RE: [squid-users] Specifying SPN(targetname) for Proxy Auth Negotiate

From: James Mackie <James.Mackie_at_virginaustralia.com>
Date: Thu, 31 May 2012 05:53:05 +0000

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Wednesday, May 30, 2012 8:05 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Specifying SPN(targetname) for Proxy Auth Negotiate
>
> On 30/05/2012 8:13 p.m., James Mackie wrote:
> > Hi all,
> >
> > I would like to be able to specify in the Proxy-Authenticate challenge header which SPN (or targetname) I would like the browser to request a ticket for.
> >
> > After doing some searching I found a document on the MSDN site that seems to indicate you can specify it for the 'Kerberos' auth mechanism (http://msdn.microsoft.com/en-us/library/cc246225%28v=prot.10%29.aspx)
> >
> > "Authentication is enabled at the outbound server, and it challenges Alice's client. The server indicates support for NTLM and Kerberos in the challenge.
> > SIP/2.0 407 Proxy Authentication Required
>
> Notice this is the SIP/2.0 protocol. Squid is an HTTP proxy. There is no RFC specification for use of the Kerberos scheme name within HTTP.

I did notice this, and I know that HTTP only uses "NEGOTIATE" in the specification; I was just wondering if anyone had managed to do something similar with the NEGOTIATE protocol, as the KERBEROS protocol does above.

>
> > Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK7
> > From: "Alice"<sip:Alice_at_contoso.com>;tag=354354535;epid=6534555
> > To: "Alice"<sip:Alice_at_contoso.com>;tag=5564566
> > Call-ID: 123213_at_Alice1.contoso.com
> > CSeq: 12345 REGISTER
> > Date: Sat, 13 Nov 2010 23:29:00 GMT
> > Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider",
> > targetname="sip/hs1.contoso.com", qop="auth"
> > Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider",
> > targetname="hs1.contoso.com", qop="auth"
> > Content-Length: 0
> > The targetname parameter carries the SPN for this proxy for Kerberos and the FQDN of the proxy for NTLM. The actual contents of this parameter must be meaningful for this proxy but are opaque to other proxies and the client. It is merely a unique string for correlation of the message header to an SA. Two Proxy-Authenticate: headers are present, indicating the server's capability to do one of Kerberos or NTLM."
> >
> > I was wondering if anyone has any experience with what I am trying to do.
>
> Squid supports validating Kerberos security via the Negotiate scheme mechanisms, but does not have configuration support for the Kerberos scheme name at this time.
>
Fair enough, thanks for the answers.

> Amos
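For anyone reaching this thread with the same question: the practical consequence of Amos's answer is that with HTTP Negotiate (RFC 4559) the challenge is just "Proxy-Authenticate: Negotiate", with no targetname parameter, so the browser picks the SPN itself, normally HTTP/<the proxy hostname it was configured with>. The Squid-side fix is therefore not to tell the browser which SPN to use but to make the helper hold and accept the SPN the browser will derive. The squid.conf fragment below is an added example, not configuration from this thread or from the Squid project; the hostname proxy.example.com, the realm EXAMPLE.COM and the keytab path /etc/squid/squid.keytab are assumptions, while the negotiate_kerberos_auth -s and -k options themselves are the helper's real options.

```conf
# squid.conf fragment (added example, not from the thread).
# Assumed values: proxy.example.com, EXAMPLE.COM, /etc/squid/squid.keytab.
#
# The browser derives the SPN as HTTP/<proxy host from its proxy settings>,
# so pin the helper to exactly that principal (-s) and point it at a keytab
# that contains it (-k). A mismatch between the two is the usual cause of
# "Negotiate is configured but every request still gets a 407".
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/squid.keytab
auth_param negotiate children 20
auth_param negotiate keep_alive on

# If clients reach the proxy under more than one name (a CNAME, a PAC-file
# alias, a short name), each name yields a different SPN. Either add every
# HTTP/<name> principal to the keytab and let the helper accept any of them:
#
#   auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /etc/squid/squid.keytab
#
# or keep a single canonical proxy name in the browser configuration.

acl kerb_users proxy_auth REQUIRED
http_access allow kerb_users
http_access deny all
```

Before reloading Squid, confirm with `klist -k /etc/squid/squid.keytab` that the keytab really contains HTTP/proxy.example.com@EXAMPLE.COM (or every alias you expect clients to use); if a client still gets repeated 407s, run the helper by hand with `-d` to see the GSS error it reports for the token the browser sent.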
Received on Thu May 31 2012 - 05:53:16 MDT

This archive was generated by hypermail 2.2.0 : Thu May 31 2012 - 12:00:05 MDT