Kerberos proxy authentication falls back to NTLM
Posted on 2014-04-04
I have a rather complicated problem which I am trying to debug.
We are using a proxy server (squid) for user authentication. We are trying to use Kerberos authentication and it works on our test systems without any problems.
On the production machine, however, it fails and always falls back to NTLM authentication (on all browsers). We could find out that the system does not even try to use Kerberos.
The production machine is a Windows Server 2012 R2. If we look at the output of klist, we see no tickets for HTTP/Proxy.domain. However, we can successfully obtain the tickets using klist get HTTP/Proxy.domain - but that ticket will not be used afterwards.
What we are looking for is a way to debug this. Enabling LSA/Kerberos-Logging (setting SPMInfoLevel) did not reveal anything useful.
squid/3.3.8 @openSUSE 13.1 (x64), using the built-in Kerberos authentication helper, the Proxy Server is domain-joined, SPN is set correctly.