FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Jackie_T
Staff
Article Id 321232
Description

This article discusses proxy chaining with mixed authentication.

Scope

FortiProxy.
Solution

The topology for the setup is as below:

 

Client ---------- FPX1 ---------- FPX2 --------- Internet

 

  • FPX1 is configured with the Kerberos authentication method.
  • FPX2 is configured with the NTLM authentication method.

In this scenario, the client will pass the Kerberos authentication on FPX1, then FPX1 forwards the traffic to FPX2.

FPX2 has NTLM authentication configured, so it sends an HTTP 407 (Proxy Authentication Required) response back to the client.

The flow fails because the client browser is not aware that two explicit proxies exist, and it gets confused because it has already authenticated with FPX1.

FPX1 will not forward the Proxy-Authorization header to FPX2, to prevent a potential credential leak. Hence, it is not possible to achieve this setup with dual mixed authentication.

The supported setup performs authentication on FPX1 while FPX2 performs the authorization by utilizing the x-auth-user header.

 

This is documented in the related document below:

Configuring X-Auth-User authentication

 

The example in the document uses basic authentication; it also works well for the NTLM and Kerberos authentication methods.
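
A simplified Python model of the header handling described above, added here as an illustration; it is not FortiProxy code or configuration. The addresses, user names, group data, status codes on denial and the plain-text X-Auth-User value are assumptions, as is the policy that FPX2 accepts the header only from FPX1 and that FPX1 discards any client-supplied copy.

```python
# Simplified model of the Client -> FPX1 -> FPX2 chain (illustration only).
FPX1_ADDR = "10.0.0.1"               # constructed address of FPX1
GROUPS = {"alice": {"web-users"}}    # constructed group data used by FPX2

def fpx1_forward(client_headers, kerberos_user):
    """FPX1: authenticate the client, then build the request sent to FPX2."""
    if kerberos_user is None:
        return 407, {"Proxy-Authenticate": "Negotiate"}
    # Proxy-Authorization is never passed upstream (credential leak), and a
    # client-supplied X-Auth-User is dropped so only FPX1 can assert identity.
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in ("proxy-authorization", "x-auth-user")}
    out["X-Auth-User"] = kerberos_user
    return 200, out

def fpx2_authorize(peer_addr, headers, required_group="web-users"):
    """Supported setup: FPX2 issues no challenge and authorizes on X-Auth-User."""
    if peer_addr != FPX1_ADDR:       # header is only trusted from FPX1
        return 403
    user = headers.get("X-Auth-User")
    if user is None or required_group not in GROUPS.get(user, set()):
        return 403
    return 200

def fpx2_ntlm(headers):
    """Unsupported mixed setup: FPX2 demands its own proxy credentials."""
    return 200 if "Proxy-Authorization" in headers else 407

def chain(client_headers, kerberos_user, mixed=False):
    """Run one request through both hops and return the final status."""
    status, fwd = fpx1_forward(client_headers, kerberos_user)
    if status != 200:
        return status
    return fpx2_ntlm(fwd) if mixed else fpx2_authorize(FPX1_ADDR, fwd)

if __name__ == "__main__":
    req = {"Proxy-Authorization": "Negotiate constructed-ticket"}
    print("mixed auth:      ", chain(req, "alice", mixed=True))
    print("X-Auth-User mode:", chain(req, "alice"))
```

In the mixed case the 407 comes from FPX2, which the client cannot answer because its credentials stop at FPX1.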
