0 Replies Latest reply on Sep 10, 2015 2:42 AM by sbrinkhoff

    Kerberos and HTTPS Sessions

    sbrinkhoff

      Hi Community,

       

      we just updated the mwg from 7.4 to 7.5 and used the downtimes to implement kerberos auth. Everything is configured as described in the ultimate kerberos guide. Everything works so far, but we have a huge amount of strange and unnecessary log lines when a user opens a HTTP site (we do break up SSL connections!)


      Here is an example:


      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="3237/3237/18874/18913" ua="IE11-6.1" lat="0/0/0/143" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/3" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="893/893/45824/45863" ua="IE11-6.1" lat="0/0/0/141" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="861/861/1398/1437" ua="IE11-6.1" lat="0/0/0/41" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/2" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="861/861/1286/1325" ua="IE11-6.1" lat="0/0/0/42" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="877/877/3014/3053" ua="IE11-6.1" lat="0/0/0/46" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/5" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="861/861/3206/3245" ua="IE11-6.1" lat="0/0/0/50" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/3" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="861/861/3494/3533" ua="IE11-6.1" lat="0/0/0/46" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="893/893/3398/3437" ua="IE11-6.1" lat="0/0/0/95" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/4" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="2113/2113/61322/61361" ua="IE11-6.1" lat="0/0/0/365" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:41 status="407/81" srcip="10.10.10.10" user="-/-" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="216/0/0/3569" ua="IE11-6.1" lat="0/0/0/5" Rules.CurrentRule.Name="Authenticate with User Database" authentication.method="-"
      • 2015-09-09 15:44:41 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="2651/2651/111651/111690" ua="IE11-6.1" lat="0/0/0/740" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:42 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="893/893/16470/16509" ua="IE11-6.1" lat="0/0/0/433" Rules.CurrentRule.Name="" authentication.method="Kerberos"
      • 2015-09-09 15:44:42 status="200/0" srcip="10.10.10.10" user="auth.realm/auth.username" dhost="www.travelland.de" urlp="443" proto="HTTP/https" mtd="CONNECT" url="https://www.travelland.de" urlcategory="Travel" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="2795/2795/138776/138815" ua="IE11-6.1" lat="0/0/0/707" Rules.CurrentRule.Name="" authentication.method="Kerberos"

       

      We ran over this because the "Rules.CurrentRule.Name" Variable were empty in an unusual amount of log lines. I could not figure out what is going on here and why there are so much "Status 407" Return codes. Is there a problem caching authentication credentials in https sessions or something?

      Perhaps someone has an idea how to get rid of all that extra log lines.

       

      Thanks in advance