[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Victor Sudakov
sudakov at sibptus.tomsk.ru
Thu Oct 16 16:19:28 UTC 2014
This question is neither exactly squid-related nor Heimdal-related, but
maybe someone guru could shed some light.
I configure MSIE to use the proxy server "proxy.sibptus.transneft.ru".
On starting MSIE, some Windows hosts request a ticket for the
principal HTTP/proxy.sibptus.transneft.ru" and receive it from the DC
and get authenticated successfully by squid. So far so good.
However, some other Windows hosts when requesting a ticket for
HTTP/proxy.sibptus.transneft.ru, in fact receive a ticket for
squiduser at SIBPTUS.TRANSNEFT.RU (kerbtray.exe shows this) and therefore
fail to get authenticated by squid.
"squiduser at SIBPTUS.TRANSNEFT.RU" is the AD account to which the SPN
"HTTP/proxy.sibptus.transneft.ru" is bound. But why do they receive a
ticket for a different name than requested, is beyond me.
Has anyone seen anything like this?
The KDC involved is the w2k AD.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the squid-users
mailing list