On 31/05/2012 5:53 p.m., James Mackie wrote:
-----Original Message-----
From: Amos Jeffries
On 30/05/2012 8:13 p.m., James Mackie wrote:
Hi all,
I would like to be able to specify in the Proxy-Authenticate challenge
header, which SPN (or targetname) I would like the browser to request a
ticket for.
After doing some searching I found a document on the MSDN site that
seems to indicate you can specify it for the 'Kerberos' auth mechanism
(http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)
"Authentication is enabled at the outbound server, and it challenges Alice's
client. The server indicates support for NTLM and Kerberos in the challenge.
SIP/2.0 407 Proxy Authentication Required
Notice this is the SIP/2.0 protocol. Squid is an HTTP proxy. There is no RFC
specification for use of Kerberos scheme name within HTTP.
I did notice this, and I know that HTTP only uses "NEGOTIATE" in the specification. I was just wondering if anyone had managed to do something similar with the NEGOTIATE protocol to what the KERBEROS protocol does above.
Possibly. But nothing like SIP does. HTTP Proxy-Authenticate is
hop-by-hop so there is no possibility of multiple targets.
Squid has a trick with peers to pass the header through when it
shouldn't, but that is as close as it comes to sending login to a remote
target in HTTP.
Amos