On 28/08/2013 8:13 p.m., Attila Gömbös wrote:
> The downstream proxy authenticates the users (with SPNEGO for example). The downstream proxy sends the Proxy-Authorization token with only the username in it. But the Squid will send the request to Symantec Messagelabs, but it can't create the right X-saucer and X-teacup headers, if the user is authenticated only with username, but expects domain\username in the Proxy-Authorization field.
Please understand that authentication protocols, SPNEGO in particular, are authenticating either the specific TCP connection or the specific HTTP request between the downstream client and the downstream proxy.
The TCP connection and/or request between the downstream proxy and your Squid may be *very* different from the original ones. In the case of the TCP connection the downstream proxy may even be multiplexing multiple clients onto the one connection.
Sending the right credentials is a problem for the downstream proxy. There is no way to accurately know the "correct" username credentials if they were not explicitly delivered. If you have a new enough Squid (3.2 or later) the best you can do is use login=PASSTHRU and let the *upstream* proxy be the one performing authentication, with the downstream and local proxies using external_acl_type helpers to simply probe into the Proxy-Auth headers and supply the user name label back for record keeping purposes.
Amos
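
An added example, not part of the message above and not Squid project code: a sketch of the kind of external_acl_type helper the reply describes, which reads the relayed Proxy-Authorization value and hands a user name label back for logging without authenticating anyone. It assumes Squid passes the header value URL-encoded, one request per line, and accepts an `OK user=<name>` reply; the helper name and path in the comment are hypothetical.

```python
#!/usr/bin/env python3
# Hypothetical squid.conf wiring (name and path are placeholders):
#   external_acl_type authlabel %{Proxy-Authorization} /usr/local/bin/authlabel.py
#   acl labelled external authlabel
import base64
import sys
from urllib.parse import unquote


def label_for(header_value):
    """Return the helper reply line for one Proxy-Authorization value."""
    value = unquote(header_value.strip())   # assumption: Squid URL-encodes input
    scheme, _, blob = value.partition(" ")
    # Only Basic carries a readable name. Negotiate/NTLM tokens are opaque to
    # this proxy, so no label can be derived from them here.
    if scheme.lower() != "basic" or not blob:
        return "ERR"
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:                      # bad base64 or bad UTF-8
        return "ERR"
    user, sep, _password = decoded.partition(":")
    if not sep or not user:
        return "ERR"
    # Refuse whitespace and control characters so a crafted name cannot add
    # extra key=value pairs to the reply line.
    if any(c.isspace() or not c.isprintable() for c in user):
        return "ERR"
    # The label is whatever was delivered: a bare name stays a bare name,
    # domain\name is returned only if the downstream proxy sent it that way.
    return "OK user=" + user


def main():
    for line in sys.stdin:
        sys.stdout.write(label_for(line) + "\n")
        sys.stdout.flush()                  # Squid waits on each reply


if __name__ == "__main__":
    main()
```

The label is for record keeping only; the credentials themselves still have to be checked by the upstream proxy.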