[squid-users] Kerberos authentication with multiple squids
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 14 09:39:44 UTC 2021
On 14/10/21 8:48 am, Markus Moeller wrote:
> The problem lies more in the way Kerberos proxy authentication
> works. The client uses the proxy name to create a ticket and in this
> case it would be the name of the first proxy e.g. proxy1.internal. The
> first proxy will pass it through to the authenticating proxy for
> authentication proxy2.internal. Now the client receiving a 407 thinks
> that proxy1 asked for authentication (not knowing it is only a
> passthrough) and will ask for a ticket for proxy1, which it can't get as
> proxy1 is not in AD. Even if proxy1 would be in AD, the client would
> send a proxy1 ticket to proxy2 which will be rejected.
>
> Markus
Aha. That makes sense.
Can we get the Kerberos auth wiki page updated with that info? This is
something that has come up a few times.
Cheers
Amos
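
Added example (not part of the original message, and not Squid or Kerberos library code): a simplified Python model of the failure Markus describes, showing why the client's ticket never validates at the authenticating proxy. Assumptions: the user name `alice` is constructed, an HMAC stands in for the real ticket encryption under the service key, and the third scenario is a contrast case that does not appear in the thread.

```python
import hashlib
import hmac
import os

class KDC:
    """Constructed stand-in for AD: maps service principals (SPNs) to long-term keys."""
    def __init__(self):
        self.keys = {}

    def register(self, spn):
        self.keys[spn] = os.urandom(32)
        return self.keys[spn]  # the key that would be exported to the service's keytab

    def issue_ticket(self, user, spn):
        if spn not in self.keys:
            raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        body = f"{user}|{spn}".encode()
        # Real Kerberos encrypts the ticket under the service key; an HMAC models that binding.
        return body, hmac.new(self.keys[spn], body, hashlib.sha256).digest()

def proxy_accepts(keytab_keys, ticket):
    """The authenticating proxy can only validate tickets made for a key it holds."""
    body, tag = ticket
    return any(
        hmac.compare_digest(tag, hmac.new(k, body, hashlib.sha256).digest())
        for k in keytab_keys
    )

def authenticate(kdc, configured_proxy, keytab_keys, user="alice"):
    # The client builds the SPN from the proxy it is configured to use,
    # not from whichever upstream proxy actually generated the 407.
    spn = f"HTTP/{configured_proxy}"
    try:
        ticket = kdc.issue_ticket(user, spn)
    except LookupError:
        return "no ticket"
    return "accepted" if proxy_accepts(keytab_keys, ticket) else "rejected"

def run_scenarios():
    kdc = KDC()
    proxy2_keytab = [kdc.register("HTTP/proxy2.internal")]
    results = {"proxy1 not in AD": authenticate(kdc, "proxy1.internal", proxy2_keytab)}
    kdc.register("HTTP/proxy1.internal")  # proxy1 now in AD, but proxy2 lacks its key
    results["proxy1 in AD"] = authenticate(kdc, "proxy1.internal", proxy2_keytab)
    # Contrast case (not from the thread): client configured for proxy2 directly.
    results["client uses proxy2"] = authenticate(kdc, "proxy2.internal", proxy2_keytab)
    return results
```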