[squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

From: Paul Freeman <paul.freeman_at_eml.com.au>
Date: Tue, 26 Oct 2010 13:56:55 +1100

Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is
working well and successfully authenticates Windows domain users when they
are logged in using their domain credentials on Windows XP workstations using
Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the
second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a
server running Windows Server 2008 R2. The IE8 enhanced security mode is
disabled and the logged in user is a standard domain user. The Windows
server is joined to the domain and is not a domain controller. The Windows
server is up to date with Microsoft patches and updates.

Authentication is failing for some reason. Instead of authenticating
silently, the user is prompted for a username and password 6 times before
receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error
returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure.
Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
the 64-bit version of IE8 or some unusual interaction between the IE8 version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on
Windows Server 2008 R2 and the proxy server during authentication and would
like to assist with investigating the problem further if someone can provide
some advice as to where to look.

Regards

Paul
Received on Tue Oct 26 2010 - 02:56:48 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 28 2010 - 12:00:04 MDT