"Aleksandar Ciric" <aciric79_at_yahoo.com> wrote in message
news:353393.71638.qm_at_web114210.mail.gq1.yahoo.com...
> Hello,
>
> I have a Gentoo server with 3.1.6 Squid. I have setup Kerberos
> authentication with our AD server that works correctly when accessed from
> domain member computer.
> However when I access it from (fully updated) Windows XP computer that is
> not a member of a domain I get a prompt in IE8, I fill the prompt but have
> to acknowledge it 3 time in a row until I am granted access. Wireshark
> shows that IE8 successfully goes through AS-REQ/AS-REP TGS-REQ/TGS-REP on
> each prompt acknowledgement. It sends same ticket (according to version
> number) along with GET request but is let through only on 3rd attempt.
>
> Chrome behaves a bit differently, it goes through AS-REQ/AS-REP
> TGS-REQ/TGS-REP only once, but only upon hitting refresh 3rd time (on 3rd
> GET) it gets through (as with IE, it does send ticket on first 2 GETs
> too).
>
It looks like Chrome caches the credentials.
What does the log say ? Does IE/Chrome request the same page three times ?
Can you check what squid is returning to the client (e.g. is there an
Proxy-Authorization with a token returned )?
> Firefox does't even get to try it, it as other browsers tries NTLM on
> startup but gives up upon failure and doesn't switch to Kerberos, however
> it works fine when user is logged in with domain credentials.
>
> I have similar working test setup on Fedora 10, with 3.0.22 Squid and
> there is no such behavior noticed, so it cant be the clients fault. (same
> config setting both for Kerberos and Squid, same AD). It actually runs on
> my desktop machine while Gentoo one is VM on VmWare Infrastructure. Both
> machines are similar specs, VM one being even faster (3ghz XEON with 2GB
> RAM).
> I am puzzled as to what might be reason for this behavior, any help would
> be more than welcome?
>
What does squid return to the client in this case ? Also a
Proxy-Authorization with a token ?
> Cira
>
>
>
>
>
Received on Tue Sep 21 2010 - 19:13:58 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 22 2010 - 12:00:04 MDT