<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-fareast-language:EN-US;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal">I’ve been trying to get Kerberos
Authentication against AD working but have been seeing
inconsistent results/behaviour across multiple Oses and I’m not
sure if the issue lies with the DNS configuration, Kerberos
itself or with the Squid config:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">THE DNS setup is as follows:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">test.squid.cluster. 3600
IN CNAME test-squid-cluster.dyn-zone.<o:p></o:p></p>
<p class="MsoNormal">test-squid-cluster.dyn-zone. 60 IN A
1.2.3.4<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Where 1.2.3.4 is the IP of one of the servers
in the cluster. The intention is to have multiple Squid servers
behind a single DNS name for high-availability.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is what I’m seeing in the cache log with
my current setup:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Windows:<o:p></o:p></p>
<p class="MsoNormal">negotiate_kerberos_auth.cc(182): pid=668789
:2025/06/16 16:03:01| negotiate_kerb<o:p></o:p></p>
<p class="MsoNormal">eros_auth: ERROR: gss_accept_sec_context()
failed: Unspecified GSS failure. Min<o:p></o:p></p>
<p class="MsoNormal">or code may provide more information. Cannot
find key for HTTP/ test-squid-cluster.dyn-zone@REALM kvno 2 in
keytab (request ticket server HTTP/test.squid.cluster@REALM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Rocky Linux:<o:p></o:p></p>
<p class="MsoNormal">curl -ik -vvv -L --proxy-negotiate -U : -b
~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test.squid.cluster:3128" moz-do-not-send="true">"test.squid.cluster:3128"</a> <a href="https://www.bbc.co.uk" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.bbc.co.uk</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">negotiate_kerberos_auth.cc(182): pid=668789
:2025/06/17 08:51:52| negotiate_kerb<o:p></o:p></p>
<p class="MsoNormal">eros_auth: ERROR: gss_accept_sec_context()
failed: Unspecified GSS failure. Min<o:p></o:p></p>
<p class="MsoNormal">2025/06/17 08:51:52| negotiate_kerberos_auth:
INFO: User not authenticated<o:p></o:p></p>
<p class="MsoNormal">2025/06/17 08:51:52.964 kid1| ERROR:
Negotiate Authentication validating user. R<o:p></o:p></p>
<p class="MsoNormal">esult: {result=BH, notes={message:
gss_accept_sec_context() failed: Unspecified<o:p></o:p></p>
<p class="MsoNormal">er <a href="mailto:HTTP/marmalade.cache.ed.ac.uk@ED.AC.UK" moz-do-not-send="true">HTTP/server1@</a>REALM); }}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">klist -e<o:p></o:p></p>
<p class="MsoNormal">Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_138460_vF4BWcMsZu" moz-do-not-send="true">FILE:/tmp/krb5cc_138460_vF4BWcMsZu</a><o:p></o:p></p>
<p class="MsoNormal">Default principal: <a href="mailto:ext6033@ED.AC.UK" moz-do-not-send="true" class="moz-txt-link-freetext">ext6033@ED.AC.UK</a><o:p></o:p></p>
<p class="MsoNormal">17/06/25 08:51:44 17/06/25 18:51:24
krbtgt/REALM@REALM<o:p></o:p></p>
<p class="MsoNormal"> Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<o:p></o:p></p>
<p class="MsoNormal">17/06/25 08:51:52 17/06/25 18:51:24
HTTP/server@<o:p></o:p></p>
<p class="MsoNormal"> Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<o:p></o:p></p>
<p class="MsoNormal"> Ticket server: server/REALM@REALM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">With the same behaviour if I use the Dynamic
Zone record in the curl command i.e.<o:p></o:p></p>
<p class="MsoNormal">curl -ik -vvv -L --proxy-negotiate -U : -b
~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test-squid-cluster.dyn-zone:3128" moz-do-not-send="true">"
test-squid-cluster.dyn-zone:3128"</a> <a href="https://www.bbc.co.uk" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.bbc.co.uk</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p>Ubuntu 24.04</o:p></p>
