Re: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 12/01/2012 1:18 a.m., Muhammet Can wrote:
> Hi all,
>
> I have been trying to get squid running with kerberos auth for a few
> days but I'm in some trouble. The problem has been asked and replied
> many times on both the squid-users list and on the web, I have read
> them all, and tried to solve the problem. But still no luck.
>
> Here is some of my log files and tests.
> (config files are prepared with using wiki;
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)
>
> -->  tail -f cache.log
> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> (length: 59).
> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> length: 40).
> 2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'

As no doubt you have seen in those earlier posts type 1 is 
Negotiate/NTLM. The easiest solution is to use the negotiate_wrapper 
Marcus developed last year. That should get things working for the users 
while the details about why NTLM is being used get more of a look at.


> -->  tail -f access.log
> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
> http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
> http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
>
> I have tested kerberos on the server side with;
>
> -->  klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@xxxxxxxxxxxxxx
>
> -->  kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab
> HTTP/test2008.labristest.com
> Authenticated to Kerberos v5
>
> And, on the client side, I have used kerbtray, it seems client has the tickets.
>
> I have captured the packets with wireshark as suggested some of the
> earlier messages, it looks like client still tries to authenticate
> with NTLM while we want to use kerberos.
>
> Here is the some of the parts of wireshark log;
> (if needed, you can get the full log from here: http://pastebin.com/btp9PzYu )
>
> client to server;
> Hypertext Transfer Protocol
>      GET http://www.google.com.tr/ HTTP/1.1\r\n
>          [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
> HTTP/1.1\r\n]
>          Request Method: GET
>          Request URI: http://www.google.com.tr/
>          Request Version: HTTP/1.1
>      Host: www.google.com.tr\r\n
>      User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
> Firefox/8.0\r\n
>      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
>      Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
>      Accept-Encoding: gzip, deflate\r\n
>      Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
>      Proxy-Connection: keep-alive\r\n
>
>
> server reply;
> Hypertext Transfer Protocol
>      HTTP/1.0 407 Proxy Authentication Required\r\n
>          [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy
> Authentication Required\r\n]
>          Request Version: HTTP/1.0
>          Status Code: 407
>          Response Phrase: Proxy Authentication Required
>      Server: squid/3.1.12\r\n
>      Mime-Version: 1.0\r\n
>      Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
>      Content-Type: text/html\r\n
>      Content-Length: 1152\r\n
>      X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
>      Proxy-Authenticate: Negotiate\r\n
>      X-Cache: MISS from labris-1\r\n
>      X-Cache-Lookup: NONE from labris-1:3128\r\n
>      Via: 1.0 labris-1 (squid/3.1.12)\r\n
>      Connection: keep-alive\r\n
>      \r\n
>
>
> client tries authentication;
> Hypertext Transfer Protocol
>      GET http://www.google.com.tr/ HTTP/1.1\r\n
>          [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
> HTTP/1.1\r\n]
>          Request Method: GET
>          Request URI: http://www.google.com.tr/
>          Request Version: HTTP/1.1
>      Host: www.google.com.tr\r\n
>      User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
> Firefox/8.0\r\n
>      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
>      Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
>      Accept-Encoding: gzip, deflate\r\n
>      Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
>      Proxy-Connection: keep-alive\r\n
>      Proxy-Authorization: Negotiate
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
>          NTLM Secure Service Provider
>              NTLMSSP identifier: NTLMSSP
>              NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
>              Flags: 0xe2088297
>              Calling workstation domain: NULL
>              Calling workstation name: NULL

That might be important. If the browser is not aware for some reason 
that it has a Windows domain.

>              Version 6.1 (Build 7601); NTLM Current Revision 15
>                  Major Version: 6
>                  Minor Version: 1
>                  Build Number: 7601
>                  NTLM Current Revision: 15
>
>
> Please see me as a newbie,
> I'd really appreciate a detailed solution to get squid working with
> kerberos and what may cause the problem.

So far as this shows Squid is working well up to the point when the 
client sends it NTLM response credentials. Those are rejected due to not 
being Kerberos credentials.

Amos