Also it might have been related to recent Microsoft Updates. The following article summarizes our issues with Kerberos (note we use a special user in AD with keytab, not joining of proxy into the domain).

https://docs.diladele.com/faq/squid/authentication/event_14_kerberos_key_distribution_center.html

Best regards,
rafael

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Klaus Brandl
Sent: Friday, November 18, 2022 3:23 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Kerberos - Cannot decrypt ticket for HTTP

Which options do you have configured for the auth helper?
Something like:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i

Best regards
Klaus

On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote:
> Hi David,
>
> Thanks for your advice but it doesn't help me. I use AD account which
> haven't set these parameters.
>
> Misha.
>
> 17.11.2022, 10:07, "David Touzeau" <david@xxxxxxxxxxxxxx>:
> > Hi
> >
> > perhaps this one
> > https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
> >
> >
> > On 16/11/2022 at 05:11, Михаил wrote:
> > > Hi everybody,
> > >
> > > Could you help me to setup my new squid server? I have a problem
> > > with keytab authorization.
> > >
> > > 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }}
> > > Got NTLMSSP neg_flags=0xe2088297
> > > 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> > >
> > > # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp
> > > Using default cache: /tmp/krb5cc_0
> > > Using principal: HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > > Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Authenticated to Kerberos v5
> > >
> > > # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
> > >    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >
> > > # klist -kt
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Timestamp           Principal
> > > ---- ------------------- ------------------------------------------------------
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
> > --
> > David Touzeau - Artica Tech France
> > Development team, level 3 support
> > ----------------------------------
> > P: +33 6 58 44 69 46
> > www: https://wiki.articatech.com
> > www: http://articatech.net
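
A check that fits the error discussed in this thread, added here as an example and not written by any of the posters: "Cannot decrypt ticket ... using keytab key" means the key in the keytab is not the key the KDC encrypted the service ticket with, so compare the ticket's KVNO and enctype with the `klist -ke` listing. The function name, verdict strings and sample keytab text are assumptions made for this example; the ticket values would come from `kvno <principal>` and `klist -e` run on a client that holds a TGT.

```bash
#!/usr/bin/env bash
# Added example. Compares the key a service ticket was encrypted with against
# the entries of a keytab, using the text printed by `klist -ke <keytab>`.

# Constructed sample (placeholder host and realm, not taken from the thread).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/squid/keytab/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (DEPRECATED:arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
   3 host/proxy@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)'

# check_keytab_key PRINCIPAL TICKET_KVNO TICKET_ENCTYPE   (klist -ke text on stdin)
# Prints: match | kvno-mismatch | enctype-missing | principal-missing
check_keytab_key() {
  awk -v p="$1" -v k="$2" -v e="$3" '
    $1 ~ /^[0-9]+$/ && $2 == p {
      seen = 1
      enc = $3
      gsub(/[()]/, "", enc)            # "(aes256-...)" -> "aes256-..."
      sub(/^DEPRECATED:/, "", enc)     # newer MIT klist marks weak enctypes
      if ($1 + 0 == k + 0) { kv = 1; if (enc == e) hit = 1 }
    }
    END {
      if (!seen)     print "principal-missing"
      else if (!kv)  print "kvno-mismatch"
      else if (!hit) print "enctype-missing"
      else           print "match"
    }'
}

# Demo on the sample: the KDC issued a ticket with kvno 4, the keytab holds 3.
printf '%s\n' "$SAMPLE_KEYTAB" |
  check_keytab_key HTTP/proxy.example.corp@EXAMPLE.CORP 4 aes256-cts-hmac-sha1-96
```

A `kvno-mismatch` verdict points at a keytab exported before the account password last changed; `enctype-missing` points at the account's allowed encryption types differing from the ones exported into the keytab.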