[squid-users] Specifiying SPN(targetname) for Proxy Auth Negotiate

From: James Mackie <James.Mackie_at_virginaustralia.com>
Date: Wed, 30 May 2012 08:13:32 +0000

Hi all,

I would like to be able to specify in the Proxy-Authenticate challenge header, which SPN (or targetname) I would like the browser to request a ticket for.

After doing some searching I found a document on the MSDN site that seems to indicate you can specify it for the 'Kerberos' auth mechanism (http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)

"Authentication is enabled at the outbound server, and it challenges Alice's client. The server indicates support for NTLM and Kerberos in the challenge.
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK7
From: "Alice" <sip:Alice_at_contoso.com>;tag=354354535;epid=6534555
To: "Alice" <sip:Alice_at_contoso.com>;tag=5564566
Call-ID: 123213_at_Alice1.contoso.com
CSeq: 12345 REGISTER
Date: Sat, 13 Nov 2010 23:29:00 GMT
Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider",
   targetname="sip/hs1.contoso.com", qop="auth"
Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider",
   targetname="hs1.contoso.com", qop="auth"
Content-Length: 0
The targetname parameter carries the SPN for this proxy for Kerberos and the FQDN of the proxy for NTLM. The actual contents of this parameter must be meaningful for this proxy but are opaque to other proxies and the client. It is merely a unique string for correlation of the message header to an SA. Two Proxy-Authenticate: headers are present, indicating the server's capability to do one of Kerberos or NTLM. "

I was wondering if anyone has any experience with what I am trying to do.

Regards,
James
The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com
Received on Wed May 30 2012 - 08:13:42 MDT

This archive was generated by hypermail 2.2.0 : Wed May 30 2012 - 12:00:06 MDT