Re: [squid-users] Specifying SPN(targetname) for Proxy Auth Negotiate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 31 May 2012 21:50:00 +1200

On 31/05/2012 5:53 p.m., James Mackie wrote:
>> -----Original Message-----
>> From: Amos Jeffries
>> On 30/05/2012 8:13 p.m., James Mackie wrote:
>>> Hi all,
>>>
>>> I would like to be able to specify in the Proxy-Authenticate challenge
>>> header, which SPN (or targetname) I would like the browser to request a
>>> ticket for.
>>> After doing some searching I found a document on the MSDN site that
>>> seems to indicate you can specify it for the 'Kerberos' auth mechanism
>>> (http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)
>>> "Authentication is enabled at the outbound server, and it challenges Alice's
>>> client. The server indicates support for NTLM and Kerberos in the challenge.
>>> SIP/2.0 407 Proxy Authentication Required
>> Notice this is the SIP/2.0 protocol. Squid is an HTTP proxy. There is no RFC
>> specification for use of Kerberos scheme name within HTTP.
> I did notice this, and I know that HTTP only uses "NEGOTIATE" in the specification, I was just wondering if anyone had managed to do something similar with NEGOTIATE protocol, as what the KERBEROS protocol does above.
>

Possibly. But nothing like SIP does. HTTP Proxy-Authenticate is
hop-by-hop so there is no possibility of multiple targets.
Squid has a trick with peers to pass the header through when it
shouldn't, but that is as close as it comes to sending login to a remote
target in HTTP.

Amos
Received on Thu May 31 2012 - 09:50:13 MDT
