Hello,
I'm trying to set up squid to auth against AD.
AD is on 2008 server (but functionality level of 2003).
Kerberos works fine, from linux machine (debian) kinit and klist and
ktutil are all right. I also have created krb5.keytab and for my proxy
user I have:
ktutil: rkt /etc/krb5.keytab
On 20/01/11 01:12, Rafal Zawierta wrote:
Hello,
I'm trying to set up squid to auth against AD.
AD is on 2008 server (but functionality level of 2003).
Kerberos works fine, from linux machine (debian) kinit and klist and
ktutil are all right. I also have created krb5.keytab and for my proxy
user
On Wed 2011-01-19 at 13:12 +0100, Rafal Zawierta wrote:
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH received type 1 NTLM token'
That the client selected to use NTLM, not Kerberos. The squid_kerb_auth
helper only supports Kerberos. To support NTLM
On Thu 2011-01-20 at 01:26 +1300, Amos Jeffries wrote:
As you can see the browser is sending an NTLM handshake instead of the
Kerberos token. The current Squid auth system does not support
Negotiate/NTLM only Negotiate/Kerberos but has no way to tell IE8 that.
Technically Squid does not care
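
Added example, not part of the original thread and not Squid's own code: a small Python triage of a captured `Proxy-Authorization: Negotiate` value that separates a raw NTLMSSP message (the "type 1 NTLM token" case in the error above) from a SPNEGO or Kerberos token. The function name, return labels and sample tokens are constructed here, and the OID search is a heuristic over the token's first bytes, not a full ASN.1 parse.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify the value of a Proxy-Authorization / Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"

    # Raw NTLMSSP inside Negotiate: signature, then little-endian message type.
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return "ntlm-truncated"
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"ntlm-type-{msg_type}"

    # GSS-API initial token: APPLICATION 0 tag (0x60), then the mechanism OID.
    if token[:1] == b"\x60":
        head = token[:96]
        has_krb = OID_KRB5 in head or OID_MS_KRB5 in head
        if OID_SPNEGO in head:
            if has_krb:
                return "spnego-kerberos"
            if OID_NTLMSSP in head:
                return "spnego-ntlm-only"
            return "spnego-other"
        if has_krb:
            return "gss-kerberos"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: minimal NTLM type 1 message with zeroed flags.
    sample = base64.b64encode(NTLMSSP_SIG + struct.pack("<II", 1, 0)).decode()
    print(classify_negotiate("Negotiate " + sample))
```

Any `ntlm-type-*` or `spnego-ntlm-only` result means the client did not obtain a Kerberos ticket for the proxy and fell back to NTLM.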
Ok, I'll try to focus on client side.
Now I've installed XP SP3 with IE8 and FF3.6 and there is the same problem.
* Check that IE is configured to use Kerberos by reference.
How to check it?
In addition:
When I start IE on XP machine, with Wireshark I get:
KRB Error: