[squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
David Touzeau
david at articatech.com
Tue Sep 21 08:18:29 UTC 2021
Thanks Louis for this tip, but we did not want to use NTLM as it is an
old way.
It requires a Samba on the Squid box.
As Amos said, this is mostly a browser (that uses the Microsoft API) issue.
The best way is to make these browsers replicate the correct Firefox
behaviour,
meaning switch to basic auth instead of trying this stupid NTLM method.
On 21/09/2021 at 09:38, L.P.H. van Belle wrote:
>
> In your smb.conf add
> # Added to enforce NTLMv2, must be set on all Samba AD-DCs and the needed members.
> # This is used in combination with ntlm_auth --allow-mschapv2
> ntlm auth = mschapv2-and-ntlmv2-only
>
> In squid use:
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP.keytab \
> -s HTTP/proxy.fq.dn.tld@MY.REALM.TLD \
> --ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM
>
>
> If you're connecting for LDAP, don't use -h 192.168.90.10
> Use -H ldaps://host.name.fq.dn
>
> Also push the root CA of the domain to the PCs, with a GPO for example,
> and in that GPO you can set the parts you need to enable for the users/PCs to make it all work.
>
> But you're close, you're almost there..
>
> One thing I have not looked at myself yet, ext_kerberos_ldap_group_acl
> https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8
> That's one I'll be using with squid 5.1. I'm still compiling everything I need, but then I'm setting
> it up, I'll document it and make a howto of it.
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of David Touzeau
> Sent: Tuesday, 21 September 2021 1:49
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
>
>
> Hi all
>
> I have set up Kerberos authentication with a Windows 2019 domain using Squid 5.1 (the Squid version did not fix the issue; tested 4.x and 5.x).
> In some cases, some computers are not joined to the domain and we need to allow them to authenticate on Squid.
>
> To allow this, Basic Authentication is defined in Squid and we expect the browsers to prompt for a login so the user is authenticated and gets access to the Internet.
>
> But the behavior is strange.
>
> On a computer outside the Windows domain:
> Firefox is able to authenticate successfully to Squid using basic auth.
> Edge, Chrome and IE still try using the NTLM method and are always rejected with a 407.
>
> When Edge, Chrome and IE try to establish a session, Squid claims
>
> 2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
>
> This lets us understand that these 3 browsers try NTLM instead of Basic Authentication.
>
> I do not know why these browsers use NTLM, as they are not connected to the Windows domain.
> Why does Squid never get the Basic Authentication credentials?
>
> Did i miss something ?
>
> Here it is my configuration.
>
> auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
> auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
> auth_param negotiate keep_alive on
>
> auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administrator@articatech.int" -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
> auth_param basic children 3
> auth_param basic realm Active Directory articatech.int
> auth_param basic credentialsttl 7200 seconds
> authenticate_ttl 3600 seconds
> authenticate_ip_ttl 1 seconds
> authenticate_cache_garbage_interval 3600 seconds
>
> acl AUTHENTICATED proxy_auth REQUIRED
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
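Added diagnostic example (editor's addition; not code from the thread, from David's setup or from Squid). The BH line quoted above, "received type 1 NTLM token", is negotiate_kerberos_auth saying that the bytes the browser sent under the Negotiate scheme were a raw NTLMSSP message rather than a SPNEGO or Kerberos GSS token. The script below lets you check that yourself from the base64 in the client's Proxy-Authorization: Negotiate header (taken from a packet capture on the proxy port) and lists which schemes the 407 actually offered. It runs offline on constructed data: the NTLMSSP NEGOTIATE message uses an example flags value, the Kerberos token is a stand-in (the OID framing is real, the AP-REQ inside is not), and the 407 response is constructed with the realm from David's config.

```python
"""Classify what a client put in 'Proxy-Authorization: Negotiate <b64>' and
which schemes a 407 offered. Added example for this thread; not Squid code."""
import base64
import struct

# DER-encoded OBJECT IDENTIFIER TLVs for the mechanisms that matter here.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_body(tok: bytes) -> bytes:
    """Content of the outer TLV (handles short- and long-form lengths)."""
    if len(tok) < 2:
        return b""
    first = tok[1]
    if first < 0x80:
        return tok[2:2 + first]
    n = first & 0x7F
    length = int.from_bytes(tok[2:2 + n], "big")
    return tok[2 + n:2 + n + length]


def b64(tok: bytes) -> str:
    return base64.b64encode(tok).decode()


def classify_negotiate_token(b64_value: str) -> str:
    """Say what kind of token a client sent under the Negotiate scheme."""
    try:
        tok = base64.b64decode(b64_value, validate=True)
    except ValueError:
        return "invalid-base64"
    if tok.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP with no GSS/SPNEGO framing: what Windows SSPI sends under
        # "Negotiate" when it has no Kerberos ticket, and what
        # negotiate_kerberos_auth logs as "received type N NTLM token".
        if len(tok) < 12:
            return "raw-ntlm-truncated"
        return "raw-ntlm-type%d" % struct.unpack_from("<I", tok, 8)[0]
    if tok[:1] == b"\x60":
        # GSS-API InitialContextToken: [APPLICATION 0] { mech OID, inner token }
        body = _der_body(tok)
        if body.startswith(OID_SPNEGO):
            return "spnego-with-ntlm" if NTLMSSP_SIG in body else "spnego"
        if body.startswith((OID_KRB5, OID_MS_KRB5)):
            return "kerberos"
        return "gss-unknown-mech"
    return "unknown"


def proxy_auth_schemes(response_text: str) -> list:
    """Schemes offered by a 407, in header order (Squid emits one header per scheme)."""
    schemes = []
    for line in response_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(None, 1)[0])
    return schemes


# --- constructed sample data (not captured traffic) --------------------------

def build_ntlm_type1(domain: bytes = b"", workstation: bytes = b"") -> bytes:
    """Minimal NTLMSSP NEGOTIATE_MESSAGE: signature, type=1, flags, two field descriptors."""
    flags = 0xE2088297  # example flag set; the classifier does not look at it
    hdr = 32
    dom = struct.pack("<HHI", len(domain), len(domain), hdr)
    ws = struct.pack("<HHI", len(workstation), len(workstation), hdr + len(domain))
    return NTLMSSP_SIG + struct.pack("<II", 1, flags) + dom + ws + domain + workstation


def build_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    return _tlv(0x60, mech_oid + inner)


def build_spnego_init(mech_oids, mech_token: bytes) -> bytes:
    """NegTokenInit with mechTypes [0] and mechToken [2], under the SPNEGO OID."""
    fields = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids))) + _tlv(0xA2, _tlv(0x04, mech_token))
    return build_gss_token(OID_SPNEGO, _tlv(0xA0, _tlv(0x30, fields)))


SAMPLE_407 = (  # constructed; realm taken from the config quoted in the thread
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="Active Directory articatech.int"\r\n'
    "Content-Length: 0\r\n\r\n"
)

SAMPLES = {
    "windows-sspi-no-ticket": build_ntlm_type1(b"WORKGROUP", b"PC1"),
    "spnego-offering-ntlm": build_spnego_init([OID_NTLMSSP], build_ntlm_type1()),
    "kerberos-stand-in": build_gss_token(OID_KRB5, b"\x01\x00" + _tlv(0x6E, b"")),
}

if __name__ == "__main__":
    print("407 offers:", proxy_auth_schemes(SAMPLE_407))
    for name, tok in SAMPLES.items():
        print(name, "->", classify_negotiate_token(b64(tok)))
```

Two things the output makes concrete. First, the order of the two Proxy-Authenticate headers in the 407 is not what makes a client choose Basic; Chromium-based browsers and IE pick the scheme they rate strongest, so offering Basic alongside Negotiate does not by itself stop them from trying Negotiate. Second, a "raw-ntlm-type1" verdict is exactly the case negotiate_kerberos_auth answers with BH when it runs alone, and it is the case Louis's negotiate_wrapper_auth line hands to ntlm_auth instead, which is why that configuration needs Samba on the proxy.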
More information about the squid-users mailing list