RE: [squid-users] Re: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

From: Paul Freeman <paul.freeman_at_eml.com.au>
Date: Wed, 27 Oct 2010 08:24:52 +1100

Markus
Don't worry about asking too many questions - I am happy to answer.
Generally questions will lead to some sort of answer or at least a greater
understanding of the problem.

I just sent a reply to Nick's email and in that I mention the difference
between encryption types for Kerberos tickets on Win XP and Win 2008 R2. I
suspect this is the problem - in particular AES-256 encryption.

I have checked on the Windows 2008 R2 servers and cannot see the patch 951191
installed. Reading up on the Microsoft site about this patch, it seems it
only applies to Windows 2008 (32-bit and 64-bit) rather than Windows 2008 R2.

Unfortunately, I don't have a Win 7 workstation to try.

Regards

Paul
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Wednesday, 27 October 2010 7:38 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Re: Authentication using squid_kerb_auth
> with Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Did you install http://support.microsoft.com/kb/951191 onto your 2008 AD
> server (it did not work in my case without this patch)?
>
> If it is not related to the above, do you know if your 2008 server tries to
> use AES encryption (check the exchange between your 2008 server and AD on
> port 88)?
>
> Do you have any Windows 7 clients too? Do they work?
>
> Sorry for that many questions.
>
> Regards
> Markus
>
>
> "Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> news:19672EECFB9AE340833C84F3E90B5956043780EE_at_mel-ex-01.eml.local...
> Hi Markus
> My AD servers (I have 2) are both Windows 2008 R2. AD is running at the 2003
> functional level. The AD environment is the same one that is working OK with
> Squid and Kerberos authentication for Windows XP workstations running IE8.
>
> Regards
>
> Paul
>
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > Sent: Wednesday, 27 October 2010 5:09 AM
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> > Hi Paul,
> >
> > Is your AD server 2003 or 2008?
> >
> > Markus
> >
> > "Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> > news:19672EECFB9AE340833C84F3E90B5956042A4932_at_mel-ex-01.eml.local...
> > Hi.
> > I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
> > Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is
> > working well and successfully authenticates Windows domain users when they
> > are logged in using their domain credentials on Windows XP workstations using
> > Internet Explorer (v6, 7 and 8) and Firefox.
> >
> > Squid is configured with two helpers, the first, squid_kerb_auth and the
> > second, the Samba ntlm helper.
> >
> > However, today I came across a problem when using Internet Explorer 8 on a
> > server running Windows Server 2008 R2. The IE8 enhanced security mode is
> > disabled and the logged in user is a standard domain user. The Windows
> > server is joined to the domain and is not a domain controller. The Windows
> > server is up to date with Microsoft patches and updates.
> >
> > Authentication is failing for some reason. Instead of authenticating
> > silently, the user is prompted for a username and password 6 times before
> > receiving the Cache Access Denied message.
> >
> > If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> > leaving only the Samba NTLM helper, authentication works successfully.
> >
> > In cache.log I find:
> > squid_kerb_auth: DEBUG: Got 'YR YII...
> > squid_kerb_auth: DEBUG: Decode 'YII...
> > squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> > squid_kerb_auth: INFO: User not authenticated
> > authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
> >
> > Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
> > the 64-bit version of IE8 or some unusual interaction between the IE8 version
> > shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
> >
> > I have a Wireshark capture of the traffic between the browser session on
> > Windows Server 2008 R2 and the proxy server during authentication and would
> > like to assist with investigating the problem further if someone can provide
> > some advice as to where to look.
> >
> > Regards
> >
> > Paul
> >
>
>
Received on Tue Oct 26 2010 - 21:24:40 MDT
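
The thread's working suspicion is a difference in Kerberos ticket encryption types, AES-256 in particular; one check on the proxy side is to list which encryption types the helper's keytab actually holds keys for. The following is an added example, not part of the original thread or of Squid: it parses the MIT keytab file format (version 0x0502) and reports wanted encryption types that have no key for a service principal. It assumes the helper reads such a keytab; the principal `HTTP/proxy.example.com`, the realm and the `SAMPLE` bytes are constructed for illustration.

```python
import struct

# Kerberos enctype numbers; 18 is the AES-256 type, 23 is RC4-HMAC.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _entry(buf):
    """Decode one keytab entry into (principal, kvno, enctype)."""
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    names, off = [], 2
    for _ in range(ncomp + 1):  # realm first, then the name components
        (n,) = struct.unpack_from(">H", buf, off)
        names.append(buf[off + 2:off + 2 + n].decode())
        off += 2 + n
    # name type, timestamp, 8-bit kvno, key type, key length
    _nt, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    off += 13 + klen
    if len(buf) - off >= 4:  # optional 32-bit kvno replaces the 8-bit one
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return "/".join(names[1:]) + "@" + names[0], kvno, etype

def parse_keytab(data):
    """List (principal, kvno, enctype) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if pos + abs(size) > len(data):
            raise ValueError("truncated keytab entry")
        if size > 0:  # a negative size marks a deleted slot of -size bytes
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def missing_etypes(entries, service, wanted=(18,)):
    """Names of wanted enctypes for which `service` has no key."""
    have = {e for p, _k, e in entries if p.split("@")[0] == service}
    return [ETYPES.get(e, str(e)) for e in wanted if e not in have]

def sample_entry(service, realm, kvno, etype, keylen):  # builds constructed data
    names = [realm.encode()] + service.encode().split(b"/")
    body = struct.pack(">H", len(names) - 1)
    body += b"".join(struct.pack(">H", len(n)) + n for n in names)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, keylen) + bytes(keylen)
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + sample_entry("host/proxy.example.com", "EXAMPLE.COM", 3, 18, 32)
          + sample_entry("HTTP/proxy.example.com", "EXAMPLE.COM", 3, 23, 16))  # constructed
```
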

This archive was generated by hypermail 2.2.0 : Wed Oct 27 2010 - 12:00:05 MDT