[squid-users] Squid negotiation auth for Java webstart not working

Molecki, Christian (STL) Christian.Molecki at stala.bwl.de
Tue May 5 14:29:50 UTC 2020


Hello,
 
We are using Squid 3.5.21 and trying to implement the negotiation authentication, based on Kerberos and NTLM.
Browsing the internet works fine, even with ACLs based on Active Directory groups.
 
 
Unfortunately, we can't call Java Web Start applications:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

We are using Java 1.8.0_221 on the clients.
 
Squid.conf
auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=STL --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
 
acl grp-www external nt_group GRP_WWW
acl www-auth proxy_auth REQUIRED
 
http_access allow p-http  grp-www www-auth
http_access allow p-https grp-www www-auth
 
Without grp-www and www-auth the calls work fine, but there is also no authentication.
 
cache.log (last entry of kerberos debug)
negotiate_kerberos_auth.cc(801): pid=2876 :2020/05/05 16:12:02| negotiate_kerberos_auth: DEBUG: AF oYG3MIG0oAMKAQChCwYJKoZIgvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv5cOyDbJ0+OYmI5iv0/mdKKd3Ez6ewG43c2U2rzYvooNfdMUT4ap5vufPMNSw3fGLJvPKgupMawOvcduXlBkCHqa5pqkmczvXGAdJvC2yRSJagDSrpuvjC9/XXaZCJl906Pluwo2ovPaYcKCXDy9c <myuser>
 
 The wiki says: AF - Success. Valid credentials. Deprecated by OK result from Squid-3.4 onwards.
 
Does anyone have a clue, or has anyone seen similar behavior?
 
 
 
Best Regards
Christian Molecki


