Solved

Kerberos proxy authentication falls back to NTLM

Posted on 2014-04-04
1,286 Views
Last Modified: 2014-04-15
Hi experts,

I have a rather complicated problem which I am trying to debug.
We are using a proxy server (squid) for user authentication. We are trying to use Kerberos authentication and it works on our test systems without any problems.

On the production machine however, it fails and always falls back to NTLM authentication (on all browsers). We could find out that the system does not even try to use Kerberos.
The production machine is a Windows Server 2012 R2. If we look at the output of klist, we see no tickets for HTTP/Proxy.domain. However, we can successfully obtain the tickets using klist get HTTP/Proxy.domain - but that ticket will not be used afterwards.

What we are looking for is a way to debug this. Enabling LSA/Kerberos logging (setting SPMInfoLevel) did not reveal anything useful.

Systems:
squid/3.3.8 @ openSUSE 13.1 (x64), using the built-in Kerberos authentication helper; the proxy server is domain-joined and the SPN is set correctly.
Question by:McKnife
8 Comments
 
LVL 61

Expert Comment

by:btan
I know that throwing a link will not be as good, but I saw this setup on CentOS and the steps it attempts to verify at each stage to move forward. I thought it might tinker out some leads if possible. Previously I have tried this with another proxy, though not squid, and the keytab was my issue: I needed to delete/re-create the account in Windows Server and import the generated keytab into the proxy again.

...in particular I needed to use something like the following (esp. the "@"):
 /princ host/Sample1.contoso.com@CONTOSO.COM
 /ptype KRB5_NT_PRINCIPAL
LVL 53

Author Comment

by:McKnife
Hi.

It seems as though you missed a line: it works everywhere but on the production machine.
Something is broken at that machine, and I'm looking for a way to debug this. :)
LVL 61

Expert Comment

by:btan
Noted, thanks. There is a "Kerberos and LDAP Troubleshooting Tips" page from Microsoft on possible and common symptoms and where to look (at least to isolate the "common" ones); in the past there have been misses such as DNS configuration and near-synchronisation of computer clocks.

I am also suspecting there is something in the production 2012 R2; it is new to me. The Kerberos info on 2012 highlights some new logs/metrics (e.g. KDC events, the KDC operational log and Kerberos performance counters, at the bottom of that linked page).

The new Warning events for large Kerberos tickets KDC administrative template policy setting enables you to control the system warning events that are logged by a KDC when tickets issued during Kerberos authentication are close to or greater than a configured threshold value size. The ticket size warnings are Event ID 31 in the System log.
LVL 53

Author Comment

by:McKnife
We have a test system with 2012 R2 configured exactly the same, and there it works without problems. The troubleshooting guide offers no hints on real logging. The event logs are clean, by the way. We would just like to get any hint on why the browsers don't request HTTP Kerberos tickets but only NTLM. If we don't find it, we would need to reinstall that server.

The server has no other problems, it would be a real pity.

I think we will have to start a sniffer, we haven't resorted to this last option, yet.

For others, to describe the simple setup again: we set up squid as described. At the server, the internet connection settings point to the squid proxy. As long as we don't enable NTLM auth. (but Kerberos), we cannot surf ("access denied"). On other systems (any other), it works with Kerberos.
LVL 61

Expert Comment

by:btan
Indeed, we also did not avoid the redo on a new server, which is what the user in this posting did to get it working after a slew of troubleshooting steps. Maybe it is worth looking at what that user did.

There are steps and tools, and sniffing the browser is also essential to check the auth, TGS-REQ request and TGS-REP response included. It may be good to force the Kerberos check only so the log reflects only the failure traffic. It will be good to clear the cached tickets and re-login to the machine.

I believe squid's krb5.conf has something similar for trapping messages:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
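As an added illustration of the sniffing step above (this is not code from the thread or from squid): once you have captured the browser's Proxy-Authorization header, this snippet decodes the Negotiate token and tells whether it really carries Kerberos or an NTLM fallback, which is the question the asker has. The sample headers are constructed for the example, not captured from the asker's systems.

```python
import base64

# DER value bytes of the OIDs that identify a GSS mechanism (RFC 4178 / MS-SPNG)
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2         SPNEGO
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2  Kerberos v5
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2   MS Kerberos
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 NTLMSSP

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV builder (short-form length only; enough for the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_oid(value: bytes) -> bytes:
    return der_tlv(0x06, value)

def classify_negotiate_token(header_value: str) -> str:
    """Classify 'Negotiate <base64>' (or bare base64) from a Proxy-Authorization header.
    Returns 'ntlm', 'spnego-ntlm', 'spnego-kerberos', 'kerberos', 'spnego-unknown' or 'unknown'."""
    parts = header_value.split(None, 1)
    if parts and parts[0].lower() == "negotiate":
        parts = parts[1:]
    if not parts:
        return "unknown"
    try:
        blob = base64.b64decode(parts[0], validate=True)
    except ValueError:
        return "unknown"
    if blob.startswith(b"NTLMSSP\x00"):          # bare NTLM message, no GSS wrapper at all
        return "ntlm"
    if not blob.startswith(b"\x60"):             # GSS InitialContextToken is [APPLICATION 0]
        return "unknown"
    if der_oid(KRB5_OID) in blob[:16]:           # raw Kerberos AP-REQ, no SPNEGO
        return "kerberos"
    if der_oid(SPNEGO_OID) not in blob[:16]:
        return "unknown"
    # NegTokenInit lists mechTypes in preference order; the first is what mechToken carries
    candidates = [(blob.find(der_oid(oid)), name)
                  for name, oids in (("spnego-kerberos", (KRB5_OID, MS_KRB5_OID)),
                                     ("spnego-ntlm", (NTLMSSP_OID,)))
                  for oid in oids if der_oid(oid) in blob]
    return min(candidates)[1] if candidates else "spnego-unknown"

def build_sample_tokens() -> dict:
    """Constructed headers: the Kerberos case (test systems) and the NTLM fallback (production)."""
    def spnego(mech_oids, inner):
        mech_types = der_tlv(0xA0, der_tlv(0x30, b"".join(der_oid(o) for o in mech_oids)))
        mech_token = der_tlv(0xA2, der_tlv(0x04, inner))
        init = der_tlv(0xA0, der_tlv(0x30, mech_types + mech_token))
        return "Negotiate " + base64.b64encode(der_tlv(0x60, der_oid(SPNEGO_OID) + init)).decode()
    return {"kerberos_ok": spnego([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x02\x06\x00"),
            "ntlm_fallback": spnego([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00"),
            "ntlm_bare": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()}
```

A token that classifies as spnego-ntlm or ntlm confirms the client never requested the HTTP/ service ticket, so the cause is on the client side of the exchange rather than in squid's helper.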
LVL 53

Accepted Solution

by:McKnife (earned 0 total points)
Thanks.

All linked diagnostic tools worked. Unfortunately, none of them could reveal the reason it does not work with browsers. We'll live with NTLM and see if we'll reinstall it someday to be able to use Kerberos.
LVL 61

Expert Comment

by:btan
Thanks for sharing.
LVL 53

Author Closing Comment

by:McKnife
Could not find a reason nor proper diagnostics. Closing, thanks.