Re: [squid-users] generic kerberos support in 2.6?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 14 Dec 2006 01:35:44 +0100

Mon 2006-12-11 at 23:37 -0500, Brian J. Murrell wrote:

> But my suggestion of using ntlm_auth was not so much in its binary form
> but as a source of SPNEGO handling. IIUC, ntlm_auth takes the SPNEGO
> blob from the client via squid and unpacks it and does the NTLM auth
> with the MS Goop(tm) doesn't it?

It does, but it also does the Kerberos Goop(tm) when it was a Kerberos
request and not NTLM...

For those unaware of the protocols, SPNEGO is a Microsoft wrapper around
all the other security service providers in Windows, allowing client and
server to negotiate which authentication scheme to use. As such it
encapsulates both NTLM and Kerberos authentication. In HTTP, Microsoft
for some reason calls this wrapper scheme Negotiate, while everywhere
else it's SPNEGO, from the wrapper security service provider name.

Regards
Henrik

Received on Wed Dec 13 2006 - 17:35:53 MST
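
The encapsulation described in the message above can be seen by decoding the token carried in an HTTP `Authorization: Negotiate` header. The following is an added example, not code from the post, Squid or ntlm_auth; the function names and the sample tokens are constructed for illustration, and only the initial client token (NegTokenInit) is handled.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.113554.1.2.2": "kerberos", "1.2.840.48018.1.2.2": "kerberos-ms",
         "1.3.6.1.4.1.311.2.2.10": "ntlmssp"}  # well-known GSS-API mechanism OIDs

def read_tlv(buf, pos, want):  # -> (value_start, value_end); tag must equal want
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", [])
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM, no SPNEGO wrapper
            return ("raw-ntlm", [])
        pos, _ = read_tlv(tok, 0, 0x60)        # [APPLICATION 0] GSS-API framing
        start, pos = read_tlv(tok, pos, 0x06)  # OID naming the token's mechanism
        if (outer := decode_oid(tok[start:pos])) != SPNEGO:  # e.g. bare Kerberos
            return ("raw-" + MECHS.get(outer, "other"), [])
        for want in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit down to mechTypes
            pos, end = read_tlv(tok, pos, want)
        mechs = []
        while pos < end:  # SEQUENCE OF OID: the schemes the client offers
            start, pos = read_tlv(tok, pos, 0x06)
            mechs.append(MECHS.get(decode_oid(tok[start:pos]), "other"))
        return ("spnego", mechs)
    except (ValueError, IndexError):  # bad base64, wrong tag, or truncated DER
        return ("malformed", [])

SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed token
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202060a2b06010401823702020a")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A proxy or log pipeline can use a check like this to tell which mechanism a client is offering under the single Negotiate scheme name, for example to spot clients that fall back to NTLM.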
