Re: Re: Re: Help me configure Kerberos Authentication

It looks like you do not have an entry in AD. Can you search AD for entries with serviceprincipalname = HTTP/proxyserver.orangegroup.com?

Markus


"Go Wow" <gowows@xxxxxxxxx> wrote in message news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ@xxxxxxxxxxxxxxxxx
On 1 May 2011 00:00, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Go,

For Windows 2008 the wiki says "use --enctypes 28". Did you use it?

Yes I used --enctypes 28


what does klist -e show and what does
kinit <user>
kvno HTTP/proxyserver.orangegroup.com

show (<user> being your userid)?

Here is the complete output

root@proxyserver:/home/owner# whoami
root
root@proxyserver:/home/owner# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# kinit Administrator
Password for Administrator@xxxxxxxxxxxxxxx:
root@proxyserver:/home/owner# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM@xxxxxxxxxxxxxxx
       renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
HMAC/md5,ArcFour with HMAC/md5
root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials
for http/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials
for HTTP/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx

When you purge tickets (with kerbtray), start wireshark with a filter on
port 88 and access a webpage via the proxy, do you see any errors in
wireshark? Can you send me the capture?

I will email you the port 88 capture in a sec.

Thanks for your help.

Markus


"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw@xxxxxxxxxxxxxxxxx
I tried with msktutil version 0.4 but the same thing is happening.

I followed your guide, firstly with samba/winbind: I created the
keytab and configured the negotiate parameters in squid.conf, but when I
open a browser pointing to squid3 as proxy server (with the FQDN, not the IP) it
prompts for username/password. This system is Windows 7 64 Bit.

Then I tried msktutil. The command I used is the same as the one I mentioned below.

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

The output of the command gives me one error saying the following, but it
still creates the keytab file:
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)

I have kerbtray installed on the client system and I can see my domain's
krbtgt/domain.com listed. As a matter of fact I'm using a SharePoint
server which uses the same method to authenticate and I'm able to log in
to it without entering username/password. I tried purging tickets
but no change.

Regards


On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:

Hi Go,

Can you describe in detail what you did (e.g. the exact msktutil command)?
BTW, I updated the wiki yesterday to point to a newer msktutil (version 0.4),
which you should try in case you use an older version.

It looks to me like your client is not able to get the Kerberos ticket
from AD, which is why the client falls back to NTLM and the negotiate
wrapper now has to deal with this case.

To find out why the client does not get the ticket you can run wireshark
and look for traffic on port 88.

Markus


"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
When I run msktutil I get this line in the output.

krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I did kinit before issuing msktutil and it ran successfully. I can see
tickets when I issue klist.



On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:

Hi,

I'm trying to configure Kerberos Authentication for squid. I'm
running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
kerberos authentication guide on squid-cache and many other guides, but I
always end up with these logs in my cache.log. My client browser keeps
prompting for username/password. Even a valid set of credentials is
not accepted.

2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'


I want to check and make sure my keytab entries are good. How do I do
that? My client system can list the tickets for the client principal.

Please have a look at my krb5.conf & keytab file here
http://pastebin.com/vTBr3r5D

I'm using this command to create the keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

All the domains are resolving properly to IPs.

Thanks for your help.
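The "received type 1 NTLM token" warning in the cache.log above can be confirmed directly from the base64 token squid_kerb_auth logs: it starts with "TlRMTVNTUAAB", i.e. the bytes "NTLMSSP\0" followed by message type 1, which means the browser never sent a Kerberos token at all. The following Python script is an added example, not part of this thread or of squid; it decodes such a token, reports which mechanism it carries (raw NTLM, SPNEGO with Kerberos or NTLM, or unknown) and, for an NTLM negotiate message, its flags and the client OS version. It runs on the exact token quoted in the log; the flag names and layout come from MS-NLMP and the mechanism OIDs from RFC 4178 / MS-SPNG.

```python
import base64
import struct

# Token copied from the squid_kerb_auth DEBUG lines in this thread (the part after "YR ").
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that appear inside a GSS-API / SPNEGO InitialContextToken.
MECH_OIDS = {
    "kerberos": bytes.fromhex("06092a864886f712010202"),        # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),     # 1.2.840.48018.1.2.2
    "ntlm": bytes.fromhex("060a2b06010401823702020a"),          # 1.3.6.1.4.1.311.2.2.10
}
# Subset of MS-NLMP NEGOTIATE flags that matter when reading a type-1 message.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}

def describe_token(b64):
    """Say which mechanism a Negotiate token carries; for a raw NTLM
    NEGOTIATE_MESSAGE also return type, flags and the client OS version."""
    raw = base64.b64decode(b64)
    if raw[:1] == b"\x60":   # GSS-API InitialContextToken: SPNEGO or bare Kerberos AP-REQ
        found = {name: raw.find(oid) for name, oid in MECH_OIDS.items()}
        found = {n: i for n, i in found.items() if i >= 0}
        # In SPNEGO the first mechType is the one whose token is in mechToken (heuristic).
        mech = "spnego-" + min(found, key=found.get) if found else "spnego-other"
        return {"mechanism": mech, "length": len(raw)}
    if not raw.startswith(NTLMSSP_SIG) or len(raw) < 16:
        return {"mechanism": "unknown", "length": len(raw)}
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    info = {"mechanism": "ntlm", "length": len(raw), "type": msg_type, "flags": flags,
            "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit)}
    # Version block follows the two 8-byte domain/workstation field descriptors (offset 32).
    if msg_type == 1 and flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build)
    return info

if __name__ == "__main__":
    for key, value in describe_token(LOG_TOKEN).items():
        print(f"{key}: {value}")
```

For the logged token this reports a raw NTLM type-1 message with flags 0xe2088297 and version 6.1 build 7600, i.e. the Windows 7 client in the thread, with no Kerberos or SPNEGO wrapping at all; a working setup would show a 0x60-prefixed token that resolves to kerberos.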










