On 30/05/2012 8:13 p.m., James Mackie wrote:
Hi all,
I would like to be able to specify in the Proxy-Authenticate challenge header, which SPN (or targetname) I would like the browser to request a ticket for.
After doing some searching I found a document on the MSDN site that seems to indicate you can specify it for the 'Kerberos' auth mechanism (http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)
"Authentication is enabled at the outbound server, and it challenges Alice's client. The server indicates support for NTLM and Kerberos in the challenge.
SIP/2.0 407 Proxy Authentication Required
Notice this is the SIP/2.0 protocol. Squid is an HTTP proxy. There is no
RFC specification for use of Kerberos scheme name within HTTP.
Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK7
From: "Alice"<sip:Alice@xxxxxxxxxxx>;tag=354354535;epid=6534555
To: "Alice"<sip:Alice@xxxxxxxxxxx>;tag=5564566
Call-ID: 123213@xxxxxxxxxxxxxxxxxx
CSeq: 12345 REGISTER
Date: Sat, 13 Nov 2010 23:29:00 GMT
Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider",
targetname="sip/hs1.contoso.com", qop="auth"
Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider",
targetname="hs1.contoso.com", qop="auth"
Content-Length: 0
The targetname parameter carries the SPN for this proxy for Kerberos and the FQDN of the proxy for NTLM. The actual contents of this parameter must be meaningful for this proxy but are opaque to other proxies and the client. It is merely a unique string for correlation of the message header to an SA. Two Proxy-Authenticate: headers are present, indicating the server's capability to do one of Kerberos or NTLM. "
I was wondering if anyone has any experience with what I am trying to do.
Squid supports validating Kerberos security via the Negotiate scheme
mehanisms, but does not have configuration support for the Kerberos
scheme name at this time.
Amos