<p class="MsoNormal"><o:p>curl -ik -vvv -L --proxy-negotiate -U :
-b ~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test.squid.cluster:3128" moz-do-not-send="true">"test.squid.cluster:3128"</a> <a class="moz-txt-link-rfc2396E" href="https://www.bbc.co.uk" moz-do-not-send="true">"https://www.bbc.co.uk"</a> works</o:p></p>
<p class="MsoNormal"><o:p><br>
</o:p></p>
<p class="MsoNormal"><o:p>negotiate_kerberos_auth.cc(815):
pid=668789 :2025/06/18 09:11:17| negotiate_kerberos_auth:
DEBUG: OK
token=oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvJ1BxA5rnZjKbfBVE0YqUlnYx7oLguj09HLH4SJRumUjWWXh99B/4X72vpFqCXeOKmvzSDlWG0Io1ZjQxNOxqni4sFx8exojIzg4aIWKAcYB21OHr9m0T9dfymDVoV61Cofyq38fUaN5Loen9YX0h
user=account<br>
2025/06/18 09:11:17| negotiate_kerberos_auth: INFO: User
account authenticated<br>
</o:p></p>
<p class="MsoNormal"><o:p><br>
</o:p></p>
<p class="MsoNormal"><o:p>klist -e<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_1001_7KsHEg" moz-do-not-send="true">FILE:/tmp/krb5cc_1001_7KsHEg</a><br>
Default principal: account@REALM<br>
<br>
Valid starting Expires Service principal<br>
06/18/25 09:10:09 06/18/25 19:10:09 krbtgt/REALM@REALM<br>
renew until 06/19/25 09:09:36, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>
06/18/25 09:11:17 06/18/25 19:10:09
HTTP/test-squid-cluster.dyn-zone@<br>
renew until 06/19/25 09:09:36, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>
</o:p></p>
<p class="MsoNormal"><br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p>curl -ik -vvv -L --proxy-negotiate -U :
-b ~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test-squid-cluster.dyn-zone:3128" moz-do-not-send="true">"test-squid-cluster.dyn-zone:3128"</a>
<a class="moz-txt-link-rfc2396E" href="https://www.bbc.co.uk" moz-do-not-send="true">"https://www.bbc.co.uk"</a></o:p></p>
<p class="MsoNormal"><o:p><br>
</o:p></p>
<p class="MsoNormal"><o:p>Works as well<br>
</o:p></p>
<p class="MsoNormal"><o:p>klist -e<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_1001_7KsHEg" moz-do-not-send="true">FILE:/tmp/krb5cc_1001_7KsHEg</a><br>
Default principal: account@REALM<br>
<br>
Valid starting Expires Service principal<br>
06/18/25 09:17:11 06/18/25 19:17:11 krbtgt/REAM@REALM<br>
renew until 06/19/25 09:16:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>
06/18/25 09:17:38 06/18/25 19:17:11
HTTP/test-squid-cluster.dyn-zone@<br>
renew until 06/19/25 09:16:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>
Ticket server: <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:HTTP/test-exams-cache.www-dyn.ed.ac.uk@ED.AC.UK" moz-do-not-send="true">HTTP/test-exams-cache.www-dyn.ed.ac.uk@ED.AC.UK</a><br>
</o:p></p>
<p class="MsoNormal"><o:p><br>
</o:p></p>
<p class="MsoNormal">Mac (Sequoia 15.5)<o:p></o:p></p>
<p class="MsoNormal">curl -ik -vvv -L --proxy-negotiate -U : -b
~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test.squid.cluster.dyn-zone:3128" moz-do-not-send="true">"test.squid.cluster.dyn-zone:3128"</a>
<a href="https://www.bbc.co.uk" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.bbc.co.uk</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2025/06/17 09:32:26| negotiate_kerberos_auth:
INFO: User not authenticated<o:p></o:p></p>
<p class="MsoNormal">2025/06/17 09:32:26.600 kid1| ERROR:
Negotiate Authentication validating user. R<o:p></o:p></p>
<p class="MsoNormal">esult: {result=BH, notes={message:
gss_accept_sec_context() failed: Unspecified<o:p></o:p></p>
<p class="MsoNormal">GSS failure. Minor code may provide more
information. Cannot find key for HTTP/<o:p></o:p></p>
<p class="MsoNormal">test-squid-cluster.dyn-zone@REALM kvno 2 in
keytab (request ticket serv<o:p></o:p></p>
<p class="MsoNormal">er <a href="mailto:HTTP/test.squid.cluster@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test.squid.cluster@</a>REALM);
