Eugene M. Zheganin wrote:
>
> On 18.10.2014 16:11, Victor Sudakov wrote:
> > I thought as much. This error seems suspicious. But why does a second
> > request not cause the same error?
> No idea.

Hopefully I can interest our Windows admin to enable Kerberos event logging per KB262177.

But for the present I have found an ugly workaround. In squid's keytab, I created another principal called 'squiduser' with the same hex key and kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru.' Of course this required running the squid authentication helper with the '-s GSS_C_NO_NAME' option.

And you know what? It works. Browsers are being authenticated all right. This means that the encrypted token is all right, and the problem was only in the principal name (it being different in the request and the received ticket).

This is quite mysterious to me. Also, Heimdal error messages definitely suck.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
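A keytab audit for the workaround described above, as an added example that is not part of the original message: once the helper runs with GSS_C_NO_NAME the acceptor is no longer pinned to one service name, so it is worth listing which keytab principals share the same key, kvno and enctype. The realm, host names and key bytes are constructed, and the parser assumes the version 0x0502 keytab file layout.

```python
import struct
from collections import defaultdict

def _counted(buf, off):            # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Yield (principal, kvno, enctype, key) for each live entry."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c.decode())
        kvno, enctype = struct.unpack_from(">BH", buf, p + 8)  # skip name type, timestamp
        key, p = _counted(buf, p + 11)
        if end - p >= 4:           # optional 32-bit kvno, used when non-zero
            (v32,) = struct.unpack_from(">I", buf, p)
            kvno = v32 or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype, key
        off = end

def shared_keys(buf):
    """Return groups of principals that share one (kvno, enctype, key)."""
    groups = defaultdict(set)
    for princ, kvno, enctype, key in parse_keytab(buf):
        groups[(kvno, enctype, key)].add(princ)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def _entry(name, kvno, key, realm=b"EXAMPLE.TEST"):   # constructed sample data only
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = name.encode().split(b"/")
    body = (struct.pack(">H", len(parts)) + cs(realm) + b"".join(map(cs, parts))
            + struct.pack(">IIBH", 1, 0, kvno, 23) + cs(key))
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + _entry("HTTP/proxy.example.test", 3, b"\x11" * 16)
          + _entry("squiduser", 3, b"\x11" * 16)
          + _entry("host/proxy.example.test", 3, b"\x22" * 16))
```

Calling `shared_keys()` on the bytes of a real keytab file reports the aliased entries, so a leftover alias can be found and removed once the principal name mismatch is resolved.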