Hi,
Good to hear. BTW you need to do a bit more if you use other Browsers
than IE. It works with IE because IE does not do a canonicalization of the
proxyname i.e. gethostbaddr(gethostbyname(proxyname))) to create the
Kerberos token. So independent of the resolved IP it is HTTP/proxyname.
If canonicalization is done it would be HTTP/realname-1 and HTTP/realname-2
and you have to create three AD entries:
1) for proxyname
2) for realname-1
3) for realname-2
The three keytabs can be merged with tools like ktutil and the merged keytab
need to be installed on the 2 proxies plus you need to use -s GSS_C_NO_NAME.
Regards
Markus
"Emmanuel Lacour" <elacour@xxxxxxxxxxxxxxx> wrote in message
news:20110909150149.GF2669@xxxxxxxxxxxxxxx...
On Fri, Sep 09, 2011 at 03:42:21PM +0100, Markus Moeller wrote:
You need to create one AD entry for proxy.domain.tld and copy the
same keytab to both squid servers and use the -s GSS_C_NO_NAME
option for squid_kerb_auth or negotiate_kerberos_auth.
at a first glance, it seems to works like a charm, many thanks :)
