Squid + Kerberos authentication

If you have had trouble getting Squid transparently authenticate your Windows users from an Active Directory source using Kerberos, getting error messages such as:

ERROR: Negotiate Authentication validating user. Error returned ‘BH received type 1 NTLM token’

… check your client configuration!

You have probably used the IP address of the proxy in your browser (IE, Chrome) configuration.

Due to security restrictions aimed at avoiding various ticket passing attacks, IE (and actually probably the WinHTTP API itself) will not pass Kerberos tokens to a proxy that is not within the local intranet zone. By default, sites accessed using their IP addresses are not considered part of the local intranet zone. Consequently, IE will not pass Kerberos authentication to them. The same applies to the proxy settings.

The fix is simple: instead of specifying the proxy by its IP address in your browser settings, use the hostname or AD FQDN of your proxy.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.