[squid-users] Kerberos authentication with multiple squids

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 14 09:39:44 UTC 2021


On 14/10/21 8:48 am, Markus Moeller wrote:
> The problem lies more in the way Kerberos proxy authentication 
> works. The client uses the proxy name to create a ticket and in this 
> case it would be the name of the first proxy e.g. proxy1.internal.  The 
> first proxy will pass it through to the authenticating proxy for 
> authentication proxy2.internal. Now the client receiving a 407 thinks 
> that proxy1 asked for authentication (not knowing it is only a 
> passthrough) and will ask for a ticket for proxy1, which it can't get as 
> proxy1 is not in AD.  Even if proxy1 were in AD, the client would 
> send a proxy1 ticket to proxy2 which will be rejected.
> 
> Markus

Aha. That makes sense.

Can we get the Kerberos auth wiki page updated with that info? This is 
something that has come up a few times.


Cheers
Amos
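
Added example, not part of the messages above: a toy Python model of the failure Markus describes, showing that the ticket is bound to the key of the proxy the client names, so the authenticating proxy can validate it only when the client is configured with that proxy directly. The HMAC-based "ticket", the `EXAMPLE.INTERNAL` realm, the user `alice` and all function names are assumptions for illustration; real tickets are encrypted by the KDC, and some clients canonicalize the proxy name through DNS first.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.INTERNAL"  # constructed realm; host names are the ones in the thread

def register(kdc, host):
    """Create a service principal in the toy KDC; return (spn, key) for its keytab."""
    spn = f"HTTP/{host}@{REALM}"
    kdc[spn] = os.urandom(32)
    return spn, kdc[spn]


def issue_ticket(kdc, user, spn):
    """Toy TGS: the ticket is bound to the long-term key of the named service."""
    if spn not in kdc:
        return None  # real KDCs answer KDC_ERR_S_PRINCIPAL_UNKNOWN
    body = f"{user}|{spn}".encode()
    return body, hmac.new(kdc[spn], body, hashlib.sha256).digest()


def proxy_accepts(keytab, ticket):
    """A proxy can validate a ticket only with a key held in its own keytab."""
    body, tag = ticket
    return any(hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
               for key in keytab.values())


def authenticate(kdc, user, configured_proxy, auth_keytab):
    """407 round trip: the client names the proxy it is configured with, nothing else."""
    ticket = issue_ticket(kdc, user, f"HTTP/{configured_proxy}@{REALM}")
    if ticket is None:
        return "no-ticket"
    return "accepted" if proxy_accepts(auth_keytab, ticket) else "rejected"


def scenarios():
    kdc = {}
    keytab2 = dict([register(kdc, "proxy2.internal")])  # proxy2 authenticates
    out = {"proxy1 not in AD": authenticate(kdc, "alice", "proxy1.internal", keytab2)}
    register(kdc, "proxy1.internal")  # this key exists only in proxy1's keytab
    out["proxy1 in AD"] = authenticate(kdc, "alice", "proxy1.internal", keytab2)
    out["direct to proxy2"] = authenticate(kdc, "alice", "proxy2.internal", keytab2)
    return out


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```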

