Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access
Contents

    Introduction
    To Configure
        Squid Server
        Windows Domain Controller
    Configuration
        DNS
        NTP
        SQUID Install
        Kerberos Install and Configure
            Install
            Configure
            Test
        Samba Winbind
            Install
            Configure
            More Config with net ads command
            Set Permissions
            Cron Computer Account Password Update
        Basic Authentication Configuration
        Install negotiate_wrapper
        SQUID Configuration
            Authentication Config
            ICAP Config
        User Machines
            Chrome
            Firefox Browser
            Safari (Apple Devices)
        Checking the Squid Log
        And Finally
        References
Revision history

    Who            Date         Change         Version
    Mark Dearlove  19 Jul 2012  Initial Draft  1.0
Introduction

The primary motivation for writing this document was to show how Squid can be set up to pass Active Directory (AD) user names to SurfProtect so that customers can have more granular control over web activity in their network.

The whole process of getting AD information to SurfProtect expects the customer to use our SurfProtect ICAP service. This needs to be configured within an ICAP-capable client such as the NETASQ U70 appliance or, in this scenario, the Squid proxy. More information about the U70 UTM can be found here: http://www.netasq.com/en/firewall-services/u30-u70.php

One disadvantage that should be noted is that Squid can only pass AD usernames and NOT the AD user groups associated with the person requesting the web page. User groups would be a more natural level at which to apply a SurfProtect profile. Although this is not a major problem, you may find that you have to decide on the best approach to authenticating users: one login that a whole group of users shares, or individual usernames for all users? SurfProtect can apply a blanket profile to users whose names are not recognised or listed against a particular profile. Then all that is left to deal with are the exceptions to the standard profile rule, where you would actually add specific usernames to a profile for their personal requirements.

Please note that my experience of setting this up was taken from several documents on the internet, in which I found that some of the steps listed worked and others didn't, so what you have here are the parts that did work. There are links to the websites I used at the end of the document. The information provided here is as-is with no support or guarantee of suitability.
To Configure

For this magic to work we will need to configure:

    DNS
    NTP
    Kerberos
    Squid 3.1.19
    Samba Winbind
    OPTIONAL (SurfProtect ICAP Service details in Squid)
    User computer proxy settings

Squid Server

Before we start installing various packages onto our server: I used Ubuntu 12.04 LTS (Precise Pangolin), which can be obtained from http://gb.releases.ubuntu.com/12.04/

Windows Domain Controller

Our installation has Windows 2008 R2 Standard Edition.

Configuration

DNS

On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution:

1. vi /etc/resolvconf/resolv.conf.d/head and add:
       domain your.ad.domain.name.here
2. vi /etc/resolvconf/resolv.conf.d/base and add:
       search your.ad.domain.name.here
       nameserver IP for your DNS server
3. resolvconf -u
4. cat /etc/resolv.conf to ensure that the items have been added.

Ping an internal and an external hostname to ensure DNS is operating:

    ping wdc.your.ad.domain -c 4 && ping google.com -c 4

Check you can reverse-lookup the Windows Server and the local proxy IP from the Windows DNS:

    dig -x IP OF YOUR SQUID SERVER
    dig -x IP OF YOUR WINDOWS PRIMARY DOMAIN CONTROLLER

The ANSWER SECTION should contain the DNS name of your Squid server and of wdc.your.ad.domain respectively.

Important: If either lookup fails do not proceed until it is fixed, or authentication may fail.
NTP

Time needs to be synchronised with the Windows Domain Controllers for authentication to work: configure the proxy to obtain time from them and test to ensure it is working as expected.

    vi /etc/ntp.conf.d/head

and add:

    server IP TO YOUR WDC iburst
    server ntp1.your.ad.domain iburst

The iburst option allows faster time sync (i.e. 10-15 seconds instead of 5-9 minutes); in our case this difference comes in handy. After saving the file issue the following commands to enable and start the service:

    chkconfig ntp on
    service ntp start

Check the status of the time sync with the following commands: ntptrace, and ntpdc (listpeers, monlist, sysinfo, ctlstats).

SQUID Install

We will only install squid3 at this point and configure it later. Install with:

    apt-get install squid3 ldap-utils

Kerberos Install and Configure

Install

    apt-get install krb5-user libkrb53 libsasl2-modules-gssapi-mit libsasl2-modules

Configure

    vi /etc/krb5.conf

Add/update the file so the lines below are present (the kdc, admin_server and default_domain entries must sit inside the braces of the realm definition):

    [libdefaults]
        default_realm = YOUR.AD.DOMAIN.IN.CAPITALS
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        ; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
        YOUR.AD.DOMAIN.IN.CAPITALS = {
            kdc = dc1.your.ad.domain.here
            admin_server = dc1.your.ad.domain.here
            default_domain = your.ad.domain.here
        }

The des-cbc-* types are weak and are only needed for legacy hosts; recent MIT Kerberos releases refuse them unless allow_weak_crypto = true is set, so omit them where the domain does not require them.
    [domain_realm]
        .your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
        your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS

Test

Using the command below you can test whether the link to the domain controller is working:

    kinit some_domain_user

Replace some_domain_user with a valid login name from your AD domain. When prompted, enter the Windows password for the chosen account. If all is well no response will be shown. Example error when the password is wrong:

    kinit: Preauthentication failed while getting initial credentials

To confirm that the authentication has worked type:

    klist

The result of this command, if all is well, will look something like:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: some_account_name@your.ad.domain.here

    Valid starting     Expires            Service principal
    19/07/12 16:03:57  20/07/12 02:04:05  krbtgt/your.ad.domain.here@your.ad.domain.here
            renew until 20/07/12 16:03:57

Samba Winbind

Install

    apt-get install samba winbind samba-common-bin

Configure

Stop both services with:

    service smbd stop
    service winbind stop

Edit the Samba config file:

    vi /etc/samba/smb.conf

Alter the sections in the file to include:

    workgroup = YOUR.AD.DOMAIN SHORT NAME HERE
    security = ads
    realm = YOUR.AD.DOMAIN.HERE.IN.CAPITALS
    password server = DOMAIN CONTROLLER IP
    netbios name = SQUIDPROXY-K
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes

Note: in the example above we have called the Squid Proxy server SQUIDPROXY-K, the short name used in Active Directory.

More Config with net ads command

The net ads command allows us to interact with Active Directory. We will now use it to join our machine to the domain. Issue the following commands to join Active Directory and to validate the join:

    net ads join -U Administrator
    net rpc join -U Administrator

If you look on your Domain Controller you should now have a Computer Account in your Active Directory Users and Computers admin screen.

Test the Active Directory join:

    net ads testjoin -U Administrator

Validate the Kerberos server keytab:

    net ads keytab list -U Administrator

Check trusted domains:

    net rpc trustdom list -U Administrator

List Active Directory users:

    net ads user -U Administrator

List Active Directory groups:

    net ads group -U Administrator

Enable and start winbind:

    chkconfig winbind on
    service winbind start

Check authentication:
    wbinfo -a winbind%password

(replace winbind%password with an AD username and its password, separated by %)

Check the AD domain:

    wbinfo -D domain

Check trust secrets via RPC:

    wbinfo -t

Check user information translation:

    wbinfo -i some_ad_username

List AD users:

    wbinfo -u

List AD groups:

    wbinfo -g

Please note that in one set of instructions on the internet there was the use of a program called msktutil, which was a pain from the outset: no package to install, AND when a package was found for this version of the distribution the command always failed to talk to the Active Directory server. I think the net ads commands achieved the same result.

Set Permissions

Set permissions so the proxy user account can read /var/run/samba/winbindd_privileged:

    gpasswd -a proxy winbindd_priv

Cron Computer Account Password Update

Add a cron job file to the /etc/cron.d folder called squidpassword which contains:

    05 4 * * * root net ads changetrustpw -d 1 | logger -t changetrustpw

Files in /etc/cron.d carry a user field after the schedule; root is assumed here since net ads changetrustpw needs to read the machine account secret.

Basic Authentication Configuration

In order to use basic authentication by way of LDAP we need to create an account with which to access Active Directory. In Active Directory create a user called "Squid Proxy" with the logon name squid@your.ad.domain.here. Ensure the following is true when creating the account:

    User must change password at next logon    Unticked
    User cannot change password                Ticked
    Password never expires                     Ticked
    Account is disabled                        Unticked

Create a password file used by Squid for LDAP access and secure the file permissions (substitute the word "YOURCHOSENACCOUNTPASSWORD" below with the password you set when creating the account in Active Directory above; keep no spaces inside the quotes, as they would become part of the password):

    echo 'YOURCHOSENACCOUNTPASSWORD' > /etc/squid3/ldappass.txt
    chmod o-r /etc/squid3/ldappass.txt
    chgrp proxy /etc/squid3/ldappass.txt

Install negotiate_wrapper

Install the necessary build tools (on Debian/Ubuntu):

    apt-get install build-essential linux-headers-$(uname -r)

Then compile and install using:

    cd /usr/local/src/
    wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz"
    tar -xvzf negotiate_wrapper-1.0.1.tar.gz
    cd negotiate_wrapper-1.0.1/
    ./configure
    make
    make install
SQUID Configuration

All that remains is to configure Squid to use the authentication mechanism, apply the appropriate ACLs to control access to the web and configure the ICAP integration (OPTIONAL).

Authentication Config

    vi /etc/squid3/squid.conf

The two auth_param program lines ending in $ were cut off in the original document and must be completed with the rest of the helper path and options.

    ### negotiate (kerberos, with ntlm fallback) via negotiate_wrapper
    auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=your_short_ad_domain_name --kerberos /usr/lib/sq$
    auth_param negotiate children 10
    auth_param negotiate keep_alive off

    ### pure ntlm authentication
    auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=your_short_ad_domain_name
    auth_param ntlm children 10
    auth_param ntlm keep_alive off

    ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
    auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=your,dc=full,dc=ad,dc=domain,dc=components" -D squid@your_ad_domain_here -W /etc/squid3/ldappass.txt -f samaccountname=%s -h $
    auth_param basic children 10
    auth_param basic realm Internet Proxy
    auth_param basic credentialsttl 1 minute

    ### acl for proxy auth and ldap authorizations
    acl auth proxy_auth REQUIRED

    ### enforce authentication
    http_access deny !auth
    http_access allow auth
    http_access deny all

Basic authentication sends the user's password base64-encoded (effectively in clear) with every request, so it is listed last and only serves the clients that cannot negotiate Kerberos or NTLM. Squid evaluates http_access lines in order and stops at the first match, so the deny !auth line must come before any allow rule; otherwise the matching traffic is never challenged for credentials.
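The ordering point matters in practice: the "And Finally" section below says that missing usernames in the log usually trace back to the ACLs. The following is an added example, not part of the original document, that lints the http_access rules of a squid.conf for exactly that mistake; the two configurations inside it are constructed samples, and the function reads any squid.conf on stdin.

```shell
#!/bin/sh
# Added example (not from the original document). Squid evaluates http_access
# lines top to bottom and stops at the first match, so an "allow" that comes
# before "deny !auth" lets that traffic through unauthenticated and SurfProtect
# then sees no username for it. This lint reports such lines.
# Usage on a real file:  lint_http_access < /etc/squid3/squid.conf

# Constructed sample: the layout the document recommends.
GOOD_CONF='acl auth proxy_auth REQUIRED
acl localnet src 192.0.2.0/24
http_access deny !auth
http_access allow auth
http_access deny all'

# Constructed sample: a LAN allow rule slipped in above the guard.
BAD_CONF='acl auth proxy_auth REQUIRED
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny !auth
http_access allow auth
http_access deny all'

# Reads squid.conf text on stdin. Prints OK when every allow rule sits after
# "deny !auth" and a final "deny all" exists; otherwise prints one line per
# problem so the rule can be moved or removed.
lint_http_access() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
        $1 != "http_access"         { next }           # only access rules matter
        $2 == "deny" && $3 == "!auth" { guard = NR; next }
        $2 == "allow" && !guard {
            print "REVIEW: allow rule evaluated before \"deny !auth\": " $0
            bad = 1
        }
        $2 == "deny" && $3 == "all" { denyall = 1 }
        END {
            if (!guard)   { print "FAIL: no \"http_access deny !auth\" rule"; bad = 1 }
            if (!denyall) { print "FAIL: no final \"http_access deny all\"";  bad = 1 }
            if (!bad) print "OK"
        }'
}

printf '%s\n' "$GOOD_CONF" | lint_http_access
printf '%s\n' "$BAD_CONF"  | lint_http_access
```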
ICAP Config

    icap_service service_req reqmod_precache bypass=0 routing=0 icap://icap.exa-networks.co.uk:1344/surfprotect/request/client,default
    adaptation_access service_req allow all
    adapted_http_access allow all
    icap_client_username_header x-authenticated-user
    icap_client_username_encode on
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_service_failure_limit -1
    icap_service_revival_delay 30
    icap_persistent_connections off

Now restart Squid using:

    service squid3 restart
User Machines

The Internet Options (Windows PCs) on the user machines will need to reflect the DNS name or IP address of your Squid server and the service port. Also note that Internet Explorer requires this additional option: "Enable Integrated Windows Authentication".

Chrome

Chrome uses the system-selected proxy, so no changes are needed.
Firefox Browser

Safari (Apple Devices)

This browser uses the system-defined Web Proxy settings for the current connection you are using on the Mac. Notice also that I have added my Active Directory credentials so I won't be prompted later. When using iPad or iPhone devices, similar configuration will be needed to tell the device which proxy to use.
Checking the Squid Log

You can take a look in /var/squid3/access.log (or a similarly named file) to check that the authenticated user is mentioned in the request lines. So for example:

    1342694083.704 349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif

Here mark_dearlove is the authenticated user; that field shows "-" for a request that carried no accepted credentials.

And Finally

When using NTLM authentication it is normal to see two simultaneous TCP_DENIED/407 entries. This is due to the nature of the challenge/response mechanism of NTLM authentication. In the event that no username appears in the Squid access log, or password dialogue boxes appear, then check the squid.conf file to ensure that the ACLs are set up properly. Also ensure that winbind is functioning, as described above. If changes are made to the squid.conf file then Squid needs to be restarted in order for those modifications to take effect. If everything is working as planned then ensure that Squid and SAMBA start automatically upon reboot by issuing the following:

    update-rc.d squid3 defaults
    update-rc.d smbd defaults

References:

I referred to several web pages to try to untangle how to achieve my aim; some helped, some confused me more, but I will mention them here as you may get something extra out of them for your scenario.

    http://wiki.squid-cache.org/configexamples/authenticate/windowsactivedirectory
    http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/
    http://www.sghaida.com/squid3-ntlm-antivirus/
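As a follow-up to the access.log check in the "Checking the Squid Log" section above, here is an added example, not part of the original document, that runs the same inspection over a handful of constructed log lines in Squid's native format: requests per authenticated user, requests served with no username at all, and 407 challenges per client. The log path and the example.com/example.org entries are assumptions; on a live system feed the real access.log into read_log instead.

```shell
#!/bin/sh
# Added example (not from the original document). Field 8 of a native-format
# access.log line is the username; "-" means no accepted credentials. The
# lines below are constructed samples in the same layout as the real entry
# shown in the document. For a live log replace read_log's body with, e.g.,
#   cat /var/log/squid3/access.log      (Ubuntu squid3 package default path)
SAMPLE_LOG='1342694083.704    349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif
1342694084.101      0 192.0.2.131 TCP_DENIED/407 3612 GET http://www.example.com/ - NONE/- text/html
1342694084.105      0 192.0.2.131 TCP_DENIED/407 3612 GET http://www.example.com/ - NONE/- text/html
1342694084.900    212 192.0.2.131 TCP_MISS/200 5120 GET http://www.example.com/ mark_dearlove DIRECT/192.0.2.80 text/html
1342694090.300    180 192.0.2.45 TCP_MISS/200 1024 GET http://www.example.org/ - DIRECT/192.0.2.81 text/html'

read_log() { printf '%s\n' "$SAMPLE_LOG"; }

# Requests per authenticated user: these are the names SurfProtect receives
# in the X-Authenticated-User header.
count_by_user() {
    read_log | awk '$8 != "-" { n[$8]++ } END { for (u in n) print u, n[u] }'
}

# Requests Squid actually served (not a 407 challenge) with no username.
# Anything listed here reached SurfProtect anonymously and only ever gets
# the blanket profile: look for an ACL that allows traffic before
# "deny !auth", or a client that is not sending credentials.
unauthenticated_served() {
    read_log | awk '$8 == "-" && $4 !~ /\/407$/ { print $3, $7 }'
}

# 407 challenges per client. Two in quick succession is the normal NTLM
# handshake; a long run from one client means its authentication is failing.
challenges_per_client() {
    read_log | awk '$4 ~ /\/407$/ { c[$3]++ } END { for (ip in c) print ip, c[ip] }'
}

count_by_user
unauthenticated_served
challenges_per_client
```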