"Extra Fu" <extrafu@xxxxxxxxx> wrote in message
news:11be40100911281444x673710b7w26a337d24549660@xxxxxxxxxxxxxxxxx
Hello,
I'm considering dropping the use of NTLM in favor of Kerberos
(auth_param negotiate) to authenticate users against my AD 2003
server. To do this, I would like to use the squid_kerb_auth program.
Prior starting my work on this, I was wondering what would happen for
users not currently logged in on my domain controller (ie., users not
having a valid Kerberos ticket) - for example, users at home or Mac OS
X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
seems to support Kerberos authentication to a Squid proxy but for
clients, it's not clear to me (after reading RFC4559) what will happen
if no ticket is present when the user goes through the Squid proxy.
Will it just fail?
On a Windows machine which is not part of the AD domain you will get
prompted for username password and if you have provided a WINS server the
client will determine the AD server to authenticate the username/password
against. In theory Firefox could do the same - use the username/password
and do a kinit for the user, but I haven't seen that Firefox prompts the
user.
Thanks for any light you can shine on this.
Best regards,
Regards
Markus
