Simple Kerberos/Squid configuration "received type 1 NTLM token"

Simple Kerberos/Squid configuration "received type 1 NTLM token"

barbarossa
Hi,

I have a simple configuration of Squid, with an acl to deny access to users that aren't authenticated. I have set up Kerberos correctly, as the squid server asks for tickets. There is no AD, just a Kerberos server, squid server and Windows XP clients. The Windows client uses Network Identity Manager (MIT) to create a ticket.

I could not find a solution in the mailing list archives and other places on the internet.

When I use the proxy with Firefox (3.6.10, latest version, same on IE), I get:

ERROR
Cache Access Denied

While trying to retrieve the URL: http://dd/

The following error was encountered:

    * Cache Access Denied.

Sorry, you are not currently allowed to request:

    http://dd/

from this cache until you have authenticated yourself.

A keytab file for the proxy exists (squid.keytab) and squid has read access to it. This file is created using "addprinc -randkey squid/MYNETWORK.COM"

I added in the top of the /etc/init.d/squid file the following:

KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME

The squid configuration is as follows:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr root@localhost
coredump_dir /var/spool/squid

When accessing squid from Firefox/IE, I get in cache.log:

2010/09/21 11:41:12| squid_kerb_auth: Got 'YR ElRMTVNTUABBAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgDAAAADw==' from squid (length: 59).
2010/09/21 11:41:12| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/09/21 11:41:12| squid_kerb_auth: received type 1 NTLM token

It is strange that the proxy receives NTLM messages, as it is not configured. What is wrong?

Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller
Are the XP users defined in the Kerberos server?

Markus


"barbarossa" <[hidden email]> wrote in message
news:[hidden email]...

> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2553379.html
> Sent from the Squid - Users mailing list archive at Nabble.com.


Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller
Did you configure Firefox to use the MIT gss library using about:config and
setting network.negotiate-auth.gsslib,
network.negotiate-auth.using-native-gsslib? If not, does NIM push the
credential cache into the MS credential cache (I don't recall if NIM can do
that nowadays)?

Markus


Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

barbarossa
I want to say that in IE 8 (the only version I used for the proxy), I get a login prompt.

> Are the XP users defined in the Kerberos server ?
>
> Markus

No. I just want to authenticate using the ticket I created. Is this not possible?

> Did you configure Firefox to use the MIT gss library using about:config and
> setting network.negotiate-auth.gsslib,
> network.negotiate-auth.using-native-gsslib? If not, does NIM push the
> credential cache into the MS credential cache (I don't recall if NIM can do
> that nowadays)?

Now I tried it with the following values:
*setting network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
*network.negotiate-auth.using-native-gsslib: false

Is this correct?

Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller

"barbarossa" <[hidden email]> wrote in message
news:[hidden email]...

> Now I tried it with the following values:
> *setting network.negotiate-auth.gsslib: C:\Program
> Files\MIT\Kerberos\bin\gssapi32.dll
> *network.negotiate-auth.using-native-gsslib: false
>
> Is this correct?

Yes this should work.




Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller

"Markus Moeller" <[hidden email]> wrote in message
news:i7qqri$kuv$[hidden email]...

>
> Yes this should work.

Correction. You also have to set:

network.auth.use-sspi      false

Markus



Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

barbarossa
So, I set the following in about:config (Firefox):
*network.auth.use-sspi: false
*network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
*network.negotiate-auth.using-native-gsslib: false

Then I got in /var/log/squid/cache.log:
squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name

After searching the mailing lists, I saw that the principal did exist but I had 2 keytab files. One of them was old and squid used the old one.

Now, Firefox works! Great.

As for IE, it shows a login dialog; when entering username@REALM I get:

2010/09/28 11:44:28| squid_kerb_auth: Got 'YR YIICLgYGKwYBBQUCoIICIjCCAh6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCAfQEggHwYIIB7AYJKoZIhvcSAQICAQBuggHbMIIB16ADAgEFoQMCAQ6iBwMFACAAAACjggEFYYIBATCB/qADAgEFoQsbCVZVQi5BQy5CRaImMCSgAwIBAqEdMBsbBEhUVFAbE2JpYmxwYzA4My5WVUIuQUMuQkWjgcEwgb6gAwIBF6EDAgEDooGxBIGuRlcmAe5EkRJ96vVgsuXySbzRyqbhbf0Ciymg0M2PTGhZzGNygccoy7qFrSK0IL1mlFZrtR/9kjAFvEOrbi5MQKvhTKelWJ+AW5sNSv0MCLrifZ9I4iYVzC8ykuEuynLFVNrFrXvR1X8o9GE0WKBiQH1qGrLPihRqqxVTwPIYFjvJHfOj4hNQKYoNgTPe8gyVOcoFNgSKM5x8nvUo7yMkMGDZl37rKEN+SF5T1RclpIG4MIG1oAMCAReiga0EgaohkYCppLKIRyD9lOdHwFa892QilUpoDEON8P6RpBbDaANc/2QRKk3inxTujwUzUuDZ7yd2w7oYHzRtnT8I2UUWN31lPIZpinURAtVq87klW9SCQkjBy7Kco2HdvicJnwUcnpk28X0nOsjol0Mm+4ysDDBe4aCzN3Qd6fjdsOvH8/Eh5ckCMlBTr3sLhrfmQGnmmqAHztvL54g87c2Qq+xHvvU5F/6pIE/U7Q==' from squid (length: 755).
2010/09/28 11:44:28| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/09/28 11:44:28| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found

So, IE does not use the MIT kerberos ticket I created. Is there a way to configure it?

Thanks.

Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller

"barbarossa" <[hidden email]> wrote in message
news:[hidden email]...

> 2010/09/28 11:44:28| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/09/28 11:44:28| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information. Key
> table
> entry not found

This does not look too bad as it seems to be a Kerberos, not an NTLM, token. Did
you use the correct fqdn for the squid proxy in your IE configuration (e.g.
the exact same name as used for the keytab entry)? Can you capture the
traffic to squid (usually port 3128) with wireshark? It should tell you
the details of the ticket from the Negotiate exchange.

>
> So, IE does not use the MIT kerberos ticket I created. Is there a way to
> configure it?
>

What you might be able to do and want already seems to have happened is that
XP is looking for a kdc via DNS. Can you check the DNS port 53 traffic and
Kerberos traffic on port 88 from your XP system using wireshark?

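Markus's suggestion above is to read the ticket details out of a wireshark capture of the Negotiate exchange. The same details can be read straight from the base64 blob that squid_kerb_auth writes to cache.log after "Got 'YR ", which helps with both symptoms in this thread: the "received type 1 NTLM token" message at the start, and the "Key table entry not found" error in the post above. The Python below is an added example, not code from this thread or from Squid. It classifies a token as NTLM or GSS/SPNEGO the way the helper does, lists the mechanisms a NegTokenInit offers, extracts realm, service principal, etype and kvno from an embedded Kerberos AP-REQ, and checks those against a keytab listing. The tokens it decodes are constructed inside the file (EXAMPLE.COM and proxy.example.com are placeholders, not anything from the thread); to decode a real log line, pass the blob to describe_b64().

```python
"""Decode the token squid_kerb_auth logs after "Got 'YR ...'" (added example, not
code from the thread or from Squid; EXAMPLE.COM / proxy.example.com below are
constructed placeholders, not captured traffic)."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "MS-Kerberos", NTLMSSP_OID: "NTLMSSP"}

# ---- minimal DER encode/decode, enough for GSS / SPNEGO / Kerberos framing ----
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf, pos=0):
    """(tag, value, position after the TLV) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(buf):
    """All (tag, value) pairs laid out back to back in buf."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def unwrap(buf):      # value of the first TLV in buf
    return read_tlv(buf)[1]
def tagged(seq_tlv):  # context tag ([0] -> 0xA0, [1] -> 0xA1, ...) -> value, for a SEQUENCE TLV
    return dict(children(unwrap(seq_tlv)))

# ---- decoding ----------------------------------------------------------------
def describe_ap_req(ap_req):
    """Realm, service principal, etype and kvno named by the AP-REQ's Ticket."""
    req = tagged(unwrap(ap_req))       # AP-REQ ::= [APPLICATION 14] SEQUENCE
    tkt = tagged(unwrap(req[0xA3]))    # ticket [3] Ticket ::= [APPLICATION 1] SEQUENCE
    parts = children(unwrap(tagged(tkt[0xA2])[0xA1]))   # sname [2] PrincipalName.name-string
    enc = tagged(tkt[0xA3])            # enc-part [3] EncryptedData
    return {"realm": unwrap(tkt[0xA1]).decode(),
            "sname": "/".join(v.decode() for _, v in parts),
            "etype": int.from_bytes(unwrap(enc[0xA0]), "big"),
            "kvno": int.from_bytes(unwrap(enc[0xA1]), "big")}

def describe_token(raw):
    """Classify a token as squid_kerb_auth does: NTLM signature first, then GSS framing."""
    if raw.startswith(b"NTLMSSP\x00"):   # what the helper reports as "received type N NTLM token"
        return {"kind": "NTLM", "type": int.from_bytes(raw[8:12], "little")}
    if len(raw) < 2 or raw[0] != 0x60:   # not a GSS-API InitialContextToken
        return {"kind": "unknown"}
    body = unwrap(raw)
    _, oid, pos = read_tlv(body)
    if oid in (KRB5_OID, MS_KRB5_OID):   # bare Kerberos: OID, TOK_ID 01 00, then the AP-REQ
        return {"kind": "Kerberos", "mech": OID_NAMES[oid], **describe_ap_req(body[pos + 2:])}
    if oid != SPNEGO_OID:
        return {"kind": "unknown"}
    info = {"kind": "SPNEGO", "mechs": []}
    for tag, val in tagged(unwrap(body[pos:])).items():   # [0] NegTokenInit ::= SEQUENCE
        if tag == 0xA0:                  # mechTypes: mechanisms the client is willing to use
            info["mechs"] = [OID_NAMES.get(v, v.hex()) for _, v in children(unwrap(val))]
        elif tag == 0xA2:                # mechToken: the first mechanism's own initial token
            info["inner"] = describe_token(unwrap(val))
    return info

def describe_b64(blob):                  # entry point for the base64 after "Got 'YR " in cache.log
    return describe_token(base64.b64decode(blob))
def keytab_has_match(krb, keytab):
    """keytab: (principal, kvno, etype) triples as klist -ket lists them; the acceptor needs all
    three to line up, or the GSS error is 'Key table entry not found' / 'No principal in keytab'."""
    return (f"{krb['sname']}@{krb['realm']}", krb["kvno"], krb["etype"]) in set(keytab)

# ---- constructed samples (not captured traffic) ------------------------------
def sample_ntlm1_b64():
    """NTLMSSP NEGOTIATE (type 1): signature, message type, flags, empty name fields."""
    raw = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xA2088207).to_bytes(4, "little") + bytes(16)
    return base64.b64encode(raw).decode()

def sample_spnego_b64(realm, host, etype=23, kvno=3):
    """SPNEGO NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP whose mechToken is a
    Kerberos AP-REQ for HTTP/<host>@<realm>; the encrypted parts are zero-filled dummies."""
    def small_int(n): return tlv(0x02, bytes([n]))
    name = tlv(0xA0, small_int(2)) + tlv(0xA1, tlv(0x30, tlv(0x1B, b"HTTP") + tlv(0x1B, host.encode())))
    enc = tlv(0xA0, small_int(etype)) + tlv(0xA1, small_int(kvno)) + tlv(0xA2, tlv(0x04, bytes(16)))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, small_int(5)) + tlv(0xA1, tlv(0x1B, realm.encode()))
                         + tlv(0xA2, tlv(0x30, name)) + tlv(0xA3, tlv(0x30, enc))))
    authenticator = tlv(0x30, tlv(0xA0, small_int(etype)) + tlv(0xA2, tlv(0x04, bytes(8))))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, small_int(5)) + tlv(0xA1, small_int(14))
                         + tlv(0xA2, tlv(0x03, b"\x00\x20\x00\x00\x00"))   # ap-options: mutual-required
                         + tlv(0xA3, ticket) + tlv(0xA4, authenticator)))
    krb = tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    mechs = tlv(0xA0, tlv(0x30, tlv(0x06, MS_KRB5_OID) + tlv(0x06, KRB5_OID) + tlv(0x06, NTLMSSP_OID)))
    spnego = tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30, mechs + tlv(0xA2, tlv(0x04, krb)))))
    return base64.b64encode(spnego).decode()

if __name__ == "__main__":
    print(describe_b64(sample_ntlm1_b64()))
    info = describe_b64(sample_spnego_b64("EXAMPLE.COM", "proxy.example.com"))
    print(info, keytab_has_match(info["inner"], [("HTTP/proxy.example.com@EXAMPLE.COM", 3, 23)]))
```

The DER handling covers only the fixed framing these tokens use (definite short and long lengths, context and application tags), which is enough for GSS, SPNEGO and the Ticket inside an AP-REQ. What a defender wants from the output is that sname, realm, kvno and etype agree with what klist -ket shows for the keytab squid actually opens (the one KRB5_KTNAME points at); if any of the three differs, the helper has no key to try and fails exactly as in the log lines above.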



Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

barbarossa
I don't know why, but authenticating in the IE login dialog using kerberos credentials works now (user@REALM.COM, same as for FF).

For most of the page requests, squid writes to cache.log logs as the following:

2010/09/29 11:19:50| squid_kerb_auth: Got 'YR YIICOQYGKwYBBQUCoIICLTCCAimgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCAf8EggH7YIIB9wYJKoZIhvcSAQICAQBuggHmMIIB4qADAgEFoQMCAQ6iBwMFACAAAACjggEMYYIBCDCCAQSgAwIBBaELGwlWVUIuQUMuQkWiJjAkoAMCAQKhHTAbGwRIVFRQGxNiaWJscGMwODMudnViLmFjLmJlo4HHMIHEoAMCARChAwIBB6KBtwSBtPoenXEkU4igJAThT303vjwwg341PcMmhtLaUG2gZmawDKB/X3sNckogjaW8Wi369+gAImmO6wDwI+Yk8ZTvkBrLWhtBZqUuYteErlaOganW5aNwOYFAs14RMtlafCNtiZfwAQwPM56aNMDEykBXu9k6y00LDkExdAHlWX1DySmoI8r0W281EKmQ/QyUiZcahoHepQiXrW7JdnFicdcYqmLq2rkMlGzJnUyhVO+vA5PE7pmlq6SBvDCBuaADAgEXooGxBIGuT/78/guqfh1tzh/JOmeIiEzL3m3ZLNkMIWyqvoq23+ZEKBVZTWK1XPbg3cczH1L2S0tm2tLRjIyZQWmW8SkyMLFNgB7krSQBmqLQ4sTxsVCKtcRFwPsqZD5YL6Enzh/gTcYP/WgfncPOaD2+/tT7NYzxedaoHjfg5WbS163YujIu7eMHh2xQ08n53JBhhwDfOQdAtnSrlNgUsoQJwPsL+6eDziGQKcEFFw9MM8dJ' from squid (length: 767).
2010/09/29 11:19:50| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/09/29 11:19:50| squid_kerb_auth: AF oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWktM3mOHT3CdVuGDl7VN64DKZ478GfooqXyH+JFSlneeXjdxNpRCxIF1JD0mfn+gLL0ud5P7SOHMbDX3cDj4B14ghldzGdKUyoFBZbGKoNSZMT3sCDEw0Gx2MA== user@REALM.COM

Is this normal?

As for IE, it probably deletes the ticket it created when exiting, as each time I exit I must reauthenticate.  Why does it not use the MIT ticket? Is there a solution for this (creating "Windows" Kerberos tickets, configuring IE to use MIT tickets, ...).

Thanks!

Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller

"barbarossa" <[hidden email]> wrote in message
news:[hidden email]...

> 2010/09/29 11:19:50| squid_kerb_auth: parseNegTokenInit failed with rc=102
> Is this normal?
>

Yes this (parseNegTokenInit failed with rc=102) is normal for a Kerberos
library which does not support SPNEGO natively.

> As for IE, it probably deletes the ticket it created when exiting, as each
> time I exit I must reauthenticate.  Why does it not use the MIT ticket? Is
> there a solution for this (creating "Windows" Kerberos tickets,
> configuring
> IE to use MIT tickets, ...).
>

This is a security feature in Windows. It is not possible for an external
application to write into the ticket cache. For Vista/7 it might be
possible, but I think the netidmgr has not implemented it.

You could set up your systems to authenticate users against the kdc, e.g. use
the kdc like an AD server together with a mapping of local users to kdc
users. (There have been blogs about this although I don't recall the link)


Markus



Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

Markus Moeller

"Markus Moeller" <[hidden email]> wrote in message
news:i806q2$qmh$[hidden email]...

>
> You could set up your systems to authenticate users against the kdc, e.g.
> use the kdc like an AD server together with a mapping of local users to
> kdc users. (There have been blogs about this although I don't recall the
> link)
>

This might be a starting point
http://technet.microsoft.com/en-us/library/cc736890%28WS.10%29.aspx and
http://sial.org/howto/kerberos/windows/
