Hi Markus,

From the windows domain controller:
=======================================================
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>setspn -L squid
Registered ServicePrincipalNames for CN=squid,CN=Users,DC=sit26,DC=borderware,DC
=com:
        HTTP/squid.sit26.borderware.com

C:\Users\Administrator>
=========================================================

From the wireshark:
==============================================================
The Kerberos response error is
Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: SIT26.BORDERWARE.COM
Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
    Name-type: service and instance (2)
    Name: HTTP
    Name: squid.sit26.borderware.com
===============================================================

I can attach the whole tcpdump if necessary.

Regards,
Ming

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Monday, July 25, 2011 4:27 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: squid 3.1.14 kerberos single sign on
>
> This looks like the client does not get a Kerberos token, which can have
> several reasons.
>
> 1) Is the proxy name used in the browser the fqdn used in the
> serviceprincipaname in AD e.g. HTTP/<fqdn> ?
> 2) Is the right encryption type used (Win7 / 2008 do not support DES
> out
> of the box)
>
> Can you capture with wireshark the communication between your Win7
> client
> and AD on port 88 ( Kerberos port ) and send me the capture file ?
>
> Regards
> Markus
>
>
> "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message
> news:09177155B3E82945AD8AF1F744B326458A7E1581@es05co...
> Hi,
>
> I am trying to setup squid 3.1.14 on linux with Kerberos SSO against
> windows
> 2008 server and win7 client.
> But both firefox 5.0.1 and IE 8 generate same log from squid.
>
> Is this a problem with squid or the browsers?
>
> ---- squid logs ----
> 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> 2011/07/25 10:54:29| HTCP Disabled.
> 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> 2011/07/25 10:54:29| Loaded Icons.
> 2011/07/25 10:54:29| Ready to serve requests.
> 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length:
> 40).
> 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM
> token
> 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating
> user
> via Negotiate. Error returned 'BH received type 1 NTLM token'
>
>
> --- HTTP exchange Firefox to squid -----
> GET http://www.google.ca/ HTTP/1.1
> Host: www.google.ca
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> Firefox/5.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://www.google.ca/
> Cookie:
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> 0546:S=CwtXJNRFT1U2j2O8;
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.14
> Mime-Version: 1.0
> Date: Mon, 25 Jul 2011 15:38:05 GMT
> Content-Type: text/html
> Content-Length: 3945
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en-us
> Proxy-Authenticate: Negotiate
> X-Cache: MISS from squid.sit26.borderware.com
> Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> Connection: keep-alive
>
> GET http://www.google.ca/ HTTP/1.1
> Host: www.google.ca
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> Firefox/5.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://www.google.ca/
> Cookie:
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> 0546:S=CwtXJNRFT1U2j2O8;
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> Proxy-Authorization: Negotiate
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
>
>
> Regards,
> Ming
>
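
Added example (not part of the original thread, and not squid_kerb_auth's own code): a small Python classifier for the base64 blob carried after "Proxy-Authorization: Negotiate", which tells an NTLMSSP message, such as the one in the squid log above, from a SPNEGO or raw Kerberos GSS-API token. The function and constant names are assumptions of this example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs found at the start of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def classify_negotiate_token(b64_token):
    """Return (mechanism, detail) for the base64 blob after 'Negotiate '."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "not valid base64")
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return ("ntlm", "truncated NTLMSSP header")
        # The little-endian message type follows the 8-byte signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("ntlm", "NTLMSSP message type %d" % msg_type)
    if len(raw) >= 2 and raw[0] == 0x60:  # ASN.1 [APPLICATION 0] wrapper
        # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
        offset = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        if raw.startswith(SPNEGO_OID, offset):
            return ("spnego", "SPNEGO initial token")
        if raw.startswith(KRB5_OID, offset):
            return ("kerberos", "raw Kerberos 5 GSS-API token")
        return ("gssapi", "unrecognised mechanism OID")
    return ("unknown", "neither NTLMSSP nor a GSS-API initial token")


# Token quoted in the squid_kerb_auth DEBUG line of the thread.
THREAD_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: only the 10-byte header of a SPNEGO token, enough to
# exercise the classifier; it is not a usable ticket.
CONSTRUCTED_SPNEGO = base64.b64encode(
    bytes.fromhex("6008") + SPNEGO_OID).decode("ascii")

if __name__ == "__main__":
    for name, tok in (("thread", THREAD_TOKEN),
                      ("constructed", CONSTRUCTED_SPNEGO)):
        print(name, classify_negotiate_token(tok))
```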