Squid Kerberos/LDAP Active Directory only works on IE, not on Firefox and Chrome

Tags: active-directory, firefox, kerberos, squid

I've set up a proxy using squid, with Kerberos/LDAP as authentication.
I used this article as a reference: http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter

I tried using the proxy on IE and it works, but it won't work on Chrome and Firefox. (I'm not sure why it doesn't work on Chrome, when in fact Chrome has the same network settings as IE.) After I enter my account details on IE, it works, but on Chrome and Firefox it's not accepting my username and password.

On Firefox, the automatic proxy configuration URL is
http://wpad.example.com/wpad.dat

network.negotiate-auth.trusted-uris is set to http://example.com

Here are the logs from cache.log:

2011/08/16 00:45:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2011/08/16 00:45:41| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/08/16 00:45:41| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

access.log:

1313469925.993      0 10.101.204.82 TCP_DENIED/407 4163 GET (I removed the site)- NONE/- text/html
1313469941.280      0 10.101.204.82 TCP_DENIED/407 4163 GET (I removed the site)  - NONE/- text/html

Best Answer

Are you not interested in troubleshooting if and why Kerberos wasn't used? I am not a squid guy, but it looks like the client failed to get a Kerberos ticket to access squid.

You can use klist.exe on the client to see if it indeed got a ticket for the proxy. Perhaps IE does get a Kerberos ticket but Firefox/Chrome didn't?

Do a "klist purge" on the client (or log off/log on) before attempting to use IE (with the proxy enabled). Check "klist tickets" afterwards to see if you have a ticket for the proxy. If you take a simultaneous network trace you can see if it succeeded in using that ticket to authenticate to the proxy, as we want to make sure squid decoded it. Otherwise you can check the squid logs to see if they reveal what auth the client used.

Repeat for Firefox/Chrome.

I would also bump up netlogon.log on the DCs (nltest /dbflag:2080ffff) to see if they report receiving an NTLM challenge/response from squid. Do you get a password prompt when using IE (with the proxy)? Because if you don't, that implies Kerberos was used. As per http://blog.rafelo.com/2008/06/firefox-and-integrated-authentication.html, it looks like there may be other browser settings you may have failed to do for Firefox/Chrome? Disclaimer: I haven't ever configured Firefox/Chrome to do Windows integrated auth.
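The "check the squid logs to see what auth the client used" step can be done offline from the helper's own debug output. The following is an added example, not code from the question, the answer or the squid project: it takes the base64 blob that squid_kerb_auth prints in its "Decode '...'" line (the browser's Proxy-Authorization: Negotiate value) and tells you from the first bytes whether the browser sent raw NTLM, a SPNEGO/Kerberos GSS-API initial token, or a SPNEGO follow-up message. The NTLM line in the sample excerpt is the one from the question; the second Decode line is a constructed, truncated SPNEGO token (just the mechanism OID) added to exercise the other branch.

```python
"""Classify the Negotiate tokens squid's Kerberos helper prints in cache.log.

The helper logs the base64 blob the browser sent in its
Proxy-Authorization: Negotiate header as "Decode '...'". The first bytes of
that blob reveal which mechanism the browser actually picked:
  NTLMSSP signature -> raw NTLM (the question's log shows a type 1 message)
  0x60 ... 0x06 OID -> GSS-API initial token: SPNEGO or plain Kerberos 5
  0xa1              -> SPNEGO NegTokenResp (a later round of the exchange)
"""
import base64
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Contents octets of the DER-encoded OID (without the 0x06 tag and length byte).
MECH_OIDS = {
    b"\x2b\x06\x01\x05\x05\x02": "SPNEGO 1.3.6.1.5.5.2",
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "Kerberos 5 1.2.840.113554.1.2.2",
    b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02": "MS Kerberos 5 1.2.840.48018.1.2.2",
    b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a": "NTLMSSP 1.3.6.1.4.1.311.2.2.10",
}

DECODE_LINE = re.compile(r"Decode '([A-Za-z0-9+/=]+)'")


def _der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(b64_token):
    """Return a short description of the mechanism behind one Negotiate blob."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # MessageType is a little-endian DWORD: 1 negotiate, 2 challenge, 3 authenticate
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLM type {msg_type}"
    if raw[:1] == b"\x60":                # [APPLICATION 0] InitialContextToken (RFC 2743 3.1)
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] != b"\x06":
            return "GSS-API initial token without mechanism OID"
        oid_len, pos = _der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
        return "GSS-API initial token, mech " + MECH_OIDS.get(oid, "unknown OID " + oid.hex())
    if raw[:1] == b"\xa1":                # [1] NegTokenResp (RFC 4178 4.2.2)
        return "SPNEGO NegTokenResp"
    return "unrecognised token"


def classify_cache_log(lines):
    """Map every helper 'Decode' line in a cache.log excerpt to (timestamp, mechanism)."""
    results = []
    for line in lines:
        m = DECODE_LINE.search(line)
        if m:
            results.append((line.split("|")[0].strip(), classify_token(m.group(1))))
    return results


# Constructed cache.log excerpt. The first Decode line is the one from the
# question (a real NTLM type 1 message); the second carries a hand-built,
# truncated SPNEGO initial token (only the OID, no inner Kerberos token).
SPNEGO_STUB_B64 = base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
SAMPLE_CACHE_LOG = [
    "2011/08/16 00:45:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).",
    "2011/08/16 00:45:41| squid_kerb_auth: WARNING: received type 1 NTLM token",
    f"2011/08/16 00:46:02| squid_kerb_auth: DEBUG: Decode '{SPNEGO_STUB_B64}' (decoded length: 10).",
]

if __name__ == "__main__":
    for stamp, mech in classify_cache_log(SAMPLE_CACHE_LOG):
        print(stamp, mech)
```

A working Kerberos client produces a GSS-API initial token whose OID is SPNEGO (with a Kerberos 5 token inside) or plain Kerberos 5; seeing "NTLM type 1" for a given client, as in the question's log, means that browser never offered Kerberos to the proxy and the fix lies on the client side (ticket or browser trust settings), not in squid's helper.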