Hi Markus,

I added allow_weak_crypto = yes to the krb.conf file. Now everything worked. Any suggestion on how to allow safer/stronger cryptos?

Thanks
Ming

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Saturday, July 30, 2011 7:51 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Re: Re: squid 3.1.14 kerberos single sign on
>
> Hi Ming,
>
> That looks correct. I have three suggestions:
>
> 1) Can you reset the AD account password for the squid user and re-extract the keytab ?
> 2) Use another tool like msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )
> 3) Clear the kerberos cache on the client with kerbtray. It might be that the client cached an old key.
>
> Additionally if you want to support Win 7 and Win 2008 you must use RC4-HMAC encryption as DES has been declared as a weak encryption method and is not supported anymore in Win 7 / Win 2008.
>
> Regards
> Markus
>
>
> "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message news:09177155B3E82945AD8AF1F744B326458A7E5EA6@es05co...
> Hi Markus,
>
> My keytab file is generated from the win 2003 DC using ktpass command.
>
> On Linux where the squid is running:
>
> klist -ekt /usr/local/squid/etc/squid27.keytab
> Keytab name: WRFILE:/usr/local/squid/etc/squid27.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    9 12/31/69 19:00:00 HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
> [root@squid etc]# ^C
> [root@squid etc]# echo $KRB5_KTNAME
> /usr/local/squid/etc/squid27.keytab
>
>
> On windows 2003
> C:\Documents and Settings\Administrator>ktpass -princ HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx -mapuser squid -crypto DES-CBC-MD5 +DesOnly -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -out squid27.keytab
> Targeting domain controller: 27dc.sit27.borderware.com
> Using legacy password setting method
> Successfully mapped HTTP/squid.sit27.borderware.com to squid.
> Key created.
> Output keytab to squid27.keytab:
> Keytab version: 0x502
> keysize 79 HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x10bf6eea2531436b)
> Account squid has been set for DES-only encryption.
>
> C:\Documents and Settings\Administrator>setspn -L squid
> Registered ServicePrincipalNames for CN=Squid,CN=Users,DC=sit27,DC=borderware,DC=com:
>         HTTP/squid.sit27.borderware.com
>
>
> Best Regards,
> Ming
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Thursday, July 28, 2011 3:09 PM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: Re: squid 3.1.14 kerberos single sign on
> >
> > Hi Ming,
> >
> > This indicates that now your client got the ticket from AD, but it does not match the entry in your keytab. Did you set the environment variable KRB5_KTNAME correctly ? Can you do a klist -ekt <squid.keytab> and compare the entries with the wireshark information of the encoded HTTP Negotiate request ?
> >
> > Does the name, encryption type and key version number (kvno) match ?
> >
> > Markus
> >
> > "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message news:09177155B3E82945AD8AF1F744B326458A7E58B8@es05co...
> > Hi Markus,
> >
> > I tried the same test on a Windows 2003 domain with XP clients. I was able to get past the SGT from DC to the XP. Now my problem is the following squid error: Any suggestion on how to debug further?
> >
> > 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR [base64 Kerberos token omitted]' from squid (length: 1647).
> > 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode '[same base64 token omitted]' (decoded length: 1233).
> > 2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
> > 2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
> >
> >
> > Thanks
> > Ming
> >
> > > -----Original Message-----
> > > From: Ming Fu [mailto:Ming.Fu@xxxxxxxxxxxxxx]
> > > Sent: Wednesday, July 27, 2011 4:21 PM
> > > To: Markus Moeller; squid-users@xxxxxxxxxxxxxxx
> > > Subject: RE: Re: squid 3.1.14 kerberos single sign on
> > >
> > > Hi Markus,
> > >
> > > From the windows domain controller:
> > > =======================================================
> > > Microsoft Windows [Version 6.0.6002]
> > > Copyright (c) 2006 Microsoft Corporation. All rights reserved.
> > >
> > > C:\Users\Administrator>setspn -L squid
> > > Registered ServicePrincipalNames for CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
> > >         HTTP/squid.sit26.borderware.com
> > >
> > > C:\Users\Administrator>
> > > =========================================================
> > >
> > > From the wireshark:
> > > ==============================================================
> > > The Kerberos response error is
> > > Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > > Realm: SIT26.BORDERWARE.COM
> > > Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
> > >     Name-type: service and instance (2)
> > >     Name: HTTP
> > >     Name: squid.sit26.borderware.com
> > > ===============================================================
> > >
> > > I can attach the whole tcpdump if necessary.
> > >
> > > Regards,
> > > Ming
> > >
> > >
> > > > -----Original Message-----
> > > > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > > > Sent: Monday, July 25, 2011 4:27 PM
> > > > To: squid-users@xxxxxxxxxxxxxxx
> > > > Subject: Re: squid 3.1.14 kerberos single sign on
> > > >
> > > > This looks like the client does not get a Kerberos token, which can have several reasons.
> > > >
> > > > 1) Is the proxy name used in the browser the fqdn used in the serviceprincipalname in AD e.g. HTTP/<fqdn> ?
> > > > 2) Is the right encryption type used (Win7 / 2008 do not support DES out of the box)
> > > >
> > > > Can you capture with wireshark the communication between your Win7 client and AD on port 88 ( Kerberos port ) and send me the capture file ?
> > > >
> > > > Regards
> > > > Markus
> > > >
> > > >
> > > > "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message news:09177155B3E82945AD8AF1F744B326458A7E1581@es05co...
> > > > Hi,
> > > >
> > > > I am trying to setup squid 3.1.14 on linux with Kerberos SSO against windows 2008 server and win7 client.
> > > > But both firefox 5.0.1 and IE 8 generate the same log from squid.
> > > >
> > > > Is this a problem with squid or the browsers?
> > > >
> > > > ---- squid logs ----
> > > > 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> > > > 2011/07/25 10:54:29| HTCP Disabled.
> > > > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > > > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > > > 2011/07/25 10:54:29| Loaded Icons.
> > > > 2011/07/25 10:54:29| Ready to serve requests.
> > > > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> > > > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
> > > > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
> > > > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> > > >
> > > >
> > > > --- HTTP exchange Firefox to squid -----
> > > > GET http://www.google.ca/ HTTP/1.1
> > > > Host: www.google.ca
> > > > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-us,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > > Proxy-Connection: keep-alive
> > > > Referer: http://www.google.ca/
> > > > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > > >
> > > > HTTP/1.0 407 Proxy Authentication Required
> > > > Server: squid/3.1.14
> > > > Mime-Version: 1.0
> > > > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > > > Content-Type: text/html
> > > > Content-Length: 3945
> > > > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > > > Vary: Accept-Language
> > > > Content-Language: en-us
> > > > Proxy-Authenticate: Negotiate
> > > > X-Cache: MISS from squid.sit26.borderware.com
> > > > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > > > Connection: keep-alive
> > > >
> > > > GET http://www.google.ca/ HTTP/1.1
> > > > Host: www.google.ca
> > > > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-us,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > > Proxy-Connection: keep-alive
> > > > Referer: http://www.google.ca/
> > > > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > > > Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> > > >
> > > >
> > > > Regards,
> > > > Ming