Hi Markus,

I tried the same test on a Windows 2003 domain with XP clients. I was able to get pass the SGT from DC to the XP. Now my problem is the following squid error:

Any suggestion how to debug further?

2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR [...]' from squid (length: 1647).
2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode '[...]' (decoded length: 1233).
2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'

Thanks
Ming

> -----Original Message-----
> From: Ming Fu [mailto:Ming.Fu@xxxxxxxxxxxxxx]
> Sent: Wednesday, July 27, 2011 4:21 PM
> To: Markus Moeller; squid-users@xxxxxxxxxxxxxxx
> Subject: RE: Re: squid 3.1.14 kerberos single sign on
>
> Hi Markus,
>
> From the windows domain controller:
> =======================================================
> Microsoft Windows [Version 6.0.6002]
> Copyright (c) 2006 Microsoft Corporation. All rights reserved.
>
> C:\Users\Administrator>setspn -L squid
> Registered ServicePrincipalNames for
> CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
> HTTP/squid.sit26.borderware.com
>
> C:\Users\Administrator>
> =========================================================
>
> From the wireshark:
> ==============================================================
> The Kerberos response error is
> Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: SIT26.BORDERWARE.COM
> Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
> Name-type: service and instance (2)
> Name: HTTP
> Name: squid.sit26.borderware.com
> ===============================================================
>
> I can attach the whole tcpdump if necessary.
>
> Regards,
> Ming
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Monday, July 25, 2011 4:27 PM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: squid 3.1.14 kerberos single sign on
> >
> > This looks like the client does not get a Kerberos token, which can have
> > several reasons.
> >
> > 1) Is the proxy name used in the browser the fqdn used in the
> > serviceprincipalname in AD e.g. HTTP/<fqdn> ?
> > 2) Is the right encryption type used (Win7 / 2008 do not support DES out
> > of the box)
> >
> > Can you capture with wireshark the communication between your Win7 client
> > and AD on port 88 ( Kerberos port ) and send me the capture file ?
> >
> > Regards
> > Markus
> >
> >
> > "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message
> > news:09177155B3E82945AD8AF1F744B326458A7E1581@es05co...
> > Hi,
> >
> > I am trying to setup squid 3.1.14 on linux with Kerberos SSO against windows
> > 2008 server and win7 client.
> > But both firefox 5.0.1 and IE 8 generate same log from squid.
> >
> > Is this a problem with squid or the browsers?
> >
> > ---- squid logs ----
> > 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> > 2011/07/25 10:54:29| HTCP Disabled.
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| Loaded Icons.
> > 2011/07/25 10:54:29| Ready to serve requests.
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
> > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
> > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> >
> > --- HTTP exchange Firefox to squid -----
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/3.1.14
> > Mime-Version: 1.0
> > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > Content-Type: text/html
> > Content-Length: 3945
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Vary: Accept-Language
> > Content-Language: en-us
> > Proxy-Authenticate: Negotiate
> > X-Cache: MISS from squid.sit26.borderware.com
> > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > Connection: keep-alive
> >
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> >
> >
> > Regards,
> > Ming
> >
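
Added example, not part of the original thread or of squid_kerb_auth: a small classifier for the base64 blob that follows `Negotiate` in a Proxy-Authorization header (or `YR` in the helper log), showing how the token quoted in the log above is recognised as an NTLM type 1 message rather than a Kerberos/SPNEGO token. The function and constant names are hypothetical, and the SPNEGO sample is constructed.

```python
import base64
import struct

# DER-encoded mechanism OIDs that open a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Token quoted in the squid_kerb_auth log lines of this thread.
THREAD_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: minimal GSS-API wrapper that carries only the SPNEGO OID.
CONSTRUCTED_SPNEGO = base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()


def _der_value_offset(raw, pos):
    """Return the offset just past the DER length field starting at pos."""
    first = raw[pos]
    if first < 0x80:                 # short form: length fits in one byte
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: N further length bytes


def classify_negotiate_token(b64_token):
    """Return (mechanism, detail) for the base64 blob after 'Negotiate '."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError as exc:        # binascii.Error is a ValueError
        return ("invalid", f"not base64: {exc}")
    if raw.startswith(b"NTLMSSP\x00"):
        if len(raw) < 12:
            return ("NTLM", "truncated header")
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        name = NTLM_TYPES.get(msg_type, "unknown")
        return ("NTLM", f"type {msg_type} ({name})")
    if len(raw) > 2 and raw[0] == 0x60:   # [APPLICATION 0]: GSS-API token
        body = raw[_der_value_offset(raw, 1):]
        if body.startswith(SPNEGO_OID):
            return ("SPNEGO", "GSS-API token, mechanism 1.3.6.1.5.5.2")
        if body.startswith(KRB5_OID):
            return ("Kerberos", "GSS-API token, mechanism 1.2.840.113554.1.2.2")
    return ("unknown", f"{len(raw)} bytes, leading bytes {raw[:8].hex()}")


if __name__ == "__main__":
    for label, tok in (("thread", THREAD_TOKEN), ("constructed", CONSTRUCTED_SPNEGO)):
        print(label, classify_negotiate_token(tok))
```

An NTLM result here means the browser did not obtain a Kerberos service ticket for the proxy, which is the case the SPN and encryption-type questions in the thread are meant to narrow down.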