kerberos/http+spnego through http proxy server?

Sanjay Sane sanjays at cisco.com
Tue Nov 25 16:23:40 EST 2003


Hello,

I was testing HTTP with Kerberos and checking the feasibility of supporting
this through an HTTP proxy server.

From internet draft
http://www.ietf.org/internet-drafts/draft-brezak-kerberos-http-00.txt, it is
clear that Microsoft implemented SPNEGO over HTTP, and nicely tied that to
do full ticket-transmission based Kerberos authentication. One of the
missing/confusing pieces is the support from IE for Proxy servers.
Typically, an HTTP proxy server is deployed on the edge, but used for any
intranet/internet traffic.

My questions:
a. Above draft mentions "This mechanism is not used for HTTP authentication
to HTTP proxies". Why not? Is this because it's not currently implemented in
IE, or is it some kind of a policy decision not to? Any references/guidelines
as to where we're going with this?

b. It also mentions the role the Proxy server should play, if in fact it
happens to be between client and server over a Negotiated HTTP connection.
Specifically, it mentions that "The client MUST NOT utilize the SPNEGO HTTP
authentication mechanism through a proxy unless the proxy supplies
"Proxy-support: Session-Based-Authentication" header". Is this support
present in any of the HTTP proxy servers? Are there any caveats from IE-side
that do not correctly adhere to such restrictions? Is there a working model
for this?

In general, I'm looking for any/all pointers that describe what an HTTP proxy
server should be doing in order to
a. maintain the Negotiated secure http connection between client and server.
b. support Proxy-based Negotiate authentication. Act as a Kerberos client,
accept tickets (NOT PASSWORDS) from client. Of course, this would need
support from browsers to be able to pass tickets on a Proxy-Authenticate:
Negotiate header. Anyone already doing that?

Thanks in advance,
Sanjay



