Hi Amos

"Amos Jeffries" <squ...@treenet.co.nz> wrote in message news:4ef3e3b6.4060...@treenet.co.nz...
On 23/12/2011 12:39 p.m., James Robertson wrote:
We have successfully deployed a squid3 proxy in a Windows AD domain
that authenticates users with the kerberos helper and uses LDAP
queries to allow access based on Security groups in AD.  This works
perfectly for IE, FF and Chrome and no authentication pop-ups occur.
We realised that not all applications use this authentication and that
sometimes non-domain PCs might need internet access so LDAP was to be
used as a backup authentication method.

Please get this straight:  LDAP is *not* an authentication method.
It is one of several interfaces to AD. There are several real authentication methods which operate very differently and all use LDAP to contact AD.


I tested using a non-domain user on a Win7 workstation and when
opening IE it prompts for a login as I had expected but I notice that
I have to input the username and password a second time before it will
allow access.  I also notice when this happens that the second
authentication dialogue automatically adds the domain prefix, i.e.
DOMAIN\user and the password is already entered.  Looking at the logs
it seems as though this second attempt is in fact the kerberos auth,
not LDAP as I had initially thought; this is what's logged in
/var/cache/squid3/cache.log whilst this takes place (long lines have
been truncated).

Looking ahead I see you actually mean "Basic authentication" where you have written "LDAP".

2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token

This is NTLM version 1 authentication being sent by IE (real name: Negotiate/NTLM) instead of Kerberos (real name: Negotiate/Kerberos).


The type 1 refers to the NTLM message type, not the NTLM version. So this can be a valid start of an NTLMv2 exchange wrapped into SPNEGO and sent with Negotiate (as you say, as Negotiate/NTLM).

So, what is actually happening is that IE is attempting to login with NTLM. Squid helper is rejecting that old protocol, then IE is re-trying with Negotiate/Kerberos like it should have to start with.

To avoid this, upgrade IE to at least IE7 and check that the machine's authentication security level is set to a minimum of NTLMv2, with working Kerberos tokens (current IE7 will try those first if they are okay).

(I'm sorry I can't be more specific and point at how-tos, but it has been a very long time since I had to deal with the inner config details of Windows. Hopefully someone else can provide that.)


Besides that we also have a problem with iTunes access.  When iTunes
runs it prompts for authentication regardless of whether the user is
logged in to the domain or not and fails to authenticate regardless of
entering the login multiple times.  The following is logged in
/var/log/squid3/cache.log.


2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/12/23 10:03:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:03:13| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'

The squid.conf is listed below.  Am I mistaken about the
authentication failing over to LDAP if kerberos fails - if so, is
there a way to make this work for computers/software that cannot do
kerberos besides whitelisting domains??

If updating IE and the system security level config to NTLMv2+ does not fix this, you can use Markus' negotiate_wrapper helper and configure Squid to accept both Negotiate/Kerberos and Negotiate/NTLM.



I'm also a bit unsure about my http_access lines, hence you will see
some commented out from some testing I am doing.

### /etc/squid3/squid.conf Configuration File #######

### cache manager
cache_mgr cachead...@example.com

### kerberos authentication
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s \
     HTTP/squidproxy.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

### provide access via ldap for clients not authenticated via kerberos
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
     -b "dc=example,dc=local" \
     -D squid@example.local \
     -W /etc/squid3/ldappass.txt \
     -f sAMAccountName=%s \
     -h domaincontroller.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

Here we have some confusion, which is why I stress being clear on LDAP. You have *Basic* authentication over LDAP, and several external helper group lookups over LDAP (not even authentication at all). Any one of which might trigger a popup under the right conditions.

Your discovery that the second popup is Kerberos instead of NTLM is a good sign that the negotiate_wrapper will work well for you.


The best is to configure Negotiate with the wrapper to cover Negotiate/NTLM and Negotiate/Kerberos, and NTLM as "pure" NTLM for applications/clients which do not support Negotiate but NTLM (like some chat tools).

Amos


Regards
Markus
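As an added example (not from this thread, Squid or negotiate_wrapper), here is a small Python decoder for the token that squid_kerb_auth logs as "Got 'YR ...'", showing why the helper reports a type 1 NTLM token and what else the token carries; the flag names and version layout follow MS-NLMP, and the GSS-API OID check for SPNEGO/Kerberos tokens is an assumption about what a Negotiate/Kerberos client would have sent instead.

```python
import base64
import re
import struct

# Constructed from the cache.log line quoted above (wrapped lines joined).
LOG_LINE = ("2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR "
            "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid")

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2
# A few NEGOTIATE flag bits (MS-NLMP), only used to annotate the type 1 token.
NTLM_FLAGS = {0x00000001: "UNICODE", 0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
              0x00080000: "EXTENDED_SESSIONSECURITY", 0x02000000: "VERSION",
              0x40000000: "KEY_EXCH"}

def _der_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64):
    """Say what the Negotiate client actually sent: raw NTLMSSP or a GSS-API token."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):
        msg_type = struct.unpack_from("<I", raw, 8)[0]       # 1 = NEGOTIATE
        info = {"mech": "NTLMSSP", "type": msg_type, "length": len(raw)}
        if msg_type == 1 and len(raw) >= 16:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = [n for bit, n in NTLM_FLAGS.items() if flags & bit]
            if flags & 0x02000000 and len(raw) >= 40:       # VERSION block present
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["os_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] + mech OID
        _, pos = _der_len(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            olen, pos = _der_len(raw, pos + 1)
            oid = raw[pos:pos + olen]
            mech = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos"}.get(oid, "GSS-API (other)")
            return {"mech": mech, "length": len(raw)}
    return {"mech": "unknown", "length": len(raw)}

def scan_log(line):
    """Pull the helper's input token out of a cache.log line and classify it."""
    m = re.search(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'", line)
    return classify_token(m.group(1)) if m else None
```

On the quoted token this reports an NTLMSSP type 1 message with the VERSION block set to 6.1.7600, consistent with the Win7 workstation in the report.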
