[squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

David Touzeau david at articatech.com
Mon Sep 20 23:49:06 UTC 2021


Hi all

I have set up Kerberos authentication with a Windows 2019 domain using 
Squid 5.1 (the Squid version did not fix the issue; tested 4.x and 5.x).
In some cases, some computers are not joined to the domain and we need 
to allow them to authenticate on Squid.

To allow this, Basic Authentication is defined in Squid and we expect 
that browsers prompt for a login to be authenticated and access the Internet.

But the behavior is strange.

On a computer outside the Windows domain:
Firefox is able to successfully authenticate to Squid using basic 
auth.
Edge, Chrome and IE still try using the NTLM method and are always 
rejected with a 407.

When Edge, Chrome and IE try to establish a session, Squid claims:

2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

This lets us understand that these 3 browsers try NTLM instead of 
Basic Authentication.

I do not know why these browsers are using NTLM, as they are not connected 
to the Windows domain.
Why does Squid never get the Basic Authentication credentials?

Did I miss something?

Here is my configuration.

auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
auth_param negotiate keep_alive on

auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administrator@articatech.int" -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds

acl AUTHENTICATED proxy_auth REQUIRED
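
A diagnostic sketch for the "received type 1 NTLM token" message quoted above, added here as an example and not part of the original post or of Squid: it classifies a captured Proxy-Authorization value as Basic, raw NTLM, Kerberos or SPNEGO, which shows what a browser actually sent in reply to the 407. The function name `classify_proxy_auth` and the sample token are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field starting at pos."""
    first = buf[pos]
    return pos + 1 + ((first & 0x7F) if first & 0x80 else 0)


def classify_proxy_auth(value):
    """Classify a Proxy-Authorization header value (hypothetical helper)."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown-scheme"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # Raw NTLMSSP message: little-endian message type follows the signature.
        return "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    if len(raw) > 2 and raw[0] == 0x60:
        # GSS-API InitialContextToken: [APPLICATION 0], length, mechanism OID.
        body = _skip_der_length(raw, 1)
        if raw.startswith(OID_KRB5, body):
            return "kerberos"
        if raw.startswith(OID_SPNEGO, body):
            # Heuristic: search the SPNEGO body for the offered mechanisms.
            if OID_KRB5 in raw:
                return "spnego-kerberos"
            return "spnego-ntlm" if OID_NTLM in raw else "spnego-other"
    return "unrecognized"


# Constructed sample: a raw NTLM type 1 message sent under the Negotiate scheme.
SAMPLE_TYPE1 = "Negotiate " + base64.b64encode(
    NTLM_SIG + struct.pack("<II", 1, 0x00088207) + bytes(16)).decode()

if __name__ == "__main__":
    print(classify_proxy_auth(SAMPLE_TYPE1))
```

A result of `ntlm-type1` for a Negotiate header means the client answered with raw NTLM rather than a Kerberos ticket, which is the case the Kerberos helper reports as `BH` in the log line above.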
