Markus
After further investigation using gdb I have been able to determine the
problem is caused by a particular combination of encryption and checksum
types which seems to only occur (at this stage) in Windows 2008 R2 and
possibly Windows 7 although I have not confirmed this.
In my Windows 2008 R2 environment (including Active Directory, running in
Windows 2003 mode rather than Windows 2008), the keytab which I created for
squid using msktutil (with enctypes = 28) gave me keys encrypted with ArcFour
with HMAC/md5, AES-128 CTS mode with 96-bit SHA-1 HMAC and AES-256 CTS mode
with 96-bit SHA-1 HMAC.
The problem lies with the Kerberos libraries installed with Ubuntu 10.04 LTS
(1.8.1+dfsg-2ubuntu0.3). They return an error when working with AES-256 and
the checksum encryption type ArcFour with HMAC/md5. This has been reported
on the MIT Kerberos developers list
(http://mailmain.mit.edu/pipermail/krbdev/2010-July/009148.html) and assigned
ticket 6751. This has been resolved and included in the MIT Kerberos 1.8.3
release. However, it does not appear to have been backported to Ubuntu 10.04
LTS yet.
I compiled the MIT Kerberos 1.8.3 source and re-built squid_kerb_auth against
these libraries and the problem no longer occurs ie. A domain user logged
into a Windows 2008 R2 server can authenticate using Kerberos in IE8.
Kerberos authentication continues to work with IE8 and Firefox in Windows XP
for domain users.
I greatly appreciate the assistance of Markus Moeller in resolving this.
Without his guidance and suggestions it would have taken me a lot longer to
nail down the problem.
Hopefully this information will be of some use to others.
Regards
Paul
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Sunday, 31 October 2010 6:45 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> My tests show the same. RC4 works but AES 128/256 fail. It seems to
> be
> some incompatibility between MS and MIT/Heimdal Kerberos libraries
> introduces in R2
>
> Markus
>
> "DmitrySh" <sbros_v_at_inbox.lv> wrote in message
> news:1288361044027-3019158.post_at_n4.nabble.com...
> >
> > I solve the problem on Win7 (temporary)
> > I set RC4-HMAC type for kerberos transactions in Local Security
> Policy
> > http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
> > Now both keys on client machine are in RC4-HMAC type (krbtgt and
> > HTTP/fqdn_of_proxy)
> > That's help in my case.
> > Sounds not so good if this be AES256, but i think it's before of
> mixed
> > mode
> > of AD (2003 and 2008).
> > Try to communicate with microsoft about this.
> > P.S. Sorry for my english :)
> >
> > Regards,
> > Dmitry
> > --
> > View this message in context:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-
> using-squid-kerb-auth-with-Internet-Explorer-8-on-Windows-Server-2008-
> R2-tp3013070p3019158.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
> >
>
>
>
>
> __________ Information from ESET Smart Security, version of virus
> signature database 5586 (20101102) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
__________ Information from ESET Smart Security, version of virus signature
database 5589 (20101103) __________
The message was checked by ESET Smart Security.
http://www.eset.com
Received on Wed Nov 03 2010 - 21:50:39 MDT
This archive was generated by hypermail 2.2.0 : Thu Nov 04 2010 - 12:00:01 MDT