[squid-users] Kerberos authentication on mobile phones

Markus Moeller huaraz at moeller.plus.com
Fri May 11 18:49:07 UTC 2018


You don't have to join a domain.  You only need a Kerberos authentication 
server to get a ticket.

You only need AD (or Samba) if you want also authorisation (PAC data) in you 
Kerberos ticket.

As Amos said you need a Kerberos client and a Browser supporting 
Proxy-Negotiate.

Markus

"Amos Jeffries"  wrote in message 
news:36775d21-090a-e22a-bec0-78edc57541a9 at treenet.co.nz...

On 08/05/18 10:22, Panagiotis Bariamis wrote:
> Hello,
> Is it possible with a squid kerberos only authentication  setup be able
> to authenticate ie android phones to squid?

I don't have an answer for that, maybe someone else has experience. If
you have the environment available you could try it yourself.


> A second question. If a non domain joined machine tries to use the proxy
> will there be a username password prompt where if correct credentials
> are presented he will be able to get a ticket to use squid?

Maybe, unlikely though IMO. Getting a ticket requires first joining the
domain. Some client software may provide a popup and then try to contact
a DC and join a domain.

But whether a) the specific client software does that, and b) whether
info about the domain DC server is available in DNS records, and c)
whether the Kerberos realm "domain" matches the proxy DNS record domain
- all those effect the possibilities AFAIK.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 




More information about the squid-users mailing list