Hi All,

We have two squid proxies running the same config. I want to implement a round robin DNS solution, so that the browser points to one hostname entry and is directed to one of the two servers.

Before that I've fully configured the squid proxy server so that it works with squid_kerb_auth and squid_kerb_ldap. It works fine, but when I enabled round robin DNS, I noticed that users weren't being authenticated by Kerberos; instead it tried to use NTLM, which also failed, and eventually they get a login box (basic).

I'm guessing that the browser parses the DNS entry which is configured as proxy to squid_kerb_auth, which then tries to use that principal name to authenticate? Because it's 1 DNS entry for two hostnames I can't give them both that hostname, right? Is there another way to configure this?

Relevant Squid Configuration:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s host/proxy1.example.com@xxxxxxxxxxx
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Proxy 2 has the same config, apart from the -s option for squid_kerb_auth which is proxy2.example.com@xxxxxxxxxxx

Also even if I don't provide a service principal name, it doesn't work (also with HTTP principals).

When I start a browser which points to the round robin DNS fqdn (centralproxy.example.com) and go to which server it's being diverted to, I can see this in the logs:

2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid (length: 59).
2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded length: 40).
2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/03/23 14:24:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

If I change the browser to point directly to that proxy server, it works like a charm.

Is there a way to fix this? Can round robin DNS be used with squid_kerb_auth?

Thanks for your time.

Regards,
Essad
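
Added example, not part of the original post: a short Python check that decodes the blob squid_kerb_auth logged after 'YR' and reports whether it is a raw NTLMSSP message or a GSS-API token naming SPNEGO or Kerberos 5. The function names and the second sample token are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs found at the start of a GSS-API initial token
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}

def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate_token(b64_token):
    """Classify the base64 blob from a Negotiate header or a helper 'YR' line."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return {"kind": "invalid", "detail": "not valid base64"}
    if raw.startswith(NTLMSSP_SIG):
        if len(raw) < 12:
            return {"kind": "invalid", "detail": "truncated NTLMSSP message"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        info = {"kind": "NTLM", "type": msg_type}
        if msg_type == 1 and len(raw) >= 16:
            (info["flags"],) = struct.unpack_from("<I", raw, 12)
        return info
    # GSS-API framing: [APPLICATION 0] tag 0x60, DER length, then an OID (0x06)
    if len(raw) > 4 and raw[0] == 0x60:
        pos = _skip_der_length(raw, 1)
        if pos + 2 <= len(raw) and raw[pos] == 0x06:
            oid = raw[pos + 2 : pos + 2 + raw[pos + 1]]
            return {"kind": "GSS-API", "mech": MECH_OIDS.get(oid, "unknown")}
    return {"kind": "unknown", "detail": "neither NTLMSSP nor GSS-API framing"}

# Token copied from the squid_kerb_auth debug line in the post
POST_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="
# Constructed sample: a bare GSS-API header naming the SPNEGO mechanism
SPNEGO_SAMPLE = base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()

if __name__ == "__main__":
    print(classify_negotiate_token(POST_TOKEN))
    print(classify_negotiate_token(SPNEGO_SAMPLE))
```
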