Kerberos proxy authentication falls back to NTLM

Hi experts,

I have a rather complicated problem which I am trying to debug.
We are using a proxy server (squid) for user authentication. We are trying to use Kerberos authentication and it works on our test systems without any problems.

On the production machine however, it fails and always falls back to NTLM authentication (on all browsers). We could find out that the system does not even try to use Kerberos.
The production machine is a Windows Server 2012 R2. If we look at the output of klist, we see no tickets for HTTP/Proxy.domain. However, we can successfully obtain the tickets using klist get HTTP/Proxy.domain - but that ticket will not be used afterwards.

What we are looking for, is a way to debug this. Enabling LSA/Kerberos-Logging (setting SPMInfoLevel) did not reveal anything useful.

squid/3.3.8 @openSuSe 13.1 (x64), using the built-in Kerberos authentication helper, the Proxy Server is domain-joined, SPN is set correctly.
McKnife (Author) Commented:

All linked diagnostic tools worked. Unfortunately, none of those could reveal for what reason it does not work with browsers. We'll live with NTLM and see if we'll reinstall it someday to be able to use Kerberos.
btan (Exec Consultant) Commented:
I know that throwing a link will not be as good, but I saw this setup on CentOS and the steps it attempts to verify at each stage to move forward. I thought it might offer some leads if possible. Previously I have tried with other proxies, though not Squid, and the keytab was my issue: I needed to delete/re-create the account in Windows Server and import the generated keytab into the proxy again.

...particularly I need to use something of such (esp the "@")
 /princ host/
McKnife (Author) Commented:

It seems as though you missed a line: it works everywhere but on the production machine.
Something is broken at that machine, and I'm looking for a way to debug this. :)

btan (Exec Consultant) Commented:
Noted, thanks. There is a Kerberos and LDAP Troubleshooting Tips guide from Microsoft on possible and common symptoms and where to look (at least to isolate the "common" ones) - in the past, there have been misses such as DNS configuration and near-synchronisation of computer clocks.

I am also suspecting that there is something in prod 2012 R2; it is new to me. The Kerberos info on 2012 highlights some new logs/metrics (e.g. KDC events, the KDC operational log and Kerberos performance counters - at the bottom of that linked page).

The new Warning events for large Kerberos tickets KDC administrative template policy setting enables you to control the system warning events that are logged by a KDC when tickets issued during Kerberos authentication are close to or greater than a configured threshold value size. The ticket size warnings are Event ID 31 in the System log.
McKnife (Author) Commented:
We have a test system with 2012 R2 configured exactly the same and there, it works without problems. The troubleshooting guide offers no hints on real logging. The event logs are clean, by the way. We would just like to get any hint on why the browsers don't request HTTP Kerberos tickets but only NTLM. If we don't find it, we would need to reinstall that server.

The server has no other problems, it would be a real pity.

I think we will have to start a sniffer, we haven't resorted to this last option, yet.

For others, to describe the simple setup again: we set up squid as described. At the server, the internet connection settings point to the squid proxy. As long as we don't enable NTLM auth (but only Kerberos), we cannot surf ("access denied"). On other systems (any other), it works with Kerberos.
btan (Exec Consultant) Commented:
Indeed, we also do not avoid redoing the server on a new machine, which is what the user in this posting did to get it working after a slew of troubleshooting steps. It may be worth looking at what the user did.

There are steps and tools, and sniffing the browser is also essential to check the auth TGS-REQ request and TGS-REP response. It may be good to force the Kerberos check only, so the log reflects only the failure traffic. It will also be good to clear the cached ticket and re-login the machine.

I believe the squid host's krb5.conf has something similar for trapping messages:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
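A client-side pre-check for the symptom in the question (no HTTP/Proxy.domain ticket in klist, NTLM fallback) and for the suggestion above to clear the cache and compare cached tickets. This is an added PowerShell example, not code from either poster; the proxy FQDN is a placeholder, and it relies only on standard Windows pieces (the WinINET ProxyServer and IE EnableNegotiate registry values, klist, setspn and Resolve-DnsName).

```powershell
# Added diagnostic example (not from the original thread). Compares the proxy
# host the client is configured to use with the SPN the browser must request,
# checks the client-side prerequisites for Negotiate, and reports whether a
# matching service ticket appears in this logon session's Kerberos cache.
# Assumes a per-user (WinINET) proxy setting and an SPN of the form HTTP/<host>.

param(
    # Hostname as it appears in the SPN. Placeholder: substitute your own FQDN.
    [string]$ExpectedHost = 'proxy.example.invalid'
)

# 1. Proxy name actually configured for this user (what the browser will use).
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyHost = ($ie.ProxyServer -split ';' |
              Where-Object { $_ -notmatch '=' -or $_ -like 'http=*' } |
              Select-Object -First 1) -replace '^http=', '' -replace ':\d+$', ''
"Configured proxy host : $proxyHost"

# A proxy given as an IP address, or under a name other than the SPN host, will
# never produce an HTTP/<SPN> ticket; the client then negotiates NTLM instead.
if ($proxyHost -as [ipaddress]) {
    "WARNING: proxy configured by IP address; Kerberos needs the SPN host name"
} elseif ($proxyHost -and $proxyHost -ne $ExpectedHost) {
    "WARNING: proxy name '$proxyHost' differs from SPN host '$ExpectedHost'"
}

# 2. Integrated Windows Authentication must be enabled, or IE/WinINET never
#    offers Negotiate (Kerberos) and falls straight back to NTLM.
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main.EnableNegotiate -eq 0) { "WARNING: EnableNegotiate is 0 (Integrated Windows Authentication off)" }

# 3. Does the name resolve, and is the SPN registered (setspn -Q reports duplicates too)?
Resolve-DnsName $ExpectedHost -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
setspn -Q "HTTP/$ExpectedHost"

# 4. Look for a cached service ticket for the proxy SPN in this logon session.
$tickets = (klist) -join "`n"
if ($tickets -match "(?i)HTTP/$([regex]::Escape($ExpectedHost))") {
    "Ticket for HTTP/$ExpectedHost is cached"
} else {
    "No cached ticket for HTTP/$ExpectedHost: run 'klist purge', reload the page in the browser, re-run this check"
}
```

Run it in the same logon session the browser uses; a ticket obtained manually with klist get in a different session or as a different user will not show up here.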
btan (Exec Consultant) Commented:
thanks for sharing
McKnife (Author) Commented:
Could not find a reason nor proper diagnostics. Closing, thanks.