Solved

Kerberos proxy authentication falls back to NTLM

Posted on 2014-04-04
Last Modified: 2014-04-15
Hi experts,

I have a rather complicated problem which I am trying to debug.
We are using a proxy server (squid) for user authentication. We are trying to use Kerberos authentication and it works on our test systems without any problems.

On the production machine however, it fails and always falls back to NTLM authentication (on all browsers). We could find out that the system does not even try to use Kerberos.
The production machine is a Windows Server 2012 R2. If we look at the output of klist, we see no tickets for HTTP/Proxy.domain. However, we can successfully obtain the tickets using klist get HTTP/Proxy.domain - but that ticket will not be used afterwards.

What we are looking for, is a way to debug this. Enabling LSA/Kerberos-Logging (setting SPMInfoLevel) did not reveal anything useful.

Systems:
squid/3.3.8 @ openSUSE 13.1 (x64), using the built-in Kerberos authentication helper; the proxy server is domain-joined and the SPN is set correctly.
Question by: McKnife
8 Comments
 
LVL 64

Expert Comment

by: btan
ID: 39979432
I know that throwing a link will not be as good, but I saw this setup on CentOS and the steps it attempts to verify at each stage to move forward. I thought it might turn up some leads, if possible. Previously I tried with another proxy (not squid, though), and the keytab was my issue: I needed to delete/re-create the account in Windows Server and import the generated keytab into the proxy again.

...in particular I needed to use something like this (especially the "@"):
 /princ host/Sample1.contoso.com@CONTOSO.COM
 /ptype KRB5_NT_PRINCIPAL
 
LVL 55

Author Comment

by: McKnife
ID: 39979729
Hi.

It seems as though you missed a line: it works everywhere but on the production machine.
Something is broken at that machine, and I'm looking for a way to debug this. :)
 
LVL 64

Expert Comment

by: btan
ID: 39979755
Noted, thanks. There are Kerberos and LDAP Troubleshooting Tips from Microsoft on possible and common symptoms and where to look (at least to isolate the "common" ones). In the past, things such as DNS configuration and near-synchronisation of computer clocks have been missed.

I also suspect there may be something in prod 2012 R2; it is new to me. The Kerberos info on 2012 highlights some new logs/metrics (e.g. KDC events, the KDC operational log and Kerberos performance counters, at the bottom of that linked page).

The new Warning events for large Kerberos tickets KDC administrative template policy setting enables you to control the system warning events that are logged by a KDC when tickets issued during Kerberos authentication are close to or greater than a configured threshold value size. The ticket size warnings are Event ID 31 in the System log.

 
LVL 55

Author Comment

by: McKnife
ID: 39980121
We have a test system with 2012 R2 configured exactly the same, and there it works without problems. The troubleshooting guide offers no hints on real logging. The event logs are clean, by the way. We would just like to get any hint on why the browsers don't request HTTP Kerberos tickets but only NTLM. If we don't find it, we would need to reinstall that server.

The server has no other problems, it would be a real pity.

I think we will have to start a sniffer, we haven't resorted to this last option, yet.

For others, again, to describe the simple setup: we set up squid as described. At the server, the internet connection settings point to the squid proxy. As long as we don't enable NTLM auth. (but Kerberos), we cannot surf ("access denied"). On other systems (any other), it works with Kerberos.
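The sniffer McKnife mentions above shows the browser's Proxy-Authorization header, and the following added example (not code from this thread) shows how to read it: the SPNEGO mechTypes list is preference-ordered and the mechToken belongs to its first entry, so the earliest mechanism OID in the token tells you whether the client really offered Kerberos or had already fallen back to NTLM. The host labels, the small DER helper and the placeholder mechTokens are constructed for illustration.

```python
import base64
# DER encodings of the GSS mechanism OIDs that appear in a SPNEGO mechTypes list.
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECHS = {
    "Kerberos (MS KRB5)": bytes.fromhex("06092a864882f712010202"),   # 1.2.840.48018.1.2.2
    "Kerberos (RFC 4120)": bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),            # 1.3.6.1.4.1.311.2.2.10
}

def classify_proxy_auth(header_value):
    """Name the mechanism a client really used in one Proxy-Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM (raw)"
    if scheme.lower() != "negotiate":
        return "other: " + scheme
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:
        return "undecodable"
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP in Negotiate)"
    # mechTypes is ordered by preference and the mechToken belongs to its first entry,
    # so the earliest mech OID in the token is what the client actually offered.
    hits = {name: token.find(oid) for name, oid in MECHS.items() if oid in token}
    return min(hits, key=hits.get) if hits else "unknown"

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample tokens."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def spnego_init(mech_names, mech_token):
    """Build a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit."""
    mech_types = der(0x30, b"".join(MECHS[m] for m in mech_names))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, SPNEGO_OID + der(0xA0, neg_init))

def header(scheme, token):
    """Render a token as the header value a sniffer would show."""
    return scheme + " " + base64.b64encode(token).decode("ascii")

# Constructed headers standing in for sniffer output (not real captures); the
# mechTokens are placeholders for a real AP-REQ or NTLMSSP NEGOTIATE message.
SAMPLE_HEADERS = {
    "test-client": header("Negotiate", spnego_init(
        ["Kerberos (MS KRB5)", "Kerberos (RFC 4120)", "NTLMSSP"], b"AP-REQ-PLACEHOLDER")),
    "prod-server": header("Negotiate", spnego_init(["NTLMSSP"], b"NTLMSSP\x00\x01\x00\x00\x00")),
}
```

A "Negotiate" header whose token lists only NTLMSSP means the client never attempted Kerberos for that SPN, which matches the symptom of no HTTP/Proxy.domain ticket in klist.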
 
LVL 64

Expert Comment

by: btan
ID: 39980657
Indeed, we also cannot avoid redoing it on a new server, which is what the user in this posting did to get it working after a string of troubleshooting steps. Maybe worth looking at what the user did.

There are steps and tools, and sniffing the browser is also essential to check auth, TGS-REQ request and TGS-REP response included. It may be good to force the Kerberos check only so the log reflects only the failure traffic. It will also be good to clear the cached ticket and re-login to the machine.

I believe squid's krb5.conf has something similar for trapping messages:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
LVL 55

Accepted Solution

by: McKnife (earned 0 total points)
ID: 39993568
Thanks.

All linked diagnostic tools worked. Unfortunately, none of those could reveal for what reason it does not work with browsers. We'll live with NTLM and see if we'll reinstall it someday to be able to use Kerberos.
 
LVL 64

Expert Comment

by: btan
ID: 39993752
Thanks for sharing.
 
LVL 55

Author Closing Comment

by: McKnife
ID: 40001123
Could not find a reason nor proper diagnostics. Closing, thanks.