Re: [squid-users] Specifiying SPN(targetname) for Proxy Auth Negotiate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 May 2012 22:05:05 +1200

On 30/05/2012 8:13 p.m., James Mackie wrote:
> Hi all,
>
> I would like to be able to specify in the Proxy-Authenticate challenge header, which SPN (or targetname) I would like the browser to request a ticket for.
>
> After doing some searching I found a document on the MSDN site that seems to indicate you can specify it for the 'Kerberos' auth mechanism (http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)
>
> "Authentication is enabled at the outbound server, and it challenges Alice's client. The server indicates support for NTLM and Kerberos in the challenge.
> SIP/2.0 407 Proxy Authentication Required

Notice this is the SIP/2.0 protocol. Squid is an HTTP proxy. There is no
RFC specification for use of Kerberos scheme name within HTTP.

> Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK7
> From: "Alice"<sip:Alice_at_contoso.com>;tag=354354535;epid=6534555
> To: "Alice"<sip:Alice_at_contoso.com>;tag=5564566
> Call-ID: 123213_at_Alice1.contoso.com
> CSeq: 12345 REGISTER
> Date: Sat, 13 Nov 2010 23:29:00 GMT
> Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider",
> targetname="sip/hs1.contoso.com", qop="auth"
> Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider",
> targetname="hs1.contoso.com", qop="auth"
> Content-Length: 0
> The targetname parameter carries the SPN for this proxy for Kerberos and the FQDN of the proxy for NTLM. The actual contents of this parameter must be meaningful for this proxy but are opaque to other proxies and the client. It is merely a unique string for correlation of the message header to an SA. Two Proxy-Authenticate: headers are present, indicating the server's capability to do one of Kerberos or NTLM. "
>
> I was wondering if anyone has any experience with what I am trying to do.

Squid supports validating Kerberos security via the Negotiate scheme
mechanisms, but does not have configuration support for the Kerberos
scheme name at this time.

Amos
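To make the difference between the two challenge formats concrete, here is an added example (not code from this thread or from Squid) that parses the auth-param form used by the quoted SIP challenges and extracts the targetname per scheme, and shows that an HTTP Negotiate challenge (bare scheme, or scheme plus an opaque token) carries no such parameter. The function and constant names are my own, and the sample challenge values are constructed from the quoted text.

```python
import re

# One auth-param: name "=" (quoted-string | bare token), optionally followed by a comma.
_PARAM = re.compile(r'\s*([A-Za-z0-9._-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)')
# A token68 blob (base64-style, "=" padding only at the end), as in HTTP Negotiate/NTLM.
_TOKEN68 = re.compile(r'^[A-Za-z0-9._~+/-]+=*$')


def parse_challenge(header_value):
    """Split one Proxy-Authenticate value into (scheme, params).

    'Kerberos realm="x", targetname="sip/h"'  -> ("Kerberos", {"realm": "x", "targetname": "sip/h"})
    'Negotiate'                               -> ("Negotiate", {})
    'Negotiate YIIB...=='                     -> ("Negotiate", {"token": "YIIB...=="})
    """
    scheme, _, rest = header_value.strip().partition(" ")
    rest = rest.strip()
    params = {}
    if not rest:
        return scheme, params                 # initial HTTP challenge: scheme only
    if _TOKEN68.match(rest):
        return scheme, {"token": rest}        # opaque GSSAPI/NTLM blob, no parameters
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name, quoted, bare = m.groups()
        value = quoted.replace('\\"', '"') if quoted is not None else bare
        params[name.lower()] = value
        pos = m.end()
    return scheme, params


def target_names(challenges):
    """Map scheme -> targetname over every challenge in one 407 response."""
    out = {}
    for value in challenges:
        scheme, params = parse_challenge(value)
        if "targetname" in params:
            out[scheme] = params["targetname"]
    return out


# Constructed samples: the two SIP challenges from the quoted MSDN text, and an HTTP one.
SIP_407_CHALLENGES = [
    'Kerberos realm="Contoso RTC Service Provider", targetname="sip/hs1.contoso.com", qop="auth"',
    'NTLM realm="Contoso RTC Service Provider", targetname="hs1.contoso.com", qop="auth"',
]
HTTP_407_CHALLENGE = "Negotiate"
```

Running `target_names` over the SIP challenges yields one SPN per scheme, while the HTTP challenge yields nothing, which is the gap the original question runs into.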
Received on Wed May 30 2012 - 10:05:16 MDT