Markus
In our current setup, no WINS server is being provided to workstations
obtaining an IP address via DHCP.
I am finding that Firefox is actually failing at step 3. It is not prompting
for a username and password. Unlike IE which is.
Thanks
Paul
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Thursday, 9 September 2010 6:01 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Re: Squid 3.0 STABLE 19 and SPNEGO with
> Windows Firefox 3.6.3
>
>
> Hi Paul,
>
> Does your environment provide WINS server details via DHCP to the
> desktops
> ? I think in theory it should work as follows:
>
> 1) User connects to proxy which requests negotiate
> 2) The browser does not have any tickets and has not joined a domain
> to
> use NTLM so prompts the user
> 3) The user provides user_at_DOMAIN and password
> 4) Desktop tries to find Kerberos kdc locally using NetBIOS or with
> WINS
> 5) Desktop will send AS-REQ to kdc
> 6) Desktop will send TGS-REQ to kdc
> 7) Browser will send token to squid.
>
> This would mean that Firefox does have a problem at step 4) and
> creates
> an NTLM token for DESKTOP\User
>
> Markus
>
> "Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> news:19672EECFB9AE340833C84F3E90B595604014268_at_mel-ex-01.eml.local...
> Markus
> I will try and answer your questions in-line below. Please let me know
> if
> there is any other information or testing you would like me to do.
>
> I appreciate your assistance.
>
> Regards
>
> Paul
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > Sent: Wednesday, 8 September 2010 4:54 AM
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with
> Windows
> > Firefox 3.6.3
> >
> > Hi Paul,
> >
> > >"Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> > >news:19672EECFB9AE340833C84F3E90B595604014244_at_mel-ex-01.eml.local...
> > >Hi
> > >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
> > >(non-transparent) proxy server for a number of Windows workstations
> in
> > an
> > >Active Directory environment using W2K8R2 domain controller servers
> > running
> > >in W2K3 functional mode.
> > >
> > >I have implemented suthenitcation in Squid using the squid_kerb_auth
> > module
> > >from Markus Moeller. Authentication is working fine for users
> logging
> > in
> > >using domain credentials on domain registered workstations using
> both
> > IE7
> > >and
> > >8 on Windows XP and Firefox 3.6.3.
> > >
> > >However, I would like to allow the occasional non-domain user to
> have
> > >internet access via Squid and so it would be helpful for a login
> > dialog box
> > >to be presented. When IE 7 and 8 are used, this occurs and
> > authentication
> > >is
> > >successful. However, with Firefox it does not and an error is
> > returned by
> > >Squid - Access Denied.
> > >
> > >Looking at some packet dumps between the Windows workstation and
> Squid
> > >shows
> > >that Firefox tries a few times to auth then gives up. Enabling
> > logging in
> > >Firefox reveals Firefox responds similarly to IE with a GET request
> > with a
> > >Proxy-Authorization: Negotiate ..... header. In the Squid cache log
> > it
> > >indicates:
> > >
> > >squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
> > >squid_kerb_auth: received type 1 NTLM token
> > >
> > >However, unlike IE, it then gives up whereas IE then initiates a
> KRB5
> > >AS-REQ
> > >to a domain controller then gets a ticket and then contacts Squid
> > again at
> > >which point it authenticates.
> > >
> >
> > I would like to know some more details here. Do you also see a KRB5
> > AS-REQ
> > at any time before ? Can you use kerbtray from MS and list Kerberos
> > tickets
> > for the non domain user ?
> >
>
> I have watched the traffic from prior to launching Firefox to the end
> of the
> Firefox session. I have not seen any Kerberos related traffic from the
> Windows client.
>
> I have the MS Kerberos tools installed and kerbtray does not show any
> tickets
> - Client Principal field says "No network credentials".
>
> Strangely (maybe not???), there are also no tickets shown even while
> successfully using IE as a non-domain user.
>
> >
> > >In the Firefox log, just before the GET request, it shows:
> > >
> > >service = fqdn.of.squid.proxy
> > >using negotiate-sspi
> > >using SPN of [HTTP/fqdn.of.squid.proxy]]
> > >AcquireCredentailsHandle() succeeded
> > >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2()
> [challenge=Negotiate]
> > >entering nsAuthSSPI::GetNextToken()
> > >InitializeSecurityContext: continue
> > >Sending a token of length 40
> > >
> > >Then after sending the GET request and receiving the Squid 407
> > response it
> > >shows:
> > >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2()
> [challenge=Negotiate]
> > >entering nsAuthSSPI::GetNextToken()
> > >Cannot restart authentication sequence!
> > >
> >
> > Does Firefox work after you used IE ? e.g. does IE cache credentials
> > which
> > can be used by Firefox ?
> >
>
> Firefox does not work after using IE or even while IE is still running
> as a
> non-domain user.
>
> > Do you see any Kerberos traffic ? Do you see DNS SRV requests to
> > determine
> > the kdc ?
> >
>
> I have not seen any Kerberos related traffic or DNS SRV requests on the
> client when Firefox is running.
>
> >
> > >Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close
> > response in
> > >response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
> > >
> > >I am puzzled as to whether Squid, Firefox or IE is behaving as one
> > would
> > >expect given the scenario?
> > >
> > >Does anyone have any ideas?
> > >
> > >If Squid and Firefox are behaving correctly but IE is doing a
> > workaround
> > >then
> > >that is OK and I will need to live with the situation.
> > >
> > >I am happy to perform additional debug work to investigate the
> problem
> > >further.
> > >
> > >I have tried various settings in the Firefox about:config -
> > >network.negotiate-auth.trusted-uris configuration item, and other
> > similar
> > >related settings mentioned in other posts but without success.
> > >
> > >Reading some Mozilla Dev postings over the last 12 months or so
> > indicate
> > >there have been some issues with NTLM and Kerberos in various
> versions
> > of
> > >Firefox but I think these have been addressed.
> > >
> > >Thanks in advance
> > >
> > >Paul Freeman
> > >
> > >
> > >__________ Information from ESET Smart Security, version of virus
> > signature
> > >database 5429 (20100906) __________
> > >
> > >The message was checked by ESET Smart Security.
> > >
> > >http://www.eset.com
> > >
> >
> > Markus
> >
> >
> >
> >
> > __________ Information from ESET Smart Security, version of virus
> > signature database 5429 (20100906) __________
> >
> > The message was checked by ESET Smart Security.
> >
> > http://www.eset.com
> >
>
>
> __________ Information from ESET Smart Security, version of virus
> signature
> database 5429 (20100906) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
>
>
>
> __________ Information from ESET Smart Security, version of virus
> signature database 5435 (20100908) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
__________ Information from ESET Smart Security, version of virus signature
database 5435 (20100908) __________
The message was checked by ESET Smart Security.
http://www.eset.com
Received on Wed Sep 08 2010 - 21:18:34 MDT
This archive was generated by hypermail 2.2.0 : Fri Sep 10 2010 - 12:00:04 MDT