Re: Kerberos authentication with multiple squids

Hi Amos,

  If you let me know where exactly, I can add a few lines.

One way to make this setup work would be to add proxy1 also to AD like proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using ktutil. The negotiate_kerberos_auth handle would require the -s GSS_C_NO_NAME option to select either key.

A second option is to add a second service principal name to the proxy2 AD account and use -s GSS_C_NO_NAME.

Regards
Markus


"Amos Jeffries" wrote in message news:95c70ccd-5c15-3395-2103-3025ef043ebd@xxxxxxxxxxxxx...


On 14/10/21 8:48 am, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication proxy2.internal. Now the client receiving a 407 thinks that proxy1 asked for authentication (not knowing it is only a passthrough) and will ask for a ticket for proxy1, which it can't get as proxy1 is not in AD. Even if proxy1 would be in AD, the client would send a proxy1 ticket to proxy2 which will be rejected.

Markus

Aha. That makes sense.

Can we get the Kerberos auth wiki page updated with that info? This is something that has come up a few times.


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
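As an added example that is not part of the original thread, the following checks the outcome of the ktutil merge Markus describes: it parses a keytab file (MIT/Heimdal format version 0x0502) and reports which of the required HTTP/ service principals have no key in it, since a client ticket for proxy1.internal can only be accepted at proxy2 if proxy2's keytab carries the proxy1 key and negotiate_kerberos_auth runs with -s GSS_C_NO_NAME. The realm INTERNAL, the kvnos and the key bytes in the sample keytab are constructed placeholders; on a real system you would read the keytab path configured with -k instead.

```python
# Added example, not from the thread: list the principals in a keytab and check that,
# after the ktutil merge described above, proxy2's keytab holds keys for both SPNs.
import struct

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a v0x0502 keytab (sample input only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:  # counted octet strings: realm first, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] per live entry; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        p, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, p); p += 2
            strings = []
            for _ in range(ncomp + 1):
                (n,) = struct.unpack_from(">H", data, p); p += 2
                strings.append(data[p:p + n].decode()); p += n
            _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
            enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
            kvno = vno8  # a non-zero 32-bit trailer, when present, overrides the 8-bit vno
            if p + 4 <= end:
                kvno = struct.unpack_from(">I", data, p)[0] or vno8
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                            "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def missing_spns(data, required):
    present = {e["principal"].split("@", 1)[0] for e in parse_keytab(data)}  # SPNs, realm stripped
    return sorted(set(required) - present)

# Constructed sample (realm, kvnos and key bytes are placeholders): proxy2's own AES256 key
# (enctype 18) plus proxy1's key merged in, as after the ktutil step described in the thread.
SAMPLE_KEYTAB = build_keytab([("HTTP/proxy2.internal@INTERNAL", 3, 18, bytes(32)),
                              ("HTTP/proxy1.internal@INTERNAL", 2, 18, bytes(range(32)))])
REQUIRED_SPNS = ["HTTP/proxy1.internal", "HTTP/proxy2.internal"]
```

An empty result from `missing_spns` means the merged keytab can serve tickets for either proxy name; a non-empty one names the SPN whose tickets proxy2 would still reject.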

