Hello,

I was testing HTTP with Kerberos and checking the feasibility of supporting this through an HTTP proxy server.

From the Internet draft http://www.ietf.org/internet-drafts/draft-brezak-kerberos-http-00.txt, it is clear that Microsoft implemented SPNEGO over HTTP, and nicely tied that to do full ticket-transmission based Kerberos authentication. One of the missing/confusing pieces is the support from IE for proxy servers. Typically, an HTTP proxy server is deployed on the edge, but used for any intranet/internet traffic.

My questions:

a. The above draft mentions "This mechanism is not used for HTTP authentication to HTTP proxies". Why not? Is this because it's not currently implemented in IE, or is it some kind of a policy decision not to? Any references/guidelines as to where we're going with this?

b. It also mentions the role the proxy server should play, if in fact it happens to be between client and server over a Negotiated HTTP connection. Specifically, it mentions that "The client MUST NOT utilize the SPNEGO HTTP authentication mechanism through a proxy unless the proxy supplies "Proxy-support: Session-Based-Authentication" header". Is this support present in any of the HTTP proxy servers? Are there any caveats from the IE side that do not correctly adhere to such restrictions? Is there a working model for this?

In general, I'm looking for any/all pointers that describe what an HTTP proxy server should be doing in order to:

a. maintain the Negotiated secure HTTP connection between client and server.

b. support proxy-based Negotiate authentication. Act as a Kerberos client, accept tickets (NOT PASSWORDS) from client. Of course, this would need support from browsers to be able to pass tickets on a Proxy-Authenticate: Negotiate header. Anyone already doing that?

Thanks in advance,
Sanjay

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
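The two draft sentences quoted in the post, written out as a client-side policy check. This is an added example, not part of the original post or of the draft. The function names, the `via_proxy` flag (assumed to come from the client's own proxy configuration) and the one-challenge-per-header-line parsing are assumptions; the sample responses are constructed.

```python
def parse_response(raw):
    """Return (status_code, headers); headers maps lower-cased name -> list of values."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def offers_negotiate(challenges):
    """True if any challenge line uses the Negotiate scheme (first token, any case)."""
    return any(c.split(None, 1)[0].lower() == "negotiate" for c in challenges if c)

def proxy_allows_session_auth(headers):
    """True if a Proxy-support header lists the Session-Based-Authentication token."""
    tokens = {t.strip().lower()
              for value in headers.get("proxy-support", [])
              for t in value.split(",")}
    return "session-based-authentication" in tokens

def negotiate_decision(raw, via_proxy):
    """Return 'allow', 'refuse' or 'not-offered' for one HTTP response."""
    status, headers = parse_response(raw)
    if status == 407 and offers_negotiate(headers.get("proxy-authenticate", [])):
        return "refuse"  # draft: mechanism is not used for authentication to proxies
    if status == 401 and offers_negotiate(headers.get("www-authenticate", [])):
        if not via_proxy or proxy_allows_session_auth(headers):
            return "allow"
        return "refuse"  # proxy in path without the Proxy-support token
    return "not-offered"

# Constructed sample responses (not captured traffic).
ORIGIN_VIA_GOOD_PROXY = ("HTTP/1.1 401 Unauthorized\r\n"
                         "WWW-Authenticate: Negotiate\r\n"
                         "WWW-Authenticate: NTLM\r\n"
                         "Proxy-support: Session-Based-Authentication\r\n\r\n")
ORIGIN_VIA_PLAIN_PROXY = ("HTTP/1.1 401 Unauthorized\r\n"
                          "WWW-Authenticate: Negotiate\r\n\r\n")
PROXY_CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                   "Proxy-Authenticate: Negotiate\r\n\r\n")

if __name__ == "__main__":
    print(negotiate_decision(ORIGIN_VIA_GOOD_PROXY, via_proxy=True))
    print(negotiate_decision(ORIGIN_VIA_PLAIN_PROXY, via_proxy=True))
    print(negotiate_decision(PROXY_CHALLENGE, via_proxy=True))
```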
