Squid Kerberos/LDAP Active Directory only works on IE not on Firefox and chrome


Are you not interested in troubleshooting if and why Kerberos wasn't used? I am not a squid guy but it looks like the client failed to get a Kerberos ticket to access squid.

You can use klist.exe on the client to see if it indeed gets a ticket for the proxy. Perhaps IE does get a Kerberos ticket but Firefox/Chrome didn't?

Do a "klist purge" on client (or logoff/logon) before attempting to use IE (with proxy enabled). Check "klist tickets" after to see if you have a ticket for the proxy. If you take a simultaneous network trace you can see if it succeeded using that ticket to authenticate to proxy as we want to make sure squid decoded it. Else you can check squid logs to see if it reveals what auth the client used.

Repeat for firefox/chrome.

I would also bump up netlogon.log on the DCs (nltest /dbflag:2080ffff) to see if they report receiving an NTLM challenge/response from squid. Do you get a password prompt when using IE (with proxy)? Because if you don't, that implies Kerberos was used. As per http://blog.rafelo.com/2008/06/firefox-and-integrated-authentication.html it looks like there may be other Firefox/Chrome-related browser settings you may have failed to do? Disclaimer: I haven't ever configured Firefox/Chrome to do Windows integrated auth.
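As an added example (not part of the original answer or of squid itself), the script below reads the base64 token that squid_kerb_auth echoes into cache.log and reports whether the client actually sent an NTLM message or a SPNEGO/Kerberos token; run on the cache.log excerpt quoted in the question on this page, it identifies an NTLM type 1 (negotiate) message and the client version field it carries. The SPNEGO sample is a constructed, truncated header used only for contrast.

```python
import base64
import re
import struct

# Matches the squid_kerb_auth debug line that echoes the client's Negotiate token.
DECODE_RE = re.compile(r"squid_kerb_auth: DEBUG: Decode '([A-Za-z0-9+/=]+)'")

MECH_OIDS = {  # DER mechanism OIDs that open a GSS-API InitialContextToken (RFC 2743)
    bytes.fromhex("06062b0601050502"): "SPNEGO",      # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "KRB5",  # 1.2.840.113554.1.2.2
}

NTLM_FLAGS = {  # subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5) worth naming in triage
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION", 0x20000000: "128", 0x80000000: "56",
}

def classify_token(token_b64):
    """Return a dict saying which mechanism a base64 Negotiate token carries."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # NTLM message: MessageType and NegotiateFlags follow the 8-byte signature.
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mechanism": "NTLM", "ntlm_type": msg_type,
                "flags": sorted(n for b, n in NTLM_FLAGS.items() if flags & b)}
        if msg_type == 1 and flags & 0x02000000 and len(raw) >= 40:
            # NEGOTIATE_MESSAGE Version field sits at offset 32 (MS-NLMP 2.2.1.1).
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_os"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":
        # ASN.1 [APPLICATION 0] wrapper: the mechanism OID follows the length octets.
        for oid, name in MECH_OIDS.items():
            if oid in raw[:16]:
                return {"mechanism": name}
    return {"mechanism": "unknown"}

def scan_cache_log(lines):
    """Classify every Negotiate token that squid_kerb_auth logged in the given lines."""
    return [classify_token(m.group(1)) for m in map(DECODE_RE.search, lines) if m]

# Sample input: the cache.log lines quoted in the question on this page.
SAMPLE_LOG = """\
2011/08/16 00:45:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2011/08/16 00:45:41| squid_kerb_auth: WARNING: received type 1 NTLM token
"""
# Constructed, truncated SPNEGO header (tag, length, OID, start of NegTokenInit) for contrast.
CONSTRUCTED_SPNEGO_PREFIX = "YAoGBisGAQUFAqAA"
```

A Kerberos-capable browser sends a SPNEGO token wrapping an AP-REQ, so seeing NTLM here (a 5.1.2600 version field, i.e. a 5.1-series Windows client) confirms the browser never obtained or never offered a service ticket for the proxy.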


Author: Sam

Updated on September 18, 2022

Comments

  • Sam over 1 year

    I've set up a proxy using squid, with Kerberos/LDAP as authentication. I used this article as reference: http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter

    I tried using the proxy on IE and it works. But it won't work on Chrome and Firefox. (I'm not sure why it doesn't work on Chrome when in fact Chrome has the same network settings as IE.) After I enter my account details on IE, it works, but on Chrome and Firefox it's not accepting my username and password.

    On firefox, Automatic proxy configuration URL is http: // wpad . example . com /wpad.dat (I just used spaces so that it's not recognized as a link)

    network.negotiate-auth.trusted-uris is pointed to http: // example . com

    Here are the logs from cache.log:

    2011/08/16 00:45:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
    2011/08/16 00:45:41| squid_kerb_auth: WARNING: received type 1 NTLM token
    2011/08/16 00:45:41| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    

    access.log:

    1313469925.993      0 10.101.204.82 TCP_DENIED/407 4163 GET (I removed the site)- NONE/- text/html
    1313469941.280      0 10.101.204.82 TCP_DENIED/407 4163 GET (I removed the site)  - NONE/- text/html
    
    • ravi yarlagadda almost 13 years
      That's an NTLM phase 1 negotiation. Are you absolutely sure that that's being generated by Chrome or Firefox? Seems more likely to be IE trying an authentication method that doesn't work before succeeding.
    • Sam almost 13 years
      Yes, now I turned off the proxy on IE. Then tried it again on Firefox (since Chrome has the same settings as IE); the same message appeared. After keying in my user and pass, nothing happens.
  • Sam almost 13 years
    "Do you get password prompt when using IE (with proxy)?" Yes, so I guess that means kerberos wasn't used. Thanks for the reply, I'll look into this.
  • Sam almost 13 years
    I tried to do the klist purge then did logoff/logon, I then keyed in "klist tickets" and saw 5 tickets. "klist tgt" also shows servicename:krbtgt, my domainname, etc
  • Sam almost 13 years
    I'm sorry but I don't know what to look for in here. For the five tickets, these are Server: krbtgt/[email protected], krbtgt/[email protected], cifs/[email protected], ldap/[email protected], and LDAP/[email protected]. All have the same KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  • Sam almost 13 years
    Also, do I need to install mod_auth_kerb and modify Apache? Because there's no procedure specified in my first reference, unlike in this one: 4js.com/online_documentation/fjs-gas-2.20.01-manual-html/User/…
  • maweeras almost 13 years
    I would have expected to see HTTP/proxyserver.myproxy.com assuming you registered this SPN. The IE version must be at least V7 for this to work. See how this would look if ISA were in use technet.microsoft.com/en-us/library/bb984870.aspx and blogs.technet.com/b/isablog/archive/2008/06/26/…. I'd expect similar behaviour if IE is configured to use squid using the FQDN of squid instead of ip address. Squid is not my skill sorry.
  • Sam over 12 years
    Thanks for all your comments guys. I've made it work. What I did was to set up new servers all running on 32-bit. And just after following the guide in the said howtoforge article, it worked. My suspicion is that Kerberos was failing the whole time on my previous setup.