Amos, Do you know where the problem is? Should I move back to squid 2.7, will that help? If I configure my squid to use ntlm auth I get so many NTLM Type 3 token messages in cache.log. The same config works good on IE6. When I test this with firefox 3.6+ or IE8 it keeps prompting the username. On 30 April 2011 13:30, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > On 30/04/11 20:13, Go Wow wrote: >> >> When I run msktutil I get this line in the output. >> >> krb5_get_init_creds_keytab failed (Client not found in Kerberos database) >> >> I did kinit before issuing msktutil and it ran successfully. I can see >> tickets when I issue klist. >> > > Tickets, klist and keytabs do not matter in this case Kerberos is not > involved. > >> >> >> On 30 April 2011 10:43, Go Wow wrote: >>> >>> Hi, >>> >>> I'm trying to configure Kerberos Authentication for squid. I'm >>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the >>> kerberos authentication guide on squid-cache and many other guides, I >>> always end up with these logs in my cache.log. My client browser keeps >>> prompting for username/password. Even a valid set of credentials are >>> not accepted. >>> >>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM >>> token >>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error >>> validating user via Negotiate. Error returned 'BH received type 1 NTLM >>> token' > > "type 1 NTLM" aka NTLM authentication protocol. > > The Kerberos helpers for Squid only validate type 3 (Kerberos). > > Markus has developed a negotiate_wrapper helepr which can split the > Negotiate auth protocol into Negotiate/Kerberos and Negotiate/NTLM > validation. That may be of some help, though there are bugs in the Squid end > which prevent is working sometimes. > > Amos > -- > Please be using > Current Stable Squid 2.7.STABLE9 or 3.1.12 > Beta testers wanted for 3.2.0.7 and 3.1.12.1 >
