[squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed
Victor Sudakov
sudakov at sibptus.tomsk.ru
Sun Nov 2 18:00:25 UTC 2014
Markus Moeller wrote:
> Hi Pedro,
>
> I looked at your captures and I observed something similar to
> Victor's issue. I see KRB5KRB_AP_ERR_MODIFIED and then the
> use of the name of the AD object (e.g. proxy$) instead of
> HTTP/<proxy fqdn>.
Dear Pedro,
If it is so as Markus wrote, then adding another principal to squid's
keytab (namely 'proxy$@YOUR.REALM', with a key identical to that
of 'HTTP/<proxy fqdn>@YOUR.REALM') could help you as a workaround. Just
add it manually with ktutil.
However, I am eager to know what could be causing such weird tickets
to be issued, but I think only a Windows expert can tell. After all,
the key in the tickets is correct, only the principal name is changed.
I only suspect that the name is changed when the client sets the
Canonicalize option in the request, and not all clients do that.
<rant>I have not been able to find such an expert, most Windows admins I
know are GUI mouse boys without thorough understanding of Windows
internals.</rant>
> I also see that you have more than one AD
> server and I assume there is a sync problem between your AD
> servers (you said it started working after removing an unused AD
> server, which would support my assumption).
If it were a DC sync problem, then probably the key/password would be
incorrect too. I blame the Canonicalize flag, but I don't understand
the logic behind it.
--
Victor Sudakov
Tomsk, Russia
Russian Barefoot FAQ at http://www.barefooters.ru/barefoot.txt
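As an added example (not part of Victor's post or of the squid project), a small POSIX shell script that turns `klist -k -K -t -e` output into an MIT ktutil command script which clones every key of HTTP/<proxy fqdn> under the proxy$ name, i.e. the keytab workaround suggested above, one `addent` per enctype. The klist column layout, ktutil's `addent -key` reading the hex key from the next stdin line, and every name, kvno and key in the sample are assumptions or constructed values; verify against your krb5 version before use.

```shell
#!/bin/sh
# Generate an MIT ktutil script that adds proxy$@REALM entries whose keys
# are copies of the HTTP/<proxy fqdn>@REALM keys already in the keytab.
# Input: output of `klist -k -K -t -e <keytab>` on stdin (layout assumed).

KEYTAB="${KEYTAB:-/etc/squid/squid.keytab}"

# Constructed sample of `klist -k -K -t -e` output, used for offline testing.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/02/2014 12:00:00 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff)
   3 11/02/2014 12:00:00 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)  (0x00112233445566778899aabbccddeeff)
   3 11/02/2014 12:00:00 host/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xdeadbeef)'

# gen_ktutil_script SRC_PRINC DST_PRINC KEYTAB  < klist-output
# Emits: rkt KEYTAB, then for each enctype of SRC_PRINC an
# "addent -key -p DST_PRINC -k KVNO -e ENCTYPE" followed by the hex key on
# its own line (assumed to be what ktutil prompts for), then wkt to a fresh
# file so the existing keytab is not appended to and duplicated.
# Returns 1 if SRC_PRINC has no entries, so nothing half-built is produced.
gen_ktutil_script() {
    src="$1" dst="$2" kt="$3"
    awk -v src="$src" -v dst="$dst" -v kt="$kt" '
        # data lines: KVNO date time principal (enctype) (0xkey)
        $4 == src {
            kvno = $1
            etype = $5; sub(/^\(/, "", etype); sub(/\)$/, "", etype)
            key = $6; sub(/^\(0x/, "", key); sub(/\)$/, "", key)
            if (!n++) print "rkt " kt
            printf "addent -key -p %s -k %s -e %s\n%s\n", dst, kvno, etype, key
        }
        END {
            if (!n) exit 1
            print "wkt " kt ".new"
        }'
}
```

Run it as `klist -k -K -t -e "$KEYTAB" | gen_ktutil_script 'HTTP/proxy.fqdn@REALM' 'proxy$@REALM' "$KEYTAB"`, read the generated script (it contains raw key material), then feed it to ktutil and swap the `.new` file in under the original name.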