On 14/10/21 8:48 am, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the authenticating proxy for
authentication proxy2.internal. Now the client receiving a 407 thinks
that proxy1 asked for authentication (not knowing it is only a
passthrough) and will ask for a ticket for proxy1, which it can't get as
proxy1 is not in AD. Even if proxy1 would be in AD, the client would
send a proxy1 ticket to proxy2 which will be rejected.
Markus
\
Aha. That make ssense.
Can we get the Kerberos auth wiki page updated with that info? this is
something that has come up a few times.
Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
