Hi Paul,
Does your environment provide WINS server details via DHCP to the desktops
? I think in theory it should work as follows:
1) User connects to proxy which requests negotiate
2) The browser does not have any tickets and has not joined a domain to
use NTLM so prompts the user
3) The user provides user_at_DOMAIN and password
4) Desktop tries to find Kerberos kdc locally using NetBIOS or with WINS
5) Desktop will send AS-REQ to kdc
6) Desktop will send TGS-REQ to kdc
7) Browser will send token to squid.
This would mean that Firefox does have a problem at step 4) and creates
an NTLM token for DESKTOP\User
Markus
"Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
news:19672EECFB9AE340833C84F3E90B595604014268_at_mel-ex-01.eml.local...
Markus
I will try and answer your questions in-line below. Please let me know if
there is any other information or testing you would like me to do.
I appreciate your assistance.
Regards
Paul
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Wednesday, 8 September 2010 4:54 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows
> Firefox 3.6.3
>
> Hi Paul,
>
> >"Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> >news:19672EECFB9AE340833C84F3E90B595604014244_at_mel-ex-01.eml.local...
> >Hi
> >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
> >(non-transparent) proxy server for a number of Windows workstations in
> an
> >Active Directory environment using W2K8R2 domain controller servers
> running
> >in W2K3 functional mode.
> >
> >I have implemented suthenitcation in Squid using the squid_kerb_auth
> module
> >from Markus Moeller. Authentication is working fine for users logging
> in
> >using domain credentials on domain registered workstations using both
> IE7
> >and
> >8 on Windows XP and Firefox 3.6.3.
> >
> >However, I would like to allow the occasional non-domain user to have
> >internet access via Squid and so it would be helpful for a login
> dialog box
> >to be presented. When IE 7 and 8 are used, this occurs and
> authentication
> >is
> >successful. However, with Firefox it does not and an error is
> returned by
> >Squid - Access Denied.
> >
> >Looking at some packet dumps between the Windows workstation and Squid
> >shows
> >that Firefox tries a few times to auth then gives up. Enabling
> logging in
> >Firefox reveals Firefox responds similarly to IE with a GET request
> with a
> >Proxy-Authorization: Negotiate ..... header. In the Squid cache log
> it
> >indicates:
> >
> >squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
> >squid_kerb_auth: received type 1 NTLM token
> >
> >However, unlike IE, it then gives up whereas IE then initiates a KRB5
> >AS-REQ
> >to a domain controller then gets a ticket and then contacts Squid
> again at
> >which point it authenticates.
> >
>
> I would like to know some more details here. Do you also see a KRB5
> AS-REQ
> at any time before ? Can you use kerbtray from MS and list Kerberos
> tickets
> for the non domain user ?
>
I have watched the traffic from prior to launching Firefox to the end of the
Firefox session. I have not seen any Kerberos related traffic from the
Windows client.
I have the MS Kerberos tools installed and kerbtray does not show any
tickets
- Client Principal field says "No network credentials".
Strangely (maybe not???), there are also no tickets shown even while
successfully using IE as a non-domain user.
>
> >In the Firefox log, just before the GET request, it shows:
> >
> >service = fqdn.of.squid.proxy
> >using negotiate-sspi
> >using SPN of [HTTP/fqdn.of.squid.proxy]]
> >AcquireCredentailsHandle() succeeded
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >InitializeSecurityContext: continue
> >Sending a token of length 40
> >
> >Then after sending the GET request and receiving the Squid 407
> response it
> >shows:
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >Cannot restart authentication sequence!
> >
>
> Does Firefox work after you used IE ? e.g. does IE cache credentials
> which
> can be used by Firefox ?
>
Firefox does not work after using IE or even while IE is still running as a
non-domain user.
> Do you see any Kerberos traffic ? Do you see DNS SRV requests to
> determine
> the kdc ?
>
I have not seen any Kerberos related traffic or DNS SRV requests on the
client when Firefox is running.
>
> >Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close
> response in
> >response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
> >
> >I am puzzled as to whether Squid, Firefox or IE is behaving as one
> would
> >expect given the scenario?
> >
> >Does anyone have any ideas?
> >
> >If Squid and Firefox are behaving correctly but IE is doing a
> workaround
> >then
> >that is OK and I will need to live with the situation.
> >
> >I am happy to perform additional debug work to investigate the problem
> >further.
> >
> >I have tried various settings in the Firefox about:config -
> >network.negotiate-auth.trusted-uris configuration item, and other
> similar
> >related settings mentioned in other posts but without success.
> >
> >Reading some Mozilla Dev postings over the last 12 months or so
> indicate
> >there have been some issues with NTLM and Kerberos in various versions
> of
> >Firefox but I think these have been addressed.
> >
> >Thanks in advance
> >
> >Paul Freeman
> >
> >
> >__________ Information from ESET Smart Security, version of virus
> signature
> >database 5429 (20100906) __________
> >
> >The message was checked by ESET Smart Security.
> >
> >http://www.eset.com
> >
>
> Markus
>
>
>
>
> __________ Information from ESET Smart Security, version of virus
> signature database 5429 (20100906) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
__________ Information from ESET Smart Security, version of virus signature
database 5429 (20100906) __________
The message was checked by ESET Smart Security.
http://www.eset.com
Received on Wed Sep 08 2010 - 20:01:14 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 09 2010 - 12:00:02 MDT