RE: [squid-users] Kerberos TCP/DENIED 407

From: JC Putter <jcputter_at_numata.co.za>
Date: Thu, 8 Mar 2012 12:07:26 +0000

Amos,

Thank you for the reply.

Sorry, I meant 3.0 STABLE 19. The Zimbra Desktop client connects via port 443 and I have the standard ACL:

http_access deny !Safe_ports
http_access deny !SSL_ports

However, when I change the ACL to (very insecure)

http_access allow CONNECT (without the exception of !SSL_ports) the Zimbra client connects...

Not too sure if my ACL is incorrect or if I need to add additional ports in the ACL; however, according to Zimbra, 443 is the only one required.

I ran a Wireshark trace and I can confirm that the proxy offers all configured authentication schemes and the client responds with a Kerberos ticket.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: 08 March 2012 01:55 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Kerberos TCP/DENIED 407

On 8/03/2012 9:17 p.m., JC Putter wrote:
> Hi
>
> I followed
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> I can see in the cache.log that the client is authenticating with a Kerberos ticket; however, for every connection I get a TCP/DENIED 407 and then the connection is made. Is this not what NTLM does? I thought that with Kerberos this does not happen?

One 407 is normal for all HTTP authentications. NTLM requires two.

> I have a very strange issue: we are using Zimbra Desktop client and with the proxy settings the Zimbra Desktop client fails to connect.
>
> TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/- text/html
>
> but with all the other browsers (IE, FF, Chrome) everything works, but the log is full of TCP/DENIED 407.
>
> Any help should be appreciated
>
> SQUID3 Stable19
>

I assume you mean 3.1.19 and not 3.0.STABLE19 ?

CONNECT + auth should not have been a problem since 3.1.15. Is that desktop client app sending the credentials ticket?

Amos
Received on Thu Mar 08 2012 - 12:07:56 MST
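
One way to tell the normal challenge round-trips described in this thread (one 407 per authenticated request, two with NTLM) from a client that never completes authentication, as an added example that is not part of the original messages. It assumes Squid's native access.log format; the sample lines, addresses and user names are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1331208446.101      1 192.0.2.15 TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/- text/html
1331208447.300      1 192.0.2.15 TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/- text/html
1331208450.000      1 192.0.2.20 TCP_DENIED/407 2101 GET http://www.example.com/ - NONE/- text/html
1331208450.060    118 192.0.2.20 TCP_MISS/200 5120 GET http://www.example.com/ user1 DIRECT/198.51.100.10 text/html
1331208455.000      1 192.0.2.30 TCP_DENIED/407 2101 GET http://www.example.com/ - NONE/- text/html
1331208455.020      1 192.0.2.30 TCP_DENIED/407 2250 GET http://www.example.com/ - NONE/- text/html
1331208455.090    101 192.0.2.30 TCP_MISS/200 5120 GET http://www.example.com/ user2 DIRECT/198.51.100.10 text/html
"""

def parse_line(line):
    """Return (client, status, method, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    try:
        status = int(fields[3].split("/", 1)[1])
    except ValueError:
        return None
    return fields[2], status, fields[5], fields[6]

def auth_report(log_text):
    """Count 407 challenges and non-407 responses per (client, method, url)."""
    stats = defaultdict(lambda: {"challenges": 0, "completed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, status, method, url = rec
        # Any non-407 reply means the request got past the auth challenge,
        # even if a later ACL then denied it with another status.
        bucket = "challenges" if status == 407 else "completed"
        stats[(client, method, url)][bucket] += 1
    return dict(stats)

def never_authenticated(log_text):
    """Requests that were challenged but never got a non-407 response."""
    return sorted(key for key, v in auth_report(log_text).items()
                  if v["challenges"] and not v["completed"])

if __name__ == "__main__":
    for key in never_authenticated(SAMPLE_LOG):
        print("challenged, never completed:", *key)
```

Entries with one or two challenges followed by a completed request are expected noise; entries returned by `never_authenticated` are the ones worth a packet trace.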

This archive was generated by hypermail 2.2.0 : Thu Mar 08 2012 - 12:00:02 MST