Markus,

After further investigation using gdb I have been able to determine the problem is caused by a particular combination of encryption and checksum types which seems to only occur (at this stage) in Windows 2008 R2 and possibly Windows 7, although I have not confirmed this.

In my Windows 2008 R2 environment (including Active Directory, running in Windows 2003 mode rather than Windows 2008), the keytab which I created for squid using msktutil (with enctypes = 28) gave me keys encrypted with ArcFour with HMAC/md5, AES-128 CTS mode with 96-bit SHA-1 HMAC and AES-256 CTS mode with 96-bit SHA-1 HMAC.

The problem lies with the Kerberos libraries installed with Ubuntu 10.04 LTS (1.8.1+dfsg-2ubuntu0.3). They return an error when working with AES-256 and the checksum encryption type ArcFour with HMAC/md5. This has been reported on the MIT Kerberos developers list (http://mailmain.mit.edu/pipermail/krbdev/2010-July/009148.html) and assigned ticket 6751. This has been resolved and included in the MIT Kerberos 1.8.3 release. However, it does not appear to have been backported to Ubuntu 10.04 LTS yet.

I compiled the MIT Kerberos 1.8.3 source and re-built squid_kerb_auth against these libraries and the problem no longer occurs, i.e. a domain user logged into a Windows 2008 R2 server can authenticate using Kerberos in IE8. Kerberos authentication continues to work with IE8 and Firefox in Windows XP for domain users.

I greatly appreciate the assistance of Markus Moeller in resolving this. Without his guidance and suggestions it would have taken me a lot longer to nail down the problem.

Hopefully this information will be of some use to others.

Regards
Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Sunday, 31 October 2010 6:45 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> My tests show the same. RC4 works but AES 128/256 fail. It seems to be
> some incompatibility between MS and MIT/Heimdal Kerberos libraries
> introduced in R2
>
> Markus
>
> "DmitrySh" <sbros_v@xxxxxxxx> wrote in message
> news:1288361044027-3019158.post@xxxxxxxxxxxxxxxx
> >
> > I solved the problem on Win7 (temporarily).
> > I set RC4-HMAC type for Kerberos transactions in Local Security Policy
> > http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
> > Now both keys on client machine are in RC4-HMAC type (krbtgt and
> > HTTP/fqdn_of_proxy)
> > That helps in my case.
> > Sounds not so good if this be AES256, but I think it's because of mixed
> > mode of AD (2003 and 2008).
> > Try to communicate with Microsoft about this.
> > P.S. Sorry for my English :)
> >
> > Regards,
> > Dmitry
> > --
> > View this message in context:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-using-squid-kerb-auth-with-Internet-Explorer-8-on-Windows-Server-2008-R2-tp3013070p3019158.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.