}}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">klist -v<o:p></o:p></p>
<p class="MsoNormal">Server: <a href="mailto:HTTP/test.squid.cluster@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test.squid.cluster@</a>REALM<o:p></o:p></p>
<p class="MsoNormal">Client: account@REALM<o:p></o:p></p>
<p class="MsoNormal">Ticket etype: aes256-cts-hmac-sha1-96, kvno 2<o:p></o:p></p>
<p class="MsoNormal">Ticket length: 1690<o:p></o:p></p>
<p class="MsoNormal">Auth time: Jun 17 09:32:17 2025<o:p></o:p></p>
<p class="MsoNormal">Start time: Jun 17 09:32:26 2025<o:p></o:p></p>
<p class="MsoNormal">End time: Jun 17 19:31:56 2025<o:p></o:p></p>
<p class="MsoNormal">Ticket flags: enc-pa-rep, pre-authent,
forwardable<o:p></o:p></p>
<p class="MsoNormal">Addresses: addressless<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">curl -ik -vvv -L --proxy-negotiate -U : -b
~/cookiejar.txt -c ~/cookiejar.txt -x <a class="moz-txt-link-rfc2396E" href="test-squid-cluster.dyn.zone:3128" moz-do-not-send="true">"test-squid-cluster.dyn.zone:3128"</a>
<a href="https://www.bbc.co.uk" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.bbc.co.uk</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Successful:<o:p></o:p></p>
<p class="MsoNormal">2025/06/17 09:36:38| negotiate_kerberos_auth:
INFO: User account authenticated<o:p></o:p></p>
<p class="MsoNormal">2025/06/17 09:36:38.165 kid1| 82,2|
external_acl.cc(700) aclMatchExternal: ldap_group = ALLOWED<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Klist -v<o:p></o:p></p>
<p class="MsoNormal">Server: <a href="mailto:krbtgt/ED.AC.UK@ED.AC.UK" moz-do-not-send="true">krbtgt/REALM@</a>REALM<o:p></o:p></p>
<p class="MsoNormal">Client: account@REALM <o:p></o:p></p>
<p class="MsoNormal">Ticket etype: aes256-cts-hmac-sha1-96, kvno
11<o:p></o:p></p>
<p class="MsoNormal">Ticket length: 1683<o:p></o:p></p>
<p class="MsoNormal">Auth time: Jun 17 09:36:31 2025<o:p></o:p></p>
<p class="MsoNormal">End time: Jun 17 19:36:23 2025<o:p></o:p></p>
<p class="MsoNormal">Ticket flags: enc-pa-rep, pre-authent,
initial, forwardable<o:p></o:p></p>
<p class="MsoNormal">Addresses: addressless<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Server: <a href="mailto:HTTP/test-squid-cluster.dyn.zone@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cluster.dyn.zone@</a>REALM<o:p></o:p></p>
<p class="MsoNormal">Client: <a href="mailto:ext6033@ED.AC.UK" moz-do-not-send="true">account@</a>REALM<o:p></o:p></p>
<p class="MsoNormal">Ticket etype: aes256-cts-hmac-sha1-96, kvno 1<o:p></o:p></p>
<p class="MsoNormal">Ticket length: 1698<o:p></o:p></p>
<p class="MsoNormal">Auth time: Jun 17 09:36:31 2025<o:p></o:p></p>
<p class="MsoNormal">Start time: Jun 17 09:36:38 2025<o:p></o:p></p>
<p class="MsoNormal">End time: Jun 17 19:36:23 2025<o:p></o:p></p>
<p class="MsoNormal">Ticket flags: enc-pa-rep, pre-authent,
forwardable<o:p></o:p></p>
<p class="MsoNormal">Addresses: addressless<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The relevant parts of the squid.conf are:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">http_port 3128<o:p></o:p></p>
<p class="MsoNormal">cache_mem 256 mb<o:p></o:p></p>
<p class="MsoNormal">maximum_object_size_in_memory 512 KB<o:p></o:p></p>
<p class="MsoNormal">maximum_object_size 2048 mb<o:p></o:p></p>
<p class="MsoNormal">cache_dir ufs /var/spool/squid 51200 16 256<o:p></o:p></p>
<p class="MsoNormal">debug_options ALL,2<o:p></o:p></p>
<p class="MsoNormal">visible_hostname test-squid-cluster.dyn.zone<o:p></o:p></p>
<p class="MsoNormal">unique_hostname server1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">refresh_pattern . 0 20%
4320 ignore-reload<o:p></o:p></p>
<p class="MsoNormal">auth_param basic children 10<o:p></o:p></p>
<p class="MsoNormal">auth_param negotiate program
/usr/lib64/squid/negotiate_kerberos_auth -k
/etc/squid/HTTP.keytab -s <a href="mailto:HTTP/test-squid-cluster.dyn.zone@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cluster.dyn.zone@</a>REALM
