Sanjay Sane wrote: > Hello, > > I was testing Http with Kerberos and checking the feasibility of supporting > this through a HTTP Proxy server. > > From internet draft > http://www.ietf.org/internet-drafts/draft-brezak-kerberos-http-00.txt, it is > clear that Microsoft implemented SPNEGO over HTTP, and nicely tied that to > do full ticket-transmission based Kerberos authentication. One of the > missing/confusing pieces is the support from IE for Proxy servers. > Typically, http proxy server is deployed on edge, but used for any > intranet/internet traffic. > > My questions: > a. Above draft mentions "This mechanism is not used for HTTP authentication > to HTTP proxies". Why not? Is this because its not currently implemented in > IE, or its some kind of a policy decision not to? Any references/guidelines > as to where we're going with this? > > b. It also mentions the role the Proxy server should play, if infact it > happens to be between client and server over a Negotiated HTTP connection. > Specifically, it mentions that "The client MUST NOT utilize the SPNEGO HTTP > authentication mechanism through a proxy unless the proxy supplies > "Proxy-support: Session-Based-Authentication" header". Is this support > present in any of the HTTP proxy servers? Are there any caveats from IE-side > that do not correctly adhere to such restrictions? Is there a working model > for this? > > In general, I'm looking for any/all pointers that describe what a HTTP proxy > server should be doing in order to > a. maintain the Negotiated secure http connection between client and server. > b. support Proxy-based Negotiate authentication. Act as a Kerberos client, > accept tickets (NOT PASSWORDS) from client. Of course, this would need > support from browsers to be able to pass tickets on a Proxy-Authenticate: > Negotiate header. Anyone already doing that? > > Thanks in advance, > Sanjay > > Hi , Did you already found something usefull about this matter ?
Rob ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
