squid_kerb_auth received type 1 NTLM token


squid_kerb_auth received type 1 NTLM token

lieven-2
Dear list,

I currently have a problem where it seems that my clients, the web browsers
Firefox 3.5 and IE8, only return NTLM tokens for authentication
instead of Kerberos.

This is the error in the cache log from squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH received type 1 NTLM token'
...


squid has been configured like this:
./configure --enable-negotiate-auth-helpers=squid_kerb_auth
--enable-stacktraces --prefix=/opt/squid-3.1.3
make and make install went fine.

the squid box is a cleanly installed debian lenny i386.

Squid itself seems to run fine, I can browse through it.

Then my goal to use Kerberos authentication fails with the error above.
In my krb5.conf I have the following info in my realm:
    kdc = xxx.xxx.xxx.xxx
    admin_server = xxx.xxx.xxx.xxx
these are the libdefaults:
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/HTTP.keytab
    ticket_lifetime = 24h

the /etc/HTTP.keytab file is like this:
-rw-r----- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
squid is running as user "squid"

First I got a kerberos ticket with:
kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a windows 2008 dc and I used msktutil
like this:
msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k
/etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local
--server ad2008srvr.domain.local --verbose --enctypes 28

The squid config file is quite basic (only the relevant parts here, I think):
auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED


DNS seems to work alright, the AD server is used for dns and has a
working A and PTR record for the squid3-proxy.domain.local server
because the A and PTR lookups return the correct results when run from
the server and from the clients.

Is there anybody out there who can help me troubleshoot this problem?
I found tutorials where the keytab file is created on the windows server
but that's not necessary if I use the msktutil, right?

Thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven

Re: squid_kerb_auth received type 1 NTLM token

Markus Moeller
Can you get a Wireshark capture of port 53 (DNS), port 88 (Kerberos) and
port 3128 (squid) from your client machine when you try to surf? Can you
also install kerbtray from Microsoft to list the tickets in your client's
Kerberos cache?

Regards
Markus


Re: squid_kerb_auth received type 1 NTLM token

Lieven-4
Hello Markus,

Sorry for my slow reaction.


1) I did a klist on the squid server and got this ticket:

squid3-proxy:/var/log/squid-3.1.3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]
Valid starting     Expires            Service principal
05/09/10 14:35:00  05/10/10 00:34:04  krbtgt/[hidden email]
    renew until 05/10/10 14:35:00
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

=> Do I have to renew this ticket from the server every day? I thought that I
only needed this ticket once to get my squid server into the AD domain
with the msktutil?


2) I installed the kerbtray tool from the Windows 2003 tools on my XP PC.
My XP PC is connected via a Windows VPN for this test; I log on with my
domain credentials, and connecting to the VPN works fine. As soon as I try
to connect to a site via the squid3-proxy server, I get one ticket in kerbtray.
This is the only ticket I have in the list:
krbtgt/DOMAIN.LOCAL for the client principal: [hidden email]
the service name is: krbtgt/[hidden email]
target name is: krbtgt/[hidden email]
flags: forwardable, renewable, preauthenticated, initial
encryption types: ticket encryption time: etype 18 and key encryption
type: etype 0

regarding DNS, I doublechecked and A and PTR lookup are ok from the client.


3) When I open a site in my Firefox browser on the client, where I put the
FQDN name as proxy server, I see the following in the cache.log on squid:

2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:03| authenticateNegotiateHandleReply: Error validating
user via
Negotiate. Error returned 'BH received type 1 NTLM token'
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/05/09 14:59:04| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:04| authenticateNegotiateHandleReply: Error validating
user via
Negotiate. Error returned 'BH received type 1 NTLM token'


4) It seems that winpcap 4.1, which I installed on my client, is not able
to scan the ppp interface which I use to connect to the Windows VPN.
I will send a dump from that traffic as soon as I have access to a PC at the
location (non VPN).

How do I add a dump from Wireshark?
I got a tcpdump on the squid server, which I opened in Wireshark and then
exported as a plaintext file (all captured traffic, 49 packets), but it's
quite large (about 917 lines).


Thanks for your help.

kind regards,
Lieven

Re: squid_kerb_auth received type 1 NTLM token

Markus Moeller
Hi Lieven

"Lieven" <[hidden email]> wrote in message
news:[hidden email]...

> Hello Markus,
>
> Sorry for my slow reaction.
>
>
> 1) I did a klist on the squid server and got this ticket:
>
> squid3-proxy:/var/log/squid-3.1.3# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [hidden email]
> Valid starting     Expires            Service principal
> 05/09/10 14:35:00  05/10/10 00:34:04  krbtgt/[hidden email]
>    renew until 05/10/10 14:35:00
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> => Do I have to renew this ticket from the server every day? I thought that
> I only needed this ticket once to get my squid server into the AD domain
> with the msktutil?
>


As you say this is only for the one time use of msktutil.

>
> 2) I installed the kerbtray tool from the Windows 2003 tools on my XP PC.
> My XP PC is connected via a Windows VPN for this test; I log on with my
> domain credentials, and connecting to the VPN works fine. As soon as I try
> to connect to a site via the squid3-proxy server, I get one ticket in kerbtray.
> This is the only ticket I have in the list:
> krbtgt/DOMAIN.LOCAL for the client principal: [hidden email]
> the service name is: krbtgt/[hidden email]
> target name is: krbtgt/[hidden email]
> flags: forwardable, renewable, preauthenticated, initial
> encryption types: ticket encryption time: etype 18 and key encryption
> type: etype 0
>

That looks good

> regarding DNS, I doublechecked and A and PTR lookup are ok from the
> client.
>
>
> 3) When I open a site in my firefox browser on the client where I put the
> fqdn

What you should see is a request from the client to Active Directory asking
for a TGS for HTTP/<fqdn of proxy>. If that does not happen, or gets refused
by AD, the client will fall back to NTLM (wrapped into the Negotiate
response), which is what you see on the proxy.

> name as proxyserver, I see following in the cache.log on squid:
>
> 2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2010/05/09 14:59:03| authenticateNegotiateHandleReply: Error validating
> user via
> Negotiate. Error returned 'BH received type 1 NTLM token'
> 2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/05/09 14:59:04| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2010/05/09 14:59:04| authenticateNegotiateHandleReply: Error validating
> user via
> Negotiate. Error returned 'BH received type 1 NTLM token'
>
>
> 4) It seems that winpcap 4.1, which I installed on my client, is not able
> to scan the ppp interface which I use to connect to the Windows VPN.
> I will send a dump from that traffic as soon as I have access to a PC at
> the location (non VPN).
>
> How do I add a dump from Wireshark?
> I got a tcpdump on the squid server, which I opened in Wireshark and then
> exported as a plaintext file (all captured traffic, 49 packets), but it's
> quite large (about 917 lines).
>

In wireshark you can select the lines you want to export (e.g. only port 88
and port 53) as a .cap file.

>
> Thanks for your help.
>
> kind regards,
> Lieven
>

Regards
Markus

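The fallback Markus describes can be confirmed straight from the helper's debug line: the token squid logged is raw NTLMSSP, not a SPNEGO-wrapped Kerberos AP-REQ. The following Python is an added example, not code from the thread or from Squid; it pulls the tokens out of squid_kerb_auth -d lines (the "Got 'YR ...' from squid" format shown above), classifies each one, and decodes the NTLM NEGOTIATE flags and client version. It assumes the MS-NLMP NEGOTIATE_MESSAGE layout and the standard GSS-API mechanism OIDs; the "NTLMSSP inside SPNEGO" substring check is a heuristic of mine, not how squid_kerb_auth unwraps tokens.

```python
"""Classify the client token that squid hands to its negotiate helper.

Squid passes each client token to the helper as 'YR <base64>' (first
round) or 'KK <base64>' (continuation).  A Kerberos-capable client sends a
GSS-API InitialContextToken (SPNEGO wrapping an AP-REQ); a client that
fell back to NTLM sends raw NTLMSSP, which squid_kerb_auth rejects with
'BH received type 1 NTLM token'.  Layouts follow MS-NLMP and RFC 2743.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER OBJECT IDENTIFIER encodings of the two mechanism OIDs we expect.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"              # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"    # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    NTLMSSP_NEGOTIATE_VERSION: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# Matches the squid_kerb_auth -d line "DEBUG: Got 'YR <b64>' from squid";
# \s+ tolerates the line wrapping a mail client adds, as in the thread.
HELPER_LINE_RE = re.compile(r"Got '(YR|KK)\s+([A-Za-z0-9+/=]+)' from squid")


def tokens_from_cache_log(text):
    """Yield (prefix, raw token bytes) for every helper request logged in text."""
    for prefix, b64 in HELPER_LINE_RE.findall(text):
        yield prefix, base64.b64decode(b64, validate=True)


def _der_body(raw, offset):
    """Return the content octets that follow the DER length at raw[offset]."""
    first = raw[offset]
    if first < 0x80:                               # short form: one length byte
        return raw[offset + 1:]
    return raw[offset + 1 + (first & 0x7F):]       # long form: skip the length bytes


def parse_ntlm(raw):
    """Decode the fixed part of an NTLMSSP message (MS-NLMP section 2.2.1)."""
    if len(raw) < 16:
        return {"kind": "ntlmssp", "error": "truncated"}
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    info = {
        "kind": "ntlmssp",
        "message_type": msg_type,      # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
        "flags": flags,
        "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
    }
    # The 8-byte Version field at offset 32 is only present with NEGOTIATE_VERSION.
    if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["client_version"] = (major, minor, build)
    return info


def classify_token(raw):
    """Say what kind of Negotiate token the client produced."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return parse_ntlm(raw)
    # RFC 2743 InitialContextToken: [APPLICATION 0] (0x60), length, mech OID, ...
    if raw[:1] == b"\x60" and len(raw) > 2:
        body = _der_body(raw, 1)
        if body.startswith(SPNEGO_OID):
            # Heuristic (assumption): NTLMSSP carried inside SPNEGO is still
            # an NTLM fallback, just wrapped.
            kind = "ntlmssp-in-spnego" if NTLMSSP_SIGNATURE in body else "spnego"
            return {"kind": kind}
        if body.startswith(KRB5_OID):
            return {"kind": "krb5"}
    return {"kind": "unknown"}


def ntlm_fallbacks(text):
    """Return one summary per NTLM NEGOTIATE token found in a cache.log excerpt."""
    hits = []
    for prefix, raw in tokens_from_cache_log(text):
        info = classify_token(raw)
        if info["kind"] == "ntlmssp" and info.get("message_type") == 1:
            hits.append({"prefix": prefix, "flags": info["flags"],
                         "client_version": info.get("client_version")})
    return hits


# Constructed excerpt: the first helper line is the token from the thread's
# cache.log (wrapped as the mail client wrapped it); the second is a made-up
# SPNEGO token header so the classifier has a Kerberos-style case to compare.
SAMPLE_CACHE_LOG = (
    "2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR\n"
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid\n"
    "(length: 59).\n"
    "2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token\n"
    "2010/05/09 15:01:10| squid_kerb_auth: DEBUG: Got 'YR "
    + base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode() + "' from squid\n"
)

if __name__ == "__main__":
    for hit in ntlm_fallbacks(SAMPLE_CACHE_LOG):
        print("NTLM fallback: flags=0x%08x client_version=%s"
              % (hit["flags"], hit["client_version"]))
```

On the thread's token this reports an NTLM NEGOTIATE from a 5.1 build 2600 client (Windows XP), which matches the XP PC Lieven was testing from.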


Re: squid_kerb_auth received type 1 NTLM token

lieven-2
Hello again,

This time, I got access to a pc in the AD domain.

When I monitor both UDP and TCP port 88, there is Kerberos communication
to be seen, but it doesn't look right.
From the AD server to the client I see the following error:
krb5kdc_err_s_principal_unknown

It looks like this: (only krb5 and some tcp lines)
1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
2. client -> server: AS-REQ
3. server -> client: KRB Error: krb5kdc_err_preauth_required
4. client -> server: AS-REQ
5. server -> client: AS-REP
6. client -> server: AS-REQ
7. server -> client: KRB Error: krb5kdc_err_preauth_required
...{4-7} X7

This sequence, starting from 3, is repeated a few times, as many times as
I had to enter credentials in the IE popup.

Here is a detail from the error packet principal unknown:
No.  Time      Source    Destination  Protocol  Info
6    0.009940  X.X.X.X   X.X.X.X      KRB5      KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
(65248), Seq: 1, Ack: 1660, Len: 125
Kerberos KRB-ERROR
     Record Mark: 121 bytes
     Pvno: 5
     MSG Type: KRB-ERROR (30)
     stime: 2010-05-11 10:44:11 (UTC)
     susec: 313474
     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
     Realm: DOMAIN.LOCAL
     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
         Name-type: Service and Instance (2)
         Name: HTTP
         Name: squid3-proxy.domain.local

On this client PC, which is a Windows Vista machine, I have different Kerberos
tickets (as per kerbtray):

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local

The encryption types are for all tickets:
Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)

The client principal is [hidden email]


I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
lookup of the requested site and then a reply from the adserver (also
dns) with the ip of the site.
I don't see any lookup of the proxy-server fqdn that is put as the
connection proxy setting in the browser. (it is squid3-proxy.domain.local)



Next, I tried to follow the requests on port 3128 tcp to the proxyserver:

1) the client requests a webpage to the proxyserver on port 3128: "GET
http://www.google.be/ HTTP/1.1" (http protocol)
2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
Requied (text/html)"
3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
NTLMSSP_NEGOTIATE"

Between each point there is some tcp syn/ack/fin traffic which I can
post if needed.

The last 2 points are repeated a few times where the proxy requests
authentication, expecting kerberos and the client responding with ntlm
for some reason.

In Firefox it is the same as in IE: proxy auth required, followed by an
ntlmssp_negotiate from the client.



Why I don't get Kerberos to work is a mystery to me, as it seems to work
in the domain itself when computers authenticate to get access to shares
etc...

Any clues welcome.

thanks,

Lieven

--

Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem

Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45


Re: squid_kerb_auth received type 1 NTLM token

lieven-2
How can I check this bind compatibility? The server is a windows 2008 so
I assumed it just used kerberos when I added the vista pc to the domain.

Yes, I have the same visible behavior with an XP client, although I could
not check Wireshark on port 88 because the XP is connected via VPN.

thanks,
Lieven


Tim Neto wrote:

> How is the Vista machine bound to the Active Directory domain?  NTLM
> compatibility?  Does the same behavior occur with an XP client?
>
> ----------------------------------------------------------------------
> Timothy E. Neto
> Computer Systems Engineer     SMS Construction and Mining Systems Inc.
> E-M: [hidden email]        5985 McLaughlin Road
> Ph#: 905-283-2770 x265        Mississauga, Canada
> Fax: 905-283-2779             L5R 1B8
> ----------------------------------------------------------------------
>
>
> On 5/11/2010 8:27 AM, lieven wrote:

Re: squid_kerb_auth received type 1 NTLM token

Markus Moeller
Hi Lieven,

The problem seems to be the krb5kdc_err_s_principal_unknown error. If you
took the capture earlier you should have seen a TGS REQ in Wireshark for
HTTP/squid3-proxy.domain.local, and AD says it does not know anything about this
principal. Can you search AD to see if you have an entry with
serviceprincipalname=HTTP/squid3-proxy.domain.local, using adsiedit.msc for
example?

If you had got a successful reply it would be a TGS REP, and kerbtray
would show
DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
|_ HTTP/squid3-proxy.domain.local/domain.local


Regards
Markus


Re: squid_kerb_auth received type 1 NTLM token

Lieven-4
That seems to clarify my problems. Thank you.

After the msktutil, I saw that a new computer object had been made in
the AD.
In adsiedit, I opened this squid3-proxy computer account and checked its
service principal name.
There was only "HTTP/domain.local", so I manually added
"HTTP/squid3-proxy.domain.local".
Then, after I did a new web request via the proxy server, I saw this
HTTP/squid3-proxy.domain.local service principal in kerbtray.
Only, it still pops up with an authentication request, so I'm not there yet.

Anyway, tomorrow I'll have access to the local pc and a wireshark trace
will probably help me solve this further.

thanks for all the effort already.

cheers.
Lieven


Markus Moeller wrote:

> Hi Lieven,
>
> The problem seems to be the krb5kdc_err_s_principal_unknown error. If
> you took the capture earlier shoudl have seen a TGS REQ in wireshark
> for HTTP/squid3-proxy.domain.local and AD says it does not anything
> about this principal.  Can you search AD if you have an entry with
> serviceprincipalname=HTTP/squid3-proxy.domain.local using adsiedit.msc
> for example ?
>
> If you would have got a successful reply it would be a TGS REP and
> kerbtray would show
> DOMAIN.LOCAL
> |_ cifs/adserver1.domain.local
> |_ krbtgt/DOMAIN.LOCAL
> |_ krbtgt/DOMAIN.LOCAL
> |_ LDAP/adserver1.domin.local/domain.local
> |_ ProtectedStorage/adserver1.domain.local
> |_ HTTP/asquid3-proxy.domain.local/domain.local
>
>
> Regards
> Markus
>
> "lieven" <[hidden email]> wrote in message news:[hidden email]...
>> Hello again,
>>
>> This time, I got access to a pc in the AD domain.
>>
>> When I monitor for both udp and tcp port 88, there is krb communication
>> to be seen but it doesn't look right.
>> From AD server to client I see the following error:
>> krb5kdc_err_s_principal_unknown
>>
>> It looks like this: (only krb5 and some tcp lines)
>> 1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
>> 2. client -> server: AS-REQ
>> 3. server -> client: KRB Error: krb5kdc_err_preauth_required
>> 4. client -> server: AS-REQ
>> 5. server -> client: AS-REP
>> 6. client -> server: AS-REQ
>> 7. server -> client: KRB Error: krb5kdc_err_preauth_required
>> ...{4-7} X7
>>
>> this sequence, starting from 3 is repeated a few times, as many times as
>> I had to enter credentials in IE popup.
>>
>> Here is a detail from the error packet principal unknown:
>> No.     Time        Source                Destination           Protocol
>> Info
>>       6 0.009940    X.X.X.X          X.X.X.X          KRB5     KRB
>> Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>
>> Frame 6 (179 bytes on wire, 179 bytes captured)
>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
>> Dell_48:f3:90 (00:24:e8:48:f3:90)
>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
>> (65248), Seq: 1, Ack: 1660, Len: 125
>> Kerberos KRB-ERROR
>>     Record Mark: 121 bytes
>>     Pvno: 5
>>     MSG Type: KRB-ERROR (30)
>>     stime: 2010-05-11 10:44:11 (UTC)
>>     susec: 313474
>>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>>     Realm: DOMAIN.LOCAL
>>     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>>         Name-type: Service and Instance (2)
>>         Name: HTTP
>>         Name: squid3-proxy.domain.local
>>
>> On this client pc, it is a windows vista, I have different kerberos
>> tickets: (as per kerbtray)
>>
>> DOMAIN.LOCAL
>> |_ cifs/adserver1.domain.local
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ LDAP/adserver1.domin.local/domain.local
>> |_ ProtectedStorage/adserver1.domain.local
>>
>> The encryption types are for all tickets:
>> Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption
>> type)
>>
>> The client principal is [hidden email]
>>
>>
>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
>> lookup of the requested site and then a reply from the adserver (also
>> dns) with the ip of the site.
>> I don't see any lookup of the proxy-server fqdn that is put as the
>> connection proxy setting in the browser. (it is
>> squid3-proxy.domain.local)
>>
>>
>>
>> Next, I tried to follow the requests on port 3128 tcp to the
>> proxyserver:
>>
>> 1) the client requests a webpage to the proxyserver on port 3128: "GET
>> http://www.google.be/ HTTP/1.1" (http protocol)
>> 2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
>> Requied (text/html)"
>> 3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
>> NTLMSSP_NEGOTIATE"
>>
>> Between each point there is some tcp syn/ack/fin traffic which I can
>> post if needed.
>>
>> The last 2 points are repeated a few times where the proxy requests
>> authentication, expecting kerberos and the client responding with ntlm
>> for some reason.
>>
>> In Firefox, It is the same as IE, proxy auth required followd by an
>> ntlmssp_negotiate from the client.
>>
>>
>>
>> Why I don't get kerberos to work is a mistery to me as it seems to work
>> in the domain itself when computers authenticate to get access to shares
>> etc...
>>
>> Any clues welcome.
>>
>> thanks,
>>
>> Lieven
>>
>> --
>>
>> Please Visit us at V-ICT-OR shopt IT
>> 25 May 2010 - De Montil - Affligem
>>
>> Lieven De Puysseleir
>> BA N.V. - http://www.ba.be
>> Dalemhof 28, 3000 Leuven
>> tel: 0032 (0)16 29 80 45
>>
>
>

Re: Re: squid_kerb_auth received type 1 NTLM token

Markus Moeller
Changing the name may not be enough. Delete the AD entry and the keytab and
create a new entry with keytab.

Regards
Markus

"Lieven" <[hidden email]> wrote in message
news:[hidden email]...

> That seems to clarify my problems. thank you.
>
> After the msktutil, I saw that a new computer object had been made in the
> AD.
> In adsiedit, I opened this squid3-proxy computer account and checked its
> principalname service.
> There was only "HTTP/domain.local" so I manually added
> "HTTP/squid3-proxy.domain.local".
> Then after I did a new webrequest via the proxyserver, I saw this
> HTTP/squid3-proxy.domain.local service principal in kerbtray.
> Only, it still pops up with an authentication request so I'm not yet there.
>
> Anyway, tomorrow I'll have access to the local pc and a wireshark trace
> will probably help me solve this further.
>
> thanks for all the effort already.
>
> cheers.
> Lieven
>
>
> Markus Moeller wrote:
>> Hi Lieven,
>>
>> The problem seems to be the krb5kdc_err_s_principal_unknown error. If you
>> took the capture earlier you should have seen a TGS REQ in wireshark for
>> HTTP/squid3-proxy.domain.local and AD says it does not know anything about
>> this principal.  Can you search AD to see if you have an entry with
>> serviceprincipalname=HTTP/squid3-proxy.domain.local, using adsiedit.msc
>> for example?
>>
>> If you had got a successful reply it would be a TGS REP and
>> kerbtray would show
>> DOMAIN.LOCAL
>> |_ cifs/adserver1.domain.local
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ LDAP/adserver1.domin.local/domain.local
>> |_ ProtectedStorage/adserver1.domain.local
>> |_ HTTP/asquid3-proxy.domain.local/domain.local
>>
>>
>> Regards
>> Markus
>>
>> "lieven" <[hidden email]> wrote in message news:[hidden email]...
>>> Hello again,
>>>
>>> This time, I got access to a pc in the AD domain.
>>>
>>> When I monitor for both udp and tcp port 88, there is krb communication
>>> to be seen but it doesn't look right.
>>> From AD server to client I see the following error:
>>> krb5kdc_err_s_principal_unknown
>>>
>>> It looks like this: (only krb5 and some tcp lines)
>>> 1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
>>> 2. client -> server: AS-REQ
>>> 3. server -> client: KRB Error: krb5kdc_err_preauth_required
>>> 4. client -> server: AS-REQ
>>> 5. server -> client: AS-REP
>>> 6. client -> server: AS-REQ
>>> 7. server -> client: KRB Error: krb5kdc_err_preauth_required
>>> ...{4-7} X7
>>>
>>> This sequence, starting from 3, is repeated a few times, as many times as
>>> I had to enter credentials in the IE popup.
>>>
>>> Here is a detail from the error packet principal unknown:
>>> No.     Time        Source                Destination           Protocol
>>> Info
>>>       6 0.009940    X.X.X.X          X.X.X.X          KRB5     KRB
>>> Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>>
>>> Frame 6 (179 bytes on wire, 179 bytes captured)
>>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
>>> Dell_48:f3:90 (00:24:e8:48:f3:90)
>>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
>>> (65248), Seq: 1, Ack: 1660, Len: 125
>>> Kerberos KRB-ERROR
>>>     Record Mark: 121 bytes
>>>     Pvno: 5
>>>     MSG Type: KRB-ERROR (30)
>>>     stime: 2010-05-11 10:44:11 (UTC)
>>>     susec: 313474
>>>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>>>     Realm: DOMAIN.LOCAL
>>>     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>>>         Name-type: Service and Instance (2)
>>>         Name: HTTP
>>>         Name: squid3-proxy.domain.local
>>>
>>> On this client pc, it is a windows vista, I have different kerberos
>>> tickets: (as per kerbtray)
>>>
>>> DOMAIN.LOCAL
>>> |_ cifs/adserver1.domain.local
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ LDAP/adserver1.domin.local/domain.local
>>> |_ ProtectedStorage/adserver1.domain.local
>>>
>>> The encryption types are for all tickets:
>>> Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption
>>> type)
>>>
>>> The client principal is [hidden email]
>>>
>>>
>>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
>>> lookup of the requested site and then a reply from the adserver (also
>>> dns) with the ip of the site.
>>> I don't see any lookup of the proxy-server fqdn that is put as the
>>> connection proxy setting in the browser. (it is
>>> squid3-proxy.domain.local)
>>>
>>>
>>>
>>> Next, I tried to follow the requests on port 3128 tcp to the
>>> proxyserver:
>>>
>>> 1) the client requests a webpage to the proxyserver on port 3128: "GET
>>> http://www.google.be/ HTTP/1.1" (http protocol)
>>> 2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
>>> Required (text/html)"
>>> 3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
>>> NTLMSSP_NEGOTIATE"
>>>
>>> Between each point there is some tcp syn/ack/fin traffic which I can
>>> post if needed.
>>>
>>> The last 2 points are repeated a few times where the proxy requests
>>> authentication, expecting kerberos and the client responding with ntlm
>>> for some reason.
>>>
>>> In Firefox, it is the same as IE, proxy auth required followed by an
>>> ntlmssp_negotiate from the client.
>>>
>>>
>>>
>>> Why I don't get kerberos to work is a mystery to me as it seems to work
>>> in the domain itself when computers authenticate to get access to shares
>>> etc...
>>>
>>> Any clues welcome.
>>>
>>> thanks,
>>>
>>> Lieven
>>>
>>> --
>>>
>>> Please Visit us at V-ICT-OR shopt IT
>>> 25 May 2010 - De Montil - Affligem
>>>
>>> Lieven De Puysseleir
>>> BA N.V. - http://www.ba.be
>>> Dalemhof 28, 3000 Leuven
>>> tel: 0032 (0)16 29 80 45
>>>
>>
>>
>



Re: Re: squid_kerb_auth received type 1 NTLM token

Lieven-4
Dear Markus,

You have to be commended for your patience!!
Turns out that my keytab file was wrong all along due to a stupid
mistake from my side. (as to be expected :-/)
I did have the principal for the realm but not for the proxy server
itself. Thus the HTTP keytab was recreated with msktutil, this time
with correct principal information.
Now it works fine, I can see the clients authenticating in the cache.log

bottom line: my bad knowledge about kerberos made me look for the wrong
reasons.

thank you very much for your help.

Cheers !

Lieven

Markus Moeller wrote:

> Changing the name may not be enough. Delete the AD entry and the keytab
> and create a new entry with keytab.
>
> Regards
> Markus
>
> "Lieven" <[hidden email]> wrote in message
> news:[hidden email]...
>> That seems to clarify my problems. thank you.
>>
>> After the msktutil, I saw that a new computer object had been made in
>> the AD.
>> In adsiedit, I opened this squid3-proxy computer account and checked
>> its principalname service.
>> There was only "HTTP/domain.local" so I manually added
>> "HTTP/squid3-proxy.domain.local".
>> Then after I did a new webrequest via the proxyserver, I saw this
>> HTTP/squid3-proxy.domain.local service principal in kerbtray.
>> Only, it still pops up with an authentication request so I'm not yet
>> there.
>>
>> Anyway, tomorrow I'll have access to the local pc and a wireshark
>> trace will probably help me solve this further.
>>
>> thanks for all the effort already.
>>
>> cheers.
>> Lieven
>>
>>
>> Markus Moeller wrote:
>>> Hi Lieven,
>>>
>>> The problem seems to be the krb5kdc_err_s_principal_unknown error. If
>>> you took the capture earlier you should have seen a TGS REQ in wireshark
>>> for HTTP/squid3-proxy.domain.local and AD says it does not know anything
>>> about this principal.  Can you search AD to see if you have an entry with
>>> serviceprincipalname=HTTP/squid3-proxy.domain.local, using
>>> adsiedit.msc for example?
>>>
>>> If you had got a successful reply it would be a TGS REP and
>>> kerbtray would show
>>> DOMAIN.LOCAL
>>> |_ cifs/adserver1.domain.local
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ LDAP/adserver1.domin.local/domain.local
>>> |_ ProtectedStorage/adserver1.domain.local
>>> |_ HTTP/asquid3-proxy.domain.local/domain.local
>>>
>>>
>>> Regards
>>> Markus
>>>
>>> "lieven" <[hidden email]> wrote in message news:[hidden email]...
>>>> Hello again,
>>>>
>>>> This time, I got access to a pc in the AD domain.
>>>>
>>>> When I monitor for both udp and tcp port 88, there is krb communication
>>>> to be seen but it doesn't look right.
>>>> From AD server to client I see the following error:
>>>> krb5kdc_err_s_principal_unknown
>>>>
>>>> It looks like this: (only krb5 and some tcp lines)
>>>> 1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
>>>> 2. client -> server: AS-REQ
>>>> 3. server -> client: KRB Error: krb5kdc_err_preauth_required
>>>> 4. client -> server: AS-REQ
>>>> 5. server -> client: AS-REP
>>>> 6. client -> server: AS-REQ
>>>> 7. server -> client: KRB Error: krb5kdc_err_preauth_required
>>>> ...{4-7} X7
>>>>
>>>> This sequence, starting from 3, is repeated a few times, as many
>>>> times as I had to enter credentials in the IE popup.
>>>>
>>>> Here is a detail from the error packet principal unknown:
>>>> No.     Time        Source                Destination          
>>>> Protocol
>>>> Info
>>>>       6 0.009940    X.X.X.X          X.X.X.X          KRB5     KRB
>>>> Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>>>
>>>> Frame 6 (179 bytes on wire, 179 bytes captured)
>>>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
>>>> Dell_48:f3:90 (00:24:e8:48:f3:90)
>>>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>>>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
>>>> (65248), Seq: 1, Ack: 1660, Len: 125
>>>> Kerberos KRB-ERROR
>>>>     Record Mark: 121 bytes
>>>>     Pvno: 5
>>>>     MSG Type: KRB-ERROR (30)
>>>>     stime: 2010-05-11 10:44:11 (UTC)
>>>>     susec: 313474
>>>>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>>>>     Realm: DOMAIN.LOCAL
>>>>     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>>>>         Name-type: Service and Instance (2)
>>>>         Name: HTTP
>>>>         Name: squid3-proxy.domain.local
>>>>
>>>> On this client pc, it is a windows vista, I have different kerberos
>>>> tickets: (as per kerbtray)
>>>>
>>>> DOMAIN.LOCAL
>>>> |_ cifs/adserver1.domain.local
>>>> |_ krbtgt/DOMAIN.LOCAL
>>>> |_ krbtgt/DOMAIN.LOCAL
>>>> |_ LDAP/adserver1.domin.local/domain.local
>>>> |_ ProtectedStorage/adserver1.domain.local
>>>>
>>>> The encryption types are for all tickets:
>>>> Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption
>>>> type)
>>>>
>>>> The client principal is [hidden email]
>>>>
>>>>
>>>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
>>>> lookup of the requested site and then a reply from the adserver (also
>>>> dns) with the ip of the site.
>>>> I don't see any lookup of the proxy-server fqdn that is put as the
>>>> connection proxy setting in the browser. (it is
>>>> squid3-proxy.domain.local)
>>>>
>>>>
>>>>
>>>> Next, I tried to follow the requests on port 3128 tcp to the
>>>> proxyserver:
>>>>
>>>> 1) the client requests a webpage to the proxyserver on port 3128: "GET
>>>> http://www.google.be/ HTTP/1.1" (http protocol)
>>>> 2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
>>>> Required (text/html)"
>>>> 3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
>>>> NTLMSSP_NEGOTIATE"
>>>>
>>>> Between each point there is some tcp syn/ack/fin traffic which I can
>>>> post if needed.
>>>>
>>>> The last 2 points are repeated a few times where the proxy requests
>>>> authentication, expecting kerberos and the client responding with ntlm
>>>> for some reason.
>>>>
>>>> In Firefox, it is the same as IE, proxy auth required followed by an
>>>> ntlmssp_negotiate from the client.
>>>>
>>>>
>>>>
>>>> Why I don't get kerberos to work is a mystery to me as it seems to work
>>>> in the domain itself when computers authenticate to get access to
>>>> shares
>>>> etc...
>>>>
>>>> Any clues welcome.
>>>>
>>>> thanks,
>>>>
>>>> Lieven
>>>>
>>>> --
>>>>
>>>> Please Visit us at V-ICT-OR shopt IT
>>>> 25 May 2010 - De Montil - Affligem
>>>>
>>>> Lieven De Puysseleir
>>>> BA N.V. - http://www.ba.be
>>>> Dalemhof 28, 3000 Leuven
>>>> tel: 0032 (0)16 29 80 45
>>>>
>>>
>>>
>>
>
>
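The root cause of this thread, as an added check that is not part of the original posts: a Python script that parses `klist -kt` output and reports whether the keytab holds the SPN a browser will request for the proxy FQDN it is configured with (here HTTP/squid3-proxy.domain.local, not just HTTP/domain.local). The klist samples are constructed, and `check_keytab_file` is a hypothetical wrapper around MIT klist that needs the krb5 tools installed.

```python
"""Check that a keytab holds the SPN a Negotiate client will request.

Thread root cause: the keytab only held HTTP/domain.local, but the browser,
configured with proxy squid3-proxy.domain.local, asked the KDC for
HTTP/squid3-proxy.domain.local, got KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and
fell back to an NTLM type 1 token, which squid_kerb_auth rejects.
"""
import re
import subprocess

# Constructed samples in the layout of MIT Kerberos `klist -kt <keytab>`.
# BROKEN: realm-wide SPN only, as the keytab was first built in the thread.
BROKEN_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------
   2 05/05/10 20:58:12 HTTP/domain.local@DOMAIN.LOCAL
   2 05/05/10 20:58:12 HTTP/domain.local@DOMAIN.LOCAL
"""
# FIXED: keytab recreated with the proxy's own FQDN in the SPN as well.
FIXED_KLIST_OUTPUT = BROKEN_KLIST_OUTPUT + """\
   3 05/12/10 09:10:05 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL
   3 05/12/10 09:10:05 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL
"""

# One keytab entry: KVNO, date, time, principal@REALM.
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")

def keytab_principals(klist_output):
    """Set of principal names listed in `klist -kt` output."""
    matches = (ENTRY_RE.match(line) for line in klist_output.splitlines())
    return {m.group(1) for m in matches if m}

def expected_spn(proxy_fqdn, realm, service="HTTP"):
    """SPN a browser requests for the proxy host name it is configured with."""
    return f"{service}/{proxy_fqdn.lower()}@{realm.upper()}"

def missing_spns(klist_output, proxy_fqdn, realm):
    """SPNs the client will ask for that this keytab cannot serve (case-insensitive)."""
    have = {p.lower() for p in keytab_principals(klist_output)}
    wanted = [expected_spn(proxy_fqdn, realm)]
    return [spn for spn in wanted if spn.lower() not in have]

def check_keytab_file(keytab_path, proxy_fqdn, realm):
    """Run MIT klist on a real keytab (hypothetical helper; needs krb5 tools)."""
    out = subprocess.run(["klist", "-kt", keytab_path],
                         capture_output=True, text=True, check=True).stdout
    return missing_spns(out, proxy_fqdn, realm)
```

A non-empty result is the keytab-side signature of the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN seen in the capture; the AD side still needs the same SPN on the computer object, as Markus points out.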