[squid-users] Kerberos - Cannot decrypt ticket for HTTP

Rafael Akchurin rafael.akchurin at diladele.com
Fri Nov 18 14:53:28 UTC 2022


Also it might have been related to recent Microsoft Updates.

The following article summarizes our issues with Kerberos (note we use a special user in AD with keytab, not joining of proxy into the domain).

https://docs.diladele.com/faq/squid/authentication/event_14_kerberos_key_distribution_center.html

Best regards,
rafael

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Klaus Brandl
Sent: Friday, November 18, 2022 3:23 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

Which options do you have configured for the auth helper?
Something like:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i

Best regards

Klaus

On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote:
> Hi David,
>  
> Thanks for your advice but it doesn't help me. I use an AD account which 
> doesn't have these parameters set.
>  
> Misha.
>  
> 17.11.2022, 10:07, "David Touzeau" <david at articatech.com>:
> > Hi
> > 
> > perhaps this one
> > https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
> > 
> >  
> > On 16/11/2022 at 05:11, Михаил wrote:
> > > Hi everybody,
> > >  
> > > Could you help me to set up my new squid server? I have a problem 
> > > with keytab authorization.
> > >  
> > > 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }} Got NTLMSSP neg_flags=0xe2088297
> > > 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> > >  
> > > # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp
> > > Using default cache: /tmp/krb5cc_0
> > > Using principal: HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > > Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Authenticated to Kerberos v5
> > >  
> > > # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
> > >    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >  
> > > # klist -kt
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Timestamp           Principal
> > > ---- ------------------- ------------------------------------------------------
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >  
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> >  
> > --
> > David Touzeau - Artica Tech France
> > Development team, level 3 support
> > ----------------------------------
> > P: +33 6 58 44 69 46
> > www: https://wiki.articatech.com
> > www: http://articatech.net
> > 


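Added troubleshooting helper (not from the thread, not part of Squid or MIT krb5): the error quoted above, "Cannot decrypt ticket for X using keytab key for X", is what MIT krb5 reports when it did find a keytab key for the ticket's server name and tried it, and the decryption still failed. That leaves a short list of causes: the keytab entry is for a different KVNO than the KDC now uses (account password reset after the keytab was made), the KDC issued the ticket in an enctype the keytab does not carry, or the name/KVNO/enctype all line up and the key bytes themselves differ (keytab generated with the wrong password or salt). The script below goes a little beyond the thread's specific case: it takes a `klist -ke` listing plus the KVNO and enctype observed on the KDC side and says which of those cases applies, and a second function shows the live commands for the same check, where MIT's `kvno -k KEYTAB` fetches a service ticket and decrypts it with the keytab, the same operation the negotiate helper performs. Hostnames, realm and keytab path are placeholders, and the listing is constructed to mirror the one in the thread, not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid/MIT krb5). Narrows down why
# negotiate_kerberos_auth logs "Cannot decrypt ticket for HTTP/... using keytab
# key for HTTP/...". Hostnames, realm and keytab path are placeholders.

# Constructed `klist -ke` listing modelled on the thread's, with the masked
# host/realm replaced by placeholders. Every value here is made up.
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/keytab/proxy-t.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 proxy-t$@EXAMPLE.CORP (arcfour-hmac)
   3 proxy-t$@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)'

# keytab_entries LISTING PRINCIPAL
# Prints "KVNO ENCTYPE" for every keytab entry whose principal matches exactly.
# The match is case-sensitive on purpose: Kerberos principals are, which is why
# keytabs exported from AD often carry both upper- and lower-case spellings.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            gsub(/[()]/, "", $3)
            print $1, $3
        }'
}

# diagnose LISTING PRINCIPAL KDC_KVNO TICKET_ENCTYPE
#   KDC_KVNO       : key version the KDC currently uses (from `kvno PRINCIPAL`)
#   TICKET_ENCTYPE : enctype of the service ticket the client got (`klist -e`)
# Prints one label:
#   NO_ENTRY         no key for that exact principal name and realm
#   KVNO_MISMATCH    keytab is stale: the account key changed after it was made
#   ENCTYPE_MISSING  the KDC issued a ticket in an enctype the keytab lacks
#   ENTRY_MATCHES    name, KVNO and enctype all match; if the helper still
#                    fails, the key bytes differ (wrong password or salt when
#                    the keytab was generated), so regenerate the keytab
diagnose() {
    entries=$(keytab_entries "$1" "$2")
    if [ -z "$entries" ]; then
        echo NO_ENTRY
    elif ! printf '%s\n' "$entries" | awk -v k="$3" '$1 == k { ok = 1 } END { exit !ok }'; then
        echo KVNO_MISMATCH
    elif ! printf '%s\n' "$entries" | awk -v k="$3" -v e="$4" '$1 == k && $2 == e { ok = 1 } END { exit !ok }'; then
        echo ENCTYPE_MISSING
    else
        echo ENTRY_MATCHES
    fi
}

# live_check KEYTAB PRINCIPAL
# The same comparison against the real KDC with MIT krb5 tools:
#   kinit -k   proves the KDC accepts the keytab key (AS exchange only),
#   kvno -k    fetches a service ticket for PRINCIPAL and decrypts it with the
#              keytab, which is the step that fails inside Squid's helper,
#   klist -e   shows the enctype the KDC chose for that ticket.
live_check() {
    kinit -k -t "$1" "$2" || return 1
    kvno -k "$1" "$2" || return 1
    klist -e
}

if [ "${1:-}" = "--live" ]; then
    live_check "$2" "$3"
else
    # Offline demonstration on the constructed listing.
    p='HTTP/proxy.example.corp@EXAMPLE.CORP'
    echo "kvno 3, aes256 : $(diagnose "$SAMPLE_LISTING" "$p" 3 aes256-cts-hmac-sha1-96)"
    echo "kvno 4, aes256 : $(diagnose "$SAMPLE_LISTING" "$p" 4 aes256-cts-hmac-sha1-96)"
    echo "kvno 3, des3   : $(diagnose "$SAMPLE_LISTING" "$p" 3 des3-cbc-sha1)"
    echo "other realm    : $(diagnose "$SAMPLE_LISTING" "HTTP/proxy.example.corp@EXAMPLE.NET" 3 aes256-cts-hmac-sha1-96)"
fi
```

Run it with no arguments for the offline demonstration, or as `sh check.sh --live /etc/squid/keytab/proxy-t.keytab HTTP/proxy.example.corp` on the proxy itself. Note that a successful `kinit -k` (as in the thread) only shows the KDC accepts one of the keytab's keys for the AS exchange; it does not prove that the key the client's ticket was encrypted with (a specific KVNO and enctype) matches, which is exactly what `kvno -k` exercises.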