[squid-users] Squid negotiation auth for Java webstart not working
Molecki, Christian (STL)
Christian.Molecki at stala.bwl.de
Tue May 5 14:29:50 UTC 2020
Hello,
we are using Squid 3.5.21 and trying to implement the negotiation authentication, based on Kerberos and NTLM.
Browsing the internet works fine, even with ACLs based on Active Directory groups.
Unfortunately we can't call Java Web Start applications:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
We are using Java 1.8.0_221 on the clients.
Squid.conf
auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=STL --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
acl grp-www external nt_group GRP_WWW
acl www-auth proxy_auth REQUIRED
http_access allow p-http grp-www www-auth
http_access allow p-https grp-www www-auth
Without grp-www and www-auth the calls work fine, but there is also no authentication.
cache.log (last entry of kerberos debug)
negotiate_kerberos_auth.cc(801): pid=2876 :2020/05/05 16:12:02| negotiate_kerberos_auth: DEBUG: AF oYG3MIG0oAMKAQChCwYJKoZIgvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv5cOyDbJ0+OYmI5iv0/mdKKd3Ez6ewG43c2U2rzYvooNfdMUT4ap5vufPMNSw3fGLJvPKgupMawOvcduXlBkCHqa5pqkmczvXGAdJvC2yRSJagDSrpuvjC9/XXaZCJl906Pluwo2ovPaYcKCXDy9c <myuser>
The wiki says: AF - Success. Valid credentials. Deprecated by OK result from Squid-3.4 onwards.
Does anyone have a clue, or has anyone seen similar behavior?
Best Regards
Christian Molecki