FreeBSD 9.1 + Squid 3.2.9 with Kerberos authentication in Active Directory Windows 2008

The squid web cache include a authenticator for kerberos, it is simple to use, but the documentation is not very clear about how to make it work. Below some steps used by me to make Squid 3.2 Stable authenticate against Active Directory (Windows 2008 Directory Service).

Authentication

In this article we’ll use Negotiate (using Kerberos).
To use Negotiate authentication method the web browser must be writed to understand it and configure correctly to do so, and the computer use need to be authenticated by the kerberos infra-structure and receive the appropriated key from the KDC (Key Distribution Center). I’m using Firefox and Internet Explorer for Windows

CONFIGURATION

This part is divided in two parts, one in FreeBSD (proxy-kerb) box other in Windows Domain Controlle (dc.itsol.biz and domain itsol.biz or ITSOL).

Windows Step:

Create a user account, ex. proxy.user, and using ktpass command tool create a keytab file.
ktpass -princ HTTP/squid.itsol.biz@itsol.biz -mapuser ITSOL\proxy.user -pass ******* -crypto all -out squid.keytab
After this copy squid.keytab file to FreeBSD box in folder /usr/local/etc/squid

FreeBSD Step:

Check /etc/resolv.conf for proper set of domain and nameserver. You must have somthing like this:

domain itsol.biz 
nameserver 192.168.0.10

Add an entry in the DNS server for you Proxy’s server hostname and testi it – it is important.

#nslookup squid.itsol.biz
Server: 192.168.0.10
Address: 192.168.0.10#53

Non-authoritative answer:
Name: squid32.procreditbank.bg
Address: 192.168.0.5
#nslookup 192.168.0.5
Server: 192.168.0.10
Address: 192.168.0.10#53

Non-authoritative answer:
5.0.168.192.in-addr.arpa name = squid.itsol.biz.

Install Kerberos from ports /usr/ports/security/krb5 and make configuration file /etc/krb5.conf with this settings:

[libdefaults]
 default_realm = ITSOL.BIZ
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 PROCREDITBANK.BG = {
  kdc = dc.itsol.biz
   admin_server = dc.itsol.biz
   default_domain = dc.itsol.biz
  }
[domain_realm]
        .itsol.biz = ITSOL.BIZ
        itsol.biz = ITSOL.BIZ

Test Kerberos
kinit -k HTTP/squid.itsol.biz

If no error or warning – everything is OK
klist

Credentials cache: FILE:/tmp/krb5cc_0
Principal: HTTP/squid.itsol.biz@ITSOL.BIZ
Issued Expires Principal
Feb 14 17:06:12 Feb 15 03:06:12 krbtgt/ITSOL.BIZ@ITSOL.BIZ

Add the following to the squid startup script (Make sure the keytab is readable by the squid process owner )

export KRB5_KTNAME=/usr/local/etc/squid/squid.keytab

Add this lines to squid.conf to activate authentication:

#Authentication helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -s HTTP/squid.itsol.biz
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access deny !auth

Restart Squid. That is all!

11 Replies to “FreeBSD 9.1 + Squid 3.2.9 with Kerberos authentication in Active Directory Windows 2008”

  1. In most cases this means that you need to specify the user more fully, by prefacing the user name with the domain name, where DOMAIN name is the NetBIOS version.

  2. Little correction. It’s not
    nameserer 192.168.0.10
    but of course
    nameserver 192.168.0.10
    ;)
    Thank you for this great post !

  3. Useful article. I’m using OpenBSD but your post seems to apply. However, I’m having a problem with IE. Firefox works fine, but IE does not. It keeps prompting for credentials and eventually fails. I
    I’ve tested the kerberos, and it works. I did all you described here. Any idea what I’m still missing?

    • Try this:
      Open Internet Explorer and select select Tools, then select Internet Options. Then, select the Advanced tab. Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.
      Click the OK button and then, restart the browser so that the settings take effect.

  4. Hi, I’ve some problems (squid does not work configuring kerberos this way). If I try the command
    kinit -k HTTP/demo2-proxy.demo2.demo.local
    I get this output:
    kinit: krb5_get_init_creds: Additional pre-authentication required
    Can you help me troubleshooting this problem?

    Thanks in advance.

    • Two things you can check:
      – time on both machines should be synchronized
      – on AD Users and Computers, select user Properties, Account tab and check Account options. There is a check-box “Do not require Kerberos preauthentication” – unchecke this box

      • hi Bisser, now it seems better :)
        I still get an error in squid, I think the problem is the
        export KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
        in /usr/local/etc/rc.d/squid
        in which point exactly do I have to insert this line?

        Thank you in advance!

  5. On top of the file, after the commented rows.
    Check permissions – squid should have at least read access to squid.keytab

  6. Hi Bisser, now kerberos seems to work (all tokens and klist are fine), but squid does not work and fails all authentication. Here is the cache.log:

    2014/07/08 18:44:42 kid1| ERROR: Negotiate Authentication validating user. Error returned ‘BH gss_accept_sec_context() failed: Miscellaneous failure (see text). unknown mech-code 0 for mech unknown’
    2014/07/08 18:44:42| negotiate_kerberos_auth: INFO: User not authenticated

    Thank you very much for your help.

Leave a Reply

Your email address will not be published. Required fields are marked *

*