Kerberos proxy authentication falls back to NTLM

Posted on 2014-04-04
Last Modified: 2014-04-15
Hi experts,

I have a rather complicated problem which I am trying to debug.
We are using a proxy server (squid) for user authentication. We are trying to use Kerberos authentication and it works on our test systems without any problems.

On the production machine, however, it fails and always falls back to NTLM authentication (on all browsers). We could find out that the system does not even try to use Kerberos.
The production machine is a Windows Server 2012 R2. If we look at the output of klist, we see no tickets for HTTP/Proxy.domain. However, we can successfully obtain the ticket using "klist get HTTP/Proxy.domain", but that ticket will not be used afterwards.

What we are looking for is a way to debug this. Enabling LSA/Kerberos logging (setting SPMInfoLevel) did not reveal anything useful.

squid/3.3.8 @ openSUSE 13.1 (x64), using the built-in Kerberos authentication helper; the proxy server is domain-joined and the SPN is set correctly.
Question by: McKnife
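The following is an added client-side diagnostic for the Windows machine described in the question; it is example code written for this page, not the poster's script and not part of squid. It assumes a domain-joined Windows client, an elevated PowerShell 5.1 prompt, setspn.exe available, and the placeholder name proxy.domain with an assumed squid port of 3128. It derives the SPN the client will ask for from the proxy setting exactly as configured (a proxy given by IP address or by a short name without its own SPN is the first thing to rule out, since WinINET/WinHTTP build HTTP/<host as configured>), verifies the SPN in AD, purges and re-requests the ticket, pushes one request through the proxy on the same SPNEGO path a browser uses, checks the ticket cache, and ends with the capture setup for confirming on the wire whether Kerberos or NTLM was sent.

```powershell
# Added example, not code from the original thread. Assumes: domain-joined Windows
# client, elevated PowerShell 5.1, setspn.exe present, and the placeholder names
# proxy.domain / port 3128 from the question.
param(
    [string]$ProxySetting = ''   # e.g. 'proxy.domain:3128'; empty = read the WinINET setting
)

function ConvertTo-ProxyTarget {
    # The client builds the SPN as HTTP/<host exactly as it appears in the proxy
    # setting>. An IP literal yields no usable SPN, a short name needs its own SPN,
    # and in both cases the browser silently drops to NTLM.
    param([Parameter(Mandatory)][string]$Setting)
    $entries = $Setting -split ';'
    $entry = $entries | Where-Object { $_ -like 'http=*' } | Select-Object -First 1
    if (-not $entry) { $entry = $entries[0] }
    $entry = ($entry -replace '^[a-z]+=', '') -replace '^https?://', ''
    $hostName, $port = $entry -split ':', 2
    if (-not $port) { $port = 3128 }   # assumed squid default port
    $target = [pscustomobject]@{
        Host = $hostName; Port = [int]$port; Spn = "HTTP/$hostName"; Warning = $null
    }
    if ($hostName -match '^\d{1,3}(\.\d{1,3}){3}$') {
        $target.Spn = $null
        $target.Warning = 'proxy configured by IP address: no SPN can be built, NTLM fallback is certain'
    } elseif ($hostName -notmatch '\.') {
        $target.Warning = "short name in use: HTTP/$hostName must be registered as an SPN, not only the FQDN form"
    }
    return $target
}

# --- 1. What proxy is the client actually configured to use?
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (-not $ProxySetting) {
    if ($inet.AutoConfigURL) {
        Write-Warning "PAC file in use ($($inet.AutoConfigURL)): the proxy host comes from the PAC; re-run with -ProxySetting '<host:port>' as the PAC returns it."
    }
    if ($inet.ProxyEnable -ne 1 -or -not $inet.ProxyServer) { throw 'No static WinINET proxy configured; pass -ProxySetting.' }
    $ProxySetting = $inet.ProxyServer
}
$target = ConvertTo-ProxyTarget -Setting $ProxySetting
"Proxy: $($target.Host):$($target.Port)   expected SPN: $($target.Spn)"
if ($target.Warning) { Write-Warning $target.Warning }
if (-not $target.Spn) { return }

# --- 2. The SPN must exist on exactly one account; a duplicate makes the KDC fail the TGS-REQ.
"--- setspn -Q $($target.Spn)"
setspn -Q $target.Spn
"--- forest-wide duplicate SPN check"
setspn -X

# --- 3. Name resolution. With a CNAME the ticket is requested for the alias as typed,
#        so the alias itself must be an SPN on the proxy's account.
Resolve-DnsName -Name $target.Host -ErrorAction Stop | Format-Table Name, Type, IPAddress, NameHost -AutoSize

# --- 4. Start from an empty cache, request the ticket explicitly, then push one request
#        through the proxy with default credentials (same SPNEGO code path as the browser).
klist purge | Out-Null
klist get $target.Spn | Out-Null
try {
    Invoke-WebRequest -Uri 'http://www.example.com/' -Proxy "http://$($target.Host):$($target.Port)" `
        -ProxyUseDefaultCredentials -UseBasicParsing -TimeoutSec 15 | Out-Null
} catch {
    Write-Warning "Request through the proxy failed: $($_.Exception.Message)"
}

# --- 5. Is the service ticket in the cache? Present here but NTLM on the wire means the
#        client obtained the ticket and chose not to use it, which is the symptom in the question.
$ticket = klist 2>&1 | Select-String -Pattern "Server:\s+$([regex]::Escape($target.Spn))"
if ($ticket) { "Service ticket cached: $($ticket.Line.Trim())" }
else { Write-Warning "No ticket for $($target.Spn) in the cache after the request" }

# --- 6. Confirm on the wire. Capture while reproducing in the browser, then open the
#        trace in Wireshark (convert with etl2pcapng) and filter on
#        kerberos || tcp.port == <proxy port>. In the Proxy-Authorization token, SPNEGO
#        mechType 1.2.840.113554.1.2.2 is Kerberos and 1.3.6.1.4.1.311.2.2.10 is NTLMSSP;
#        a token beginning with 'TlRMTVNT' is raw NTLM sent without SPNEGO.
"netsh trace start capture=yes tracefile=$env:TEMP\proxy-krb.etl"
"(reproduce in the browser, then)  netsh trace stop"
```

Run it as the user whose browser shows the fallback, because the ticket cache and the WinINET proxy setting are both per-user. The useful distinction it gives you is between "no ticket can be obtained" (steps 1 to 3: bad SPN, duplicate SPN, IP or alias in the proxy setting) and "ticket obtained but not presented" (step 5 succeeds, yet the capture in step 6 shows an NTLMSSP token), which is where the thread's symptom sits.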
Expert Comment (LVL 63)
ID: 39979432
I know that throwing a link is not as good, but I saw this setup on CentOS and the steps it attempts to verify at each stage to move forward; I thought it might turn up some leads. Previously I have tried this with another proxy, though not squid, and the keytab was my issue: I needed to delete/re-create the account in Windows Server and import the generated keytab into the proxy again.

...in particular I needed to use something like this (especially the "@"):
 /princ host/
Author Comment (LVL 54)
ID: 39979729

It seems as though you missed a line: it works everywhere but on the production machine.
Something is broken at that machine, and I'm looking for a way to debug this. :)
Expert Comment (LVL 63)
ID: 39979755
Noted, thanks. There is a Kerberos and LDAP Troubleshooting Tips document from Microsoft on possible and common symptoms and where to look (at least to rule out the "common" ones); in the past, things such as DNS configuration and close synchronisation of computer clocks have been missed.

I also suspect there may be something specific to 2012 R2 in production; it is new to me. The Kerberos information on 2012 highlights some new logs/metrics (e.g. KDC events, the KDC operational log and Kerberos performance counters, at the bottom of the page linked).

The new "Warning events for large Kerberos tickets" KDC administrative template policy setting enables you to control the system warning events that are logged by a KDC when tickets issued during Kerberos authentication are close to or greater than a configured threshold size. The ticket size warnings are Event ID 31 in the System log.

Author Comment (LVL 54)
ID: 39980121
We have a test system with 2012 R2 configured exactly the same, and there it works without problems. The troubleshooting guide offers no hints on real logging. The event logs are clean, by the way. We would just like to get any hint on why the browsers don't request HTTP Kerberos tickets but only NTLM. If we don't find it, we would need to reinstall that server.

The server has no other problems; it would be a real pity.

I think we will have to start a sniffer; we haven't resorted to this last option yet.

To describe the simple setup again for others: we set up squid as described. At the server, the internet connection settings point to the squid proxy. As long as we don't enable NTLM auth (Kerberos only), we cannot surf ("access denied"). On other systems (any other), it works with Kerberos.
Expert Comment (LVL 63)
ID: 39980657
Indeed, we also cannot rule out redoing it on a new server, which is what the user in this posting did to get it working after a slew of troubleshooting steps. It may be worth looking at what the user did.

There are steps and tools, and sniffing the browser is also essential to check the authentication, including the TGS-REQ request and TGS-REP response. It may be good to force Kerberos only so the log reflects only the failing traffic. It will also be good to clear the cached tickets and log in to the machine again.

I believe squid's krb5.conf has something similar for capturing messages:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
Accepted Solution (LVL 54)
McKnife earned 0 total points
ID: 39993568

All linked diagnostic tools worked. Unfortunately, none of those could reveal for what reason it does not work with browsers. We'll live with NTLM and see if we'll reinstall it someday to be able to use kerberos.
Expert Comment (LVL 63)
ID: 39993752
Thanks for sharing.
Author Closing Comment (LVL 54)
ID: 40001123
Could not find a reason nor proper diagnostics. Closing, thanks.
