Kerberos and NTLM authentication

Kerberos and NTLM authentication

Delton
Dear Sirs,

I configured Squid 3.3.3 with Kerberos and NTLM authentication successfully.
When I enable only Kerberos authentication, domain computers browse
normally and there is no password required.
When I enable only NTLM authentication, domain computers also browse
normally and there is no password required.
The problems start when you need to allow access to devices that are not
part of the domain:

1 - If I enable Kerberos authentication and the device is not part of
the domain, it is prompted for the password. Even after entering the
password, access is not granted;
2 - If I enable NTLM authentication with "helper-protocol =
squid-2.5-ntlmssp" and the device is not part of the domain, it is prompted
for the password. Even after entering the password, access is not granted;
3 - If I enable NTLM authentication with "helper-protocol =
squid-2.5-basic" and the device is not part of the domain, it is prompted
for the password. After entering the password, access is granted. In this case
the password is also requested from domain users.

I read in http://wiki.squid-cache.org/Features/Authentication that
Squid can use different authentication mechanisms simultaneously.
I hoped that when Kerberos authentication failed, NTLM authentication would work.
Am I doing something wrong?

Re: Kerberos and NTLM authentication

Carlos Defoe
I think the BCP (best current practice) is to use, in sequence:

1) negotiate_wrapper configured with kerberos and ntlm
2) pure ntlm with ntlm_auth
3) one basic auth of your choice

Inserting those three methods in sequence on your squid.conf will do the job.

If you have problems with prompted auth, try inserting the user domain
when authenticating, like "MYDOMAIN\myusername". I've found that
Internet Explorer needs this.

Re: Kerberos and NTLM authentication

Delton
That's what (I think) I tried:

auth_param negotiate program /usr/local/bin/squid_kerb_auth -d -s HTTP/squidserver.bnpapeis.local
auth_param negotiate children 5
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl users proxy_auth REQUIRED
http_access allow users

All authentication mechanisms work when only one is used. I also tried
entering DOMAIN\user in Internet Explorer and Firefox.

On 15/05/2013 14:31, Carlos Defoe wrote:

> I think the BCP (best current practice) is to use, in sequence:
>
> 1) negotiate_wrapper configured with kerberos and ntlm
> 2) pure ntlm with ntlm_auth
> 3) one basic auth of your choice
>
> Inserting those three methods in sequence on your squid.conf will do the job.
>
> If you have problems with prompted auth, try inserting the user domain
> when authenticating, like "MYDOMAIN\myusername". I've found that
> Internet Explorer needs this.
>

Re: Kerberos and NTLM authentication

Brett Lymn-2
On Wed, May 15, 2013 at 03:45:28PM -0300, Delton wrote:

> That's what (I think) I tried:
>
> auth_param negotiate program /usr/local/bin/squid_kerb_auth -d -s
> HTTP/squidserver.bnpapeis.local
> auth_param negotiate children 5
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl users proxy_auth REQUIRED
> http_access allow users
>
> All authentication mechanisms work when only one is used. I also tried
> to inform DOMAIN\user in Internet Explorer and Firefox.
>

For machines not on the domain using IE go into the advanced settings and
untick "enable Integrated Windows Authentication".

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."

Re: Kerberos and NTLM authentication

Carlos Defoe
As far as I know, the only auth mech that will prompt for password is
the basic one, so you're not enabling one at a time.

But all three enabled shouldn't give you problems anyway...

Try setting
auth_param negotiate keep_alive off
and
auth_param ntlm keep_alive off

Add "--diagnostics" to ntlm_auth lines, so you get more info while debugging.

Also, try two helpers at a time, commenting those negotiate lines, for
example, and try to authenticate in a non-domain machine.

On Wed, May 15, 2013 at 8:28 PM, Brett Lymn wrote:

> On Wed, May 15, 2013 at 03:45:28PM -0300, Delton wrote:
>> That's what (I think) I tried:
>>
>> auth_param negotiate program /usr/local/bin/squid_kerb_auth -d -s
>> HTTP/squidserver.bnpapeis.local
>> auth_param negotiate children 5
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> acl users proxy_auth REQUIRED
>> http_access allow users
>>
>> All authentication mechanisms work when only one is used. I also tried
>> to inform DOMAIN\user in Internet Explorer and Firefox.
>>
>
> For machines not on the domain using IE go into the advanced settings and
> untick "enable Integrated Windows Authentication".
>
> --
> Brett Lymn

Re: Kerberos and NTLM authentication

Brett Lymn-2
On Wed, May 15, 2013 at 10:00:18PM -0300, Carlos Defoe wrote:
> As far as i know, the only auth mech that will prompt for password is
> the basic one, so you're not enabling one per time.
>

I believed that IE will prompt for credentials when using NTLM
iff the machine is not part of the domain.  It also seems that it will
prompt if the proxy is configured for Kerberos and basic auth but the
machine is not part of the domain, so Kerberos won't work; in this case
the authentication never succeeds (hence why I suggested turning off
IWA).  Not sure if this behaviour is a bug or desired behaviour.

--
Brett Lymn

Re: Kerberos and NTLM authentication

Delton
Guys,

I ran some more tests.
Only 'Basic' authentication - worked on devices inside and outside
the domain, but asks for a password;
Only 'Kerberos' authentication - worked in the domain and does not
prompt for a password;
'Kerberos' and 'Basic' authentication:
1 - worked in the domain but asked for the password outside the domain;
2 - outside the domain, 'Internet Explorer' without integrated
authentication worked with the format DOMAIN\user;
3 - after adding the 'auth_param negotiate keep_alive off' option, it worked in
Firefox and in 'Internet Explorer' with the integrated
authentication option checked.

In short, adding the option 'auth_param negotiate keep_alive off'
worked. In Firefox you can simply enter the username and password, and
in 'Internet Explorer' it is necessary to enter DOMAIN\user.

On 15/05/2013 22:12, Brett Lymn wrote:

> On Wed, May 15, 2013 at 10:00:18PM -0300, Carlos Defoe wrote:
>> As far as i know, the only auth mech that will prompt for password is
>> the basic one, so you're not enabling one per time.
>>
> I believed that IE will prompt credentials when using NTLM
> iff the machine is not part of the domain.  It also seems that it will
> prompt if the proxy is configured for kerberos and basic auth but the
> machine is not part of the domain so kerberos won't work, in this case
> the authentication never succeeds (hence why I suggested turning off
> IWA).  Not sure if this behaviour is a bug or desired behaviour.
>

Re: Kerberos and NTLM authentication

Markus Moeller
If the PC which is not in the domain has WINS configured via DHCP you should
also be able to use Kerberos with user@DOMAIN and domain password in the
popup.

Markus

"Delton" wrote in message:

> Guys,
>
> I ran some more tests.
> Only authentication with 'Basic' - worked on devices inside and outside
> the domain, but asks for password;
> With only authentication 'Kerberos' - worked in the domain and does not
> prompt for password;
> Authentication 'Kerberos' and 'Basic':
> 1 - worked in the domain but asked the password out of the domain;
> 2 - out of the domain in 'Internet Explorer' without integrated
> authentication in the format DOMAIN\user worked;
> 3 - adding the 'auth_param negotiate keep_alive off' option, worked in
> Firefox and worked in 'Internet Explorer' with the integrated
> authentication option checked.
>
> In short, adding the option 'auth_param negotiate keep_alive off' worked.
> In Firefox you can simply enter the username and password and the
> 'Internet Explorer' is necessary to inform DOMAIN\user.
>
> On 15/05/2013 22:12, Brett Lymn wrote:
>> On Wed, May 15, 2013 at 10:00:18PM -0300, Carlos Defoe wrote:
>>> As far as i know, the only auth mech that will prompt for password is
>>> the basic one, so you're not enabling one per time.
>>>
>> I believed that IE will prompt credentials when using NTLM
>> iff the machine is not part of the domain.  It also seems that it will
>> prompt if the proxy is configured for kerberos and basic auth but the
>> machine is not part of the domain so kerberos won't work, in this case
>> the authentication never succeeds (hence why I suggested turning off
>> IWA).  Not sure if this behaviour is a bug or desired behaviour.
>>
>
>
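Putting the thread's advice together (Carlos's three schemes in sequence with negotiate_wrapper first, Delton's finding that keep_alive off fixed the non-domain fallback, and "--diagnostics" on the ntlm_auth lines), here is an added squid.conf example; it is not a configuration from any of the posts. The helper paths, the HTTP/ service principal and the negotiate_wrapper argument layout (--ntlm ... --kerberos ...) are assumptions to check against the versions you install; Squid advertises the schemes to the client in the order the auth_param lines appear.

```conf
# 1) Negotiate first: negotiate_wrapper passes SPNEGO/Kerberos tokens to the
#    Kerberos helper and raw NTLMSSP tokens (non-domain clients, or clients
#    without a ticket) to ntlm_auth. Paths and the service principal are assumptions.
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/bin/squid_kerb_auth -d -s HTTP/squidserver.example.local
auth_param negotiate children 10
# keep_alive off is what made the non-domain browsers fall through in the thread.
auth_param negotiate keep_alive off

# 2) Plain NTLM for clients that never send Negotiate.
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive off

# 3) Basic last: it prompts for a password and sends it in cleartext, so it should
#    only ever be reached by clients that support neither scheme above.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Any successfully authenticated user may browse; everything else is denied.
acl users proxy_auth REQUIRED
http_access allow users
http_access deny all
```

With the ntlm_auth --diagnostics output in cache.log you can see which helper each non-domain client actually ends up in while testing the fallback.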