kerberos/http+spnego through http proxy server?

robf robf at robf.nl
Sun Nov 30 16:48:29 EST 2003


Sanjay Sane wrote:
> Hello,
> 
> I was testing Http with Kerberos and checking the feasibility of supporting
> this through a HTTP Proxy server.
> 
> From internet draft
> http://www.ietf.org/internet-drafts/draft-brezak-kerberos-http-00.txt, it is
> clear that Microsoft implemented SPNEGO over HTTP, and nicely tied that to
> do full ticket-transmission based Kerberos authentication. One of the
> missing/confusing pieces is the support from IE for Proxy servers.
> Typically, an http proxy server is deployed on the edge, but used for any
> intranet/internet traffic.
> 
> My questions:
> a. Above draft mentions "This mechanism is not used for HTTP authentication
> to HTTP proxies". Why not? Is this because it's not currently implemented in
> IE, or it's some kind of a policy decision not to? Any references/guidelines
> as to where we're going with this?
> 
> b. It also mentions the role the Proxy server should play, if in fact it
> happens to be between client and server over a Negotiated HTTP connection.
> Specifically, it mentions that "The client MUST NOT utilize the SPNEGO HTTP
> authentication mechanism through a proxy unless the proxy supplies
> "Proxy-support: Session-Based-Authentication" header". Is this support
> present in any of the HTTP proxy servers? Are there any caveats from IE-side
> that do not correctly adhere to such restrictions? Is there a working model
> for this?
> 
> In general, I'm looking for any/all pointers that describe what a HTTP proxy
> server should be doing in order to
> a. maintain the Negotiated secure http connection between client and server.
> b. support Proxy-based Negotiate authentication. Act as a Kerberos client,
> accept tickets (NOT PASSWORDS) from client. Of course, this would need
> support from browsers to be able to pass tickets on a Proxy-Authenticate:
> Negotiate header. Anyone already doing that?
> 
> Thanks in advance,
> Sanjay
> 
> 
Hi,
Did you already find something useful about this matter?

Rob


