Hi Bilal,
Firstly, there is a difference between supporting IWA for web authentication
and IWA for proxy authentication. If I remember right, proxy authentication
with Negotiate is only available from IE 7 onwards.
Can you capture the traffic from your client on port 88 with Wireshark?
On a freshly started machine you should see a TGS (Ticket Granting Service)
request for HTTP/fqdn, where fqdn is the proxy's DNS name. Before the TGS
request you may also see AS (Authentication Service) requests.
There is also a Microsoft tool called kerbtray which can list and delete
tickets on the Windows client and thereby force a new TGS request.
Regards
Markus
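Markus's point (here, and in his earlier reply quoted below) is that the browser is sending NTLM where Kerberos was expected, and that the token itself tells you so. You can see that from the access-denied page without a packet capture. The following Python is an added example, not code from the thread, from Squid or from msktutil: it base64-decodes the value of a Proxy-Authorization: Negotiate header and reports whether it is a raw NTLMSSP message, a bare Kerberos GSS-API token, or a SPNEGO NegTokenInit, and for SPNEGO lists the mechanisms offered. The NTLM token is the one from Bilal's ERR_CACHE_ACCESS_DENIED report; the SPNEGO sample is constructed inside the code (mechTypes only, no mechToken) to show what a Kerberos-capable client sends. OID values and the NTLM message layout are from the public SPNEGO and NTLMSSP specifications.

```python
"""Classify the token in a 'Proxy-Authorization: Negotiate <base64>' header.

Added example for the squid-users thread above, not code from Squid or from
the posters. squid_kerb_auth only handles GSS-API tokens carrying Kerberos;
a raw NTLMSSP blob, as in Bilal's report, is refused with a 407.
"""
import base64
import struct

# DER contents octets of the mechanism OIDs seen in Negotiate tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft legacy)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {
    KRB5_OID: "Kerberos V5",
    MS_KRB5_OID: "MS Kerberos V5 (legacy OID)",
    NTLMSSP_OID: "NTLMSSP",
}

# The token from the ERR_CACHE_ACCESS_DENIED report in the thread (copied verbatim).
THREAD_NTLM_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, contents, position after the TLV) for the TLV at buf[pos]."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: the next (n & 0x7f) bytes hold the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def classify_negotiate_token(b64_token: str) -> dict:
    """Decode the header value and say what kind of token the client sent."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Raw NTLM: 8-byte signature, then little-endian MessageType (1, 2 or 3).
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"kind": "NTLM", "ntlm_message_type": msg_type, "mechs": ["NTLMSSP"]}
    if raw[:1] != b"\x60":  # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, body, _ = read_tlv(raw, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    if oid != SPNEGO_OID:
        # Bare mechanism token, e.g. a Kerberos AP-REQ without the SPNEGO wrapper.
        return {"kind": "GSS-API", "mechs": [OID_NAMES.get(oid, "OID " + oid.hex())]}
    # SPNEGO: negTokenInit [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    _, neg_init, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(neg_init, 0)
    mtag, mech_types, _ = read_tlv(seq, 0)
    mechs = []
    if mtag == 0xA0:
        _, oid_list, _ = read_tlv(mech_types, 0)
        p = 0
        while p < len(oid_list):
            _, v, p = read_tlv(oid_list, p)
            mechs.append(OID_NAMES.get(v, "OID " + v.hex()))
    return {"kind": "SPNEGO", "mechs": mechs}


def kerberos_offered(result: dict) -> bool:
    """True if a Kerberos-only acceptor such as squid_kerb_auth has something to
    work with: a bare Kerberos token, or SPNEGO whose preferred (first) mech is Kerberos."""
    if result["kind"] in ("GSS-API", "SPNEGO"):
        return bool(result["mechs"]) and "Kerberos" in result["mechs"][0]
    return False


def build_spnego_init(mech_oids) -> bytes:
    """Constructed sample: a NegTokenInit carrying only mechTypes (no mechToken)."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    neg_token_init = der(0xA0, der(0x30, mech_types))
    return der(0x60, der(0x06, SPNEGO_OID) + neg_token_init)


# What a Kerberos-capable Windows client offers, as a constructed sample.
SAMPLE_SPNEGO_B64 = base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()

if __name__ == "__main__":
    for label, tok in (("thread", THREAD_NTLM_TOKEN), ("sample", SAMPLE_SPNEGO_B64)):
        r = classify_negotiate_token(tok)
        print(label, r, "kerberos_offered:", kerberos_offered(r))
```

Run it and the thread's token comes back as NTLM message type 1 (a Negotiate message, i.e. the client never even tried Kerberos for this request), which is exactly what squid_kerb_auth rejects; the constructed SPNEGO sample comes back with Kerberos listed first. Once the SPN and DNS issues discussed in the thread are fixed, pasting the new Proxy-Authorization value into this script is a quick way to confirm the client has switched to Kerberos.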
"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w179C7D9F5EE51C47C1E816B90E0_at_phx.gbl...
Markus,
Now what to do about this behaviour of the browser, though I have confirmed
that Windows Integrated Authentication is checked. The IE version can do
Kerberos. The DNS name is given as the proxy. The only missing thing is the DNS
reverse lookup settings on my Domain Controller/DNS. Checked on two clients. I have a
virtual environment made on VMware.
How to move forward from here?
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Fri, 16 Apr 2010 15:18:27 +0100
> Subject: [squid-users] Re: Re: Re: Creating a kerberos Service Principal.
>
> Hi Bilal,
>
> In your case the browser is returning an NTLM token, not a Kerberos token,
> which is why squid_kerb_auth will deny access.
>
> Regards
> Markus
>
> "GIGO ." <gigoz_at_msn.com> wrote in message
> news:SNT134-w155DE8E05828B08D15C09AB90E0_at_phx.gbl...
>
> Dear Nick,
>
> This was the result of my klist -k command:
>
> [root@squidLhrTest log]# klist -k /etc/squid/HTTP.keytab
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/vdc.v.com.pk@V.COM.PK
>    2 HTTP/vdc.v.com.pk@V.COM.PK
>    2 HTTP/vdc.v.com.pk@V.COM.PK
> ---------------------------------------
>
> I recreated the SPN as follows in my new lab (the domain controller name is
> now vdc.v.local and the proxy name is squidLhrTest):
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.local -h squidLhrTest.v.local \
>     -k /etc/squid/HTTP.keytab --computer-name squid-http \
>     --upn HTTP/squidLhrTest.v.local --server vdc.v.local --verbose
>
> However, whenever a client tries to access the internet, this error appears:
>
> CacheHost: squidLhrTest
> ErrPage: ERR_CACHE_ACCESS_DENIED
> Err: [none]
> TimeStamp: Fri, 16 Apr 2010 10:43:51 GMT
> ClientIP: 10.1.82.54
> HTTP Request:
> GET /isapi/redir.dll?prd=ie&ar=hotmail HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
> application/x-shockwave-flash, */*
> Accept-Language: en-us
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
> Trident/4.0)
> Accept-Encoding: gzip, deflate
> Proxy-Connection: Keep-Alive
> Host: www.microsoft.com
> Proxy-Authorization: Negotiate
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>
> Thank you so much for your consideration, Nick. Yes, despite lots of
> effort I am not able to get this thing to work and am frustrated now.....
> However, in the journey at least I have learnt many things :)
>
> regards,
>
> Bilal Aslam
>
>> From: Nick.Cairncross_at_condenast.co.uk
>> To: gigoz_at_msn.com
>> Date: Fri, 16 Apr 2010 09:39:11 +0100
>> Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>
>> Bilal,
>>
>> I understand your frustration! First off: what happens when you run
>> klist -k /etc/squid/HTTP.keytab ?
>> As I understand it, shouldn't you be specifying the SPN as
>> HTTP/yoursquidproxy and not your DC? You want to be able to authenticate
>> from the squid proxy, using the HTTP service to the squid-http computer
>> account.
>>
>> Nick
>>
>> On 16/04/2010 08:43, "GIGO ." wrote:
>>
>> Dear Nick/Markus,
>>
>> I am totally lost in translation and am not sure what to do; I need your
>> help please. The problem is that my Kerberos authentication is not
>> working. In my virtual environment I have two machines, one configured as
>> Domain Controller and the other one as Squid proxy. I am trying to use the
>> internet from my domain controller (Internet Explorer 7, and the DNS name is
>> given instead of the IP). However, it only pops up an authentication window
>> and never works like it should.
>>
>> I have setup the squid authentication as follows:
>>
>> Steps:
>>
>> I copied the squid_kerb_auth files to the correct directory. (SELinux is
>> enabled.)
>>
>> cp -r squid_kerb_auth /usr/libexec/squid/
>>
>> I then installed the msktutil software.
>>
>> Step 1: I changed my krb5.conf file as follows:
>>
>> ------------------------krb5.conf-----------------------------------------------------------------------------
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = V.COM.PK
>> dns_lookup_realm = no
>> dns_lookup_kdc = no
>> ticket_lifetime = 24h
>> forwardable = yes
>> default_keytab_name= /etc/krb5.keytab
>> ; for windows 2003
>> default_tgs_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
>> [realms]
>> V.LOCAL = {
>> kdc = vdc.v.com.pk:88
>> admin_server = vdc.v.com.pk:749
>> default_domain = v.com.pk
>> }
>> [domain_realm]
>> .linux.home = V.COM.PK
>> .v.com.pk=V.COM.PK
>> v.local=V.COM.PK
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> Step 2: I verified the settings in resolv.conf & the hosts file
>> ------------------/etc/resolv.conf---------------------------------------
>> nameserver 10.1.82.51 (my domain controller and DNS)
>>
>> ------------------------/etc/hosts file----------------------------------------
>> 127.0.0.1 squidLhrTest localhost.localdomain localhost
>> 10.1.82.52 squidLhrTest.v.com.pk
>> ::1 localhost6.localdomain6 localhost6
>> -------------------------------------------------------------------------------
>>
>>
>> Step 3:
>> I created the keytab as follows:
>> kinit administrator@V.LOCAL
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk \
>>     -k /etc/squid/HTTP.keytab --computer-name squid-http \
>>     --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
>>
>> Output of my command:
>>
>> [root@squidLhrTest msktutil-0.3.16]# msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.com.pk \
>>     -h squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name squid-http \
>>     --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
>> -- init_password: Wiping the computer password structure
>> -- finalize_exec: Determining user principal name
>> -- finalize_exec: User Principal Name is: HTTP/vdc.v.com.pk@V.COM.PK
>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>> /tmp/.mskt-9130krb5.conf
>> -- get_krb5_context: Creating Kerberos Context
>> -- try_machine_keytab: Using the local credential cache:
>> /tmp/.mskt-9130krb5_ccache
>> -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not
>> found
>> in Kerberos database)
>> -- try_machine_keytab: Unable to authenticate using the local keytab
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
>> SASL/GSSAPI authentication started
>> SASL username: Administrator@V.COM.PK
>> SASL SSF: 56
>> SASL installing layers
>> -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=com,dc=pk
>> -- get_short_hostname: Determined short hostname: squidLhrTest
>> -- finalize_exec: SAM Account Name is: squid-http$
>> Updating all entries for squidLhrTest.v.com.pk in the keytab
>> /etc/squid/HTTP.keytab
>> -- try_set_password: Attempting to reset computer's password
>> -- ldap_check_account: Checking that a computer account for squid-http$
>> exists
>> No computer account for squid-http found, creating a new one.
>> -- ldap_check_account_strings: Inspecting (and updating) computer account
>> attributes
>> -- get_user_principal: Obtaining Principal for the executing user
>> -- generate_new_password: Generating a new, random password for the
>> computer account
>> -- try_set_password: krb5_get_init_creds_keytab failed (No such file or
>> directory)
>> -- try_set_password: Attempting to reset computer's password
>> -- ldap_check_account: Checking that a computer account for squid-http$
>> exists
>> -- ldap_check_account: Checking computer account found
>> -- ldap_check_account_strings: Inspecting (and updating) computer account
>> attributes
>> -- get_user_principal: Obtaining Principal for the executing user
>> -- generate_new_password: Generating a new, random password for the
>> computer account
>> -- ldap_get_pwdLastSet: pwdLastSet is 0
>> -- ldap_get_pwdLastSet: pwdLastSet is 129158200838811250
>> -- try_set_password: Successfully reset computer's password
>> -- update_keytab: Updating all entires for squidLhrTest
>> -- ldap_list_principals: Listing principals for LDAP entry
>> -- ldap_list_principals: Found Principal: HTTP/vdc.v.com.pk
>> -- ldap_add_principal: Checking that adding principal HTTP/vdc.v.com.pk
>> to
>> squidLhrTest won't cause a conflict
>> -- ldap_add_principal: Adding principal HTTP/vdc.v.com.pk to LDAP entry
>> -- add_principal: Adding principal to keytab: HTTP/vdc.v.com.pk
>> -- ldap_get_kvno: KVNO is 2
>> -- ldap_get_des_bit: Determined DES-only flag is 0
>> -- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
>> -- add_principal: Adding entry of enctype 0x1
>> -- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
>> -- add_principal: Adding entry of enctype 0x3
>> -- add_principal: Using salt of V.COM.PKHTTPvdc.v.com.pk
>> -- add_principal: Adding entry of enctype 0x17
>> -- krb5_cleanup: Destroying Kerberos Context
>> -- ldap_cleanup: Disconnecting from LDAP server
>> -- init_password: Wiping the computer password structure
>> [root@squidLhrTest msktutil-0.3.16]#
>>
>> I assigned the proper permissions to the keytab file that i have created.
>> chown proxy /etc/squid/HTTP.keytab
>> chmod 400 /etc/squid/HTTP.keytab
>>
>> Step 4:
>> I changed my squid.conf to include the following lines
>>
>> My squid.conf lines:
>> ------------------------------------------squid.conf---------------------------------------------------------------------
>> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> #http_access allow all
>> acl auth proxy_auth REQUIRED
>> http_access deny !auth
>> http_access allow auth
>> http_access deny all
>>
>> I ran these commands from the shell as well:
>>
>> KRB5_KTNAME=/etc/squid/HTTP.keytab
>> export KRB5_KTNAME
>> KRB5RCACHETYPE=none
>> export KRB5RCACHETYPE
>>
>> Squid started with no errors at all. However, when I tried to use the internet
>> from my Domain Controller itself, only popup windows appear, without ever
>> being able to get through......
>> ------------------------------------------Access.log-------------------------------------------------------------------
>> 1271402564.794 0 10.1.82.51 TCP_DENIED/407 2352 GET
>> http://www.yahoo.com/ - NONE/- text/html
>> 1271402586.850 0 10.1.82.51 TCP_DENIED/407 2352 GET
>> http://www.yahoo.com/ - NONE/- text/html
>> 1271402601.448 0 10.1.82.51 TCP_DENIED/407 2352 GET
>> http://www.yahoo.com/ - NONE/- text/html
>> 1271402602.093 0 10.1.82.51 TCP_DENIED/407 2352 GET
>> http://www.yahoo.com/ - NONE/- text/html
>>
>> Thanks for the support given earlier and in advance.
>>
>> regards,
>>
>> Bilal Aslam
Received on Sat Apr 17 2010 - 10:51:24 MDT