsoft patches and updates.
Authentication is failing for some reason. Instead of authenticating
silently, the user is prompted for a username and password 6 times before
receiving the Cache Access Denied message.
If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.
In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error
returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure.
Minor code may provide more information. '
Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
the 64-bit version of IE8 or some unusual interaction between the IE8
version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
I have a Wireshark capture of the traffic between the browser session on
Windows Server 2008 R2 and the proxy server during authentication and would
like to assist with investigating the problem further if someone can provide
some advice as to where to look.
Regards
Paul