-d -i -r<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">(We also have LDAP basic auth configured as a
fallback which works as expected but modern Windows clients no
longer support basic auth for proxy servers).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">klist -k /etc/squid/HTTP.keytab<o:p></o:p></p>
<p class="MsoNormal">Keytab name: <a class="moz-txt-link-freetext" href="FILE:/etc/squid/HTTP.keytab" moz-do-not-send="true">FILE:/etc/squid/HTTP.keytab</a><o:p></o:p></p>
<p class="MsoNormal">KVNO Principal<o:p></o:p></p>
<p class="MsoNormal">----
--------------------------------------------------------------------------<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK" moz-do-not-send="true">TESTSQUIDCACHE@</a>REALM<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK" moz-do-not-send="true">TESTSQUIDCACHE@</a>REALM<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK" moz-do-not-send="true">TESTSQUIDCACHE@</a>REALM<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></p>
<p class="MsoNormal"> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">/etc/hosts<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">1.2.3.4
server1.cache server1 test-squid-cache.dyn.zone
test.squid.cluster<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Finally
the keytab was generated using msktutil e.g.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">msktutil
-c -h test-squid-cache.dyn.zone -b
'OU=Managed-Linux,OU=Infrastructure' --computer-name
TESTSQUIDCACHE -s HTTP/test-squid-cache.dyn.zone -k
/etc/squid/HTTP.keytab --server domain.controller --realm
REALM --use-service-account --dont-expire-password --upn <a href="mailto:HTTP/test-squid-cache.dyn.zone@REALM" moz-do-not-send="true" class="moz-txt-link-freetext">HTTP/test-squid-cache.dyn.zone@REALM</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">This
works fairly well/reliably if we use a keytab containing the
HTTP/fqdn of the server itself i.e. HTTP/server1 AND connect
using curl using the FQDN of server1 but we need resiliency
and high-availability so having a single-host service would
be a last resort.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Any
ideas on where I’m going wrong or what I need to add in
terms of DNS/keytab entries? Also some of the clients
attempt to use key versions which have never been issued
e.g. kvno 4? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Kind
regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">--<br>
/****************************<br>
<br>
Mark Cairney<br>
ITI Enterprise Services<br>
Information Services<br>
University of Edinburgh<br>
<br>
Tel: 0131 650 6565<br>
Email: </span><u><span style="color:#0078D7;mso-ligatures:none;mso-fareast-language:EN-GB"><a href="mailto:Mark.Cairney@ed.ac.uk" moz-do-not-send="true" class="moz-txt-link-freetext">Mark.Cairney@ed.ac.uk</a></span></u><span style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><br>
<br>
*******************************/<br>
<br>
The University of Edinburgh is a charitable body, registered
in Scotland, with registration number SC005336.</span><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="Rectangle_x0020_1" o:spid="_x0000_s1026" type="#_x0000_t75" alt="signature_2526785256" style='width:24pt;height:24pt;visibility:visible;mso-left-percent:-10001;mso-top-percent:-10001;mso-position-horizontal:absolute;mso-position-horizontal-relative:char;mso-position-vertical:absolute;mso-position-vertical-relative:line;mso-left-percent:-10001;mso-top-percent:-10001'>
<w:wrap type="none"/>
<w:anchorlock/>
</v:shape><![endif]--><!--[if !vml]--><img width="32" height="32" style="width:.3333in;height:.3333in" src="cid:part1.KdLH54j0.oiqMwKoQ@ed.ac.uk" alt="signature_2526785256" v:shapes="Rectangle_x0020_1" class=""><!--[endif]--><o:p></o:p></p>
</div>
</div>
</body>
</html>