Issue with web proxy with authentication

NethServer Version: 7.9.2009
Module: Web Proxy & Filter

Hello, I’ve got a problem with Web Proxy & Filter configuration. I’ve tried to look for similar topics but nothing solves my issue :frowning:

Because of a server hardware failure I was forced to reinstall everything, so I decided to install the newest version of NethServer. Previously I was using an older one, probably 7.7.

There I had configured AD Server, DNS, DHCP and Web Proxy on a single server. I wanted to do it the same way now.
AD, DNS, DHCP are working correctly, so the next step was to enable the proxy with whitelisting of some domains only.

Unfortunately I cannot configure the web proxy.
The proxy is enabled, in “authenticated” mode for Green and Trusted networks. I also tried with Blue, but I don’t have a Blue network configured.
Browsers (Edge, Chrome) are continuously asking for credentials (I am logged in to the Windows PC as an AD user) and these browsers cannot authenticate in squid.
In /var/log/squid/cache.log I can see:
2021/03/28 18:20:09| negotiate_kerberos_auth: INFO: User not authenticated
2021/03/28 18:20:09 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching HTTP/router.xxx.local@; }}

When using Firefox I can authenticate (but I have to do it once, credentials are not taken from AD/Kerberos).
I have tried everything on the client PC:

  • Manual setting DNS
  • Manual setting of proxy configuration (with FQDN as proxy address)
  • Manual setting of /var/www/html/wpad.dat file on the Nethserver
  • Restarting Nethserver
  • Restarting Windows client
  • Testing on Windows 10/7
  • Creation of new AD users, double-checking passwords…
  • I’ve also tried different DNS names used by NethServer: router.ad.xxx.local, router.xxx.local, wpad.ad.xxx.local, ad.xxx.local

Maybe someone has had a similar issue with Web Proxy? Please help :slight_smile:

Hi @Maciej_Bursztynowski
Welcome to the community.
Could you please try to edit your host file like here:
http://blog.pre-system.de/2017/04/04/kerberos-authentication-error-in-cache-log-on-squid-server/

Also you should have a look here:

Hello @m.traeumner

Thanks for the hint, but as far as I can see it is there by default in this NethServer:
192.168.1.1 router.xxx.local router wpad.xxx.local proxy.xxx.local router.ad.xxx.local

so it wouldn’t help here :frowning:

Does the wpad.dat contain the IP instead of the FQDN? This one may be of help:

I am sorry for the long silence, but coronavirus got me.
The wpad.dat file was created with the IP, then I switched to the FQDN. That didn’t help either :frowning:

I hope you’re well again…

Did you try to authenticate with username@ad.domain ?

Hello

Thanks, I’m fine. I’m still having this issue. Right now I’m investigating squid log files and I can see something like this:

2021/04/26 01:16:04 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No key table entry found matching HTTP/router.xxx.local@; }}

To me it looks like some issue with Kerberos/AD authentication, but my knowledge is too narrow :confused:

BTW, I’ve installed an old NethServer 7.6 as a proxy server and I was able to configure it without any issues. Works like a charm.
If I have some time I’ll compare the config files for squid, Kerberos etc. between NethServer 7.9 and 7.6.

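For readers hitting the same cache.log error, an added example (not part of any post in this thread, and not NethServer's own tooling): it extracts the service principal named in the `No key table entry found matching` message and compares it with the principals that plain `klist -k` lists for the keytab Squid's Negotiate helper reads. The log line is the one quoted above; the `klist -k` output, keytab path and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# Log line as quoted in the thread (hostnames already redacted by the poster).
CACHE_LOG = (
    "2021/04/26 01:16:04 kid1| ERROR: Negotiate Authentication validating user. "
    "Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS "
    "failure.  Minor code may provide more information. No key table entry found "
    "matching HTTP/router.xxx.local@; }}\n"
)

# CONSTRUCTED sample of plain `klist -k <keytab>` output; path and realm are placeholders.
KLIST_OUTPUT = """\
Keytab name: FILE:/path/to/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/router.ad.xxx.local@AD.XXX.LOCAL
   2 host/router.ad.xxx.local@AD.XXX.LOCAL
"""

MISSING_RE = re.compile(r"No key table entry found matching (\S+?)/([^@\s;]+)@([^;\s]*)")
ENTRY_RE = re.compile(r"^\s*\d+\s+(\S+?)/([^@\s]+)@(\S+)")

def missing_spns(log_text):
    """(service, host, realm) tuples the helper looked for; realm may be empty."""
    return {m.groups() for m in MISSING_RE.finditer(log_text)}

def keytab_entries(klist_text):
    """(service, host, realm) tuples parsed from the KVNO/Principal rows."""
    matches = (ENTRY_RE.match(line) for line in klist_text.splitlines())
    return {m.groups() for m in matches if m}

def diagnose(log_text, klist_text):
    """For each principal the log says is missing, show what the keytab holds instead."""
    entries = keytab_entries(klist_text)
    report = []
    for service, host, realm in sorted(missing_spns(log_text)):
        exact = any(
            s == service and h.lower() == host.lower() and (not realm or r == realm)
            for s, h, r in entries
        )
        # Entries for the same service under another hostname point to a name mismatch.
        others = sorted(f"{s}/{h}@{r}" for s, h, r in entries if s == service)
        report.append({"requested": f"{service}/{host}", "in_keytab": exact,
                       "same_service_entries": others})
    return report

if __name__ == "__main__":
    for row in diagnose(CACHE_LOG, KLIST_OUTPUT):
        print(row)
```

When `in_keytab` is false but `same_service_entries` is not empty, the name clients use for the proxy differs from the name the keytab was created for.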

Could you please upload a (redacted) copy of the config? I'm having the same issue.