
Hi everyone,
I hope all of you had an enjoyable holiday. I spent my week off from work spending time with the family and catching up on some reading. One area I decided to spend some time reading up on is Microsoft’s Cloud App Security. For those unfamiliar with the solution, it’s Microsoft’s entry into the cloud access security broker (CASB) (or Cloud Security Gateway (CSG) if you’re a Forrester reader) market. If you haven’t heard of “CASB” or “CSG”, don’t worry too much. While the terminology is new, many of the technologies making up a typical CASB or CSG are not new; they are simply used together in new and creative ways. For a quick intro, take a read through this article and follow up with some Forrester and Gartner research for a deeper dive.
Since I haven’t had much experience with a product specifically marketing itself as a CASB, I thought it would be a great opportunity to play around with Microsoft’s solution. A good first step for any organization to grasp the value of a CASB is to explore what’s happening within the organization outside the view of IT, or as the marketers love to call it, shadow IT. The ease of consuming cloud technologies such as software as a service (SaaS) applications has been both a blessing and a curse. The new technology has been wonderful in cutting IT costs, bringing the technology closer to the business, providing for shorter time to market for new features, and providing simpler integration paths for different applications and services. On the negative side, the ease of use of these solutions means an average employee is using far more of them than is officially sanctioned by IT. This can lead to issues like loss of critical data, non-compliance with policy, or multiple business groups within an organization subscribing to the same service resulting in redundant licensing costs.
Wouldn’t it be great to get visibility into that shadow IT? Since a majority of cloud solutions work over standard HTTP(S), the services are readily accessible to the user without the user having to request additional ports be opened on the firewall. This means it’s much more challenging to track who is using what and what they’re doing with those services. Many organizations attempt to control these types of solutions with a traditional forward web proxy. However, too much focus is put on blocking the “bad” sites instead of analyzing the overall patterns of usage of services. Microsoft’s Azure AD Cloud Discovery is a feature of Azure Active Directory that can be used in conjunction with Cloud App Security’s catalog of apps to provide visibility into what’s being accessed as well as information on the risks the accessed services present to the organization.
To simulate a typical medium to large organization and get some good testing done with Cloud App Discovery, I’m going to add a forward web proxy to my home lab. As I’ve mentioned in previous blog entries I have a small form factor computer running pfsense which I use as my lab networking security appliance. Out of the box, it supports a base install of Squid which can be added and configured to act as a forward web proxy with minimal effort. It gets a bit more challenging when you want to add authentication to the proxy because the built-in options for the pfsense implementation are limited to local, LDAP, and RADIUS authentication. I want authentication so I can identify users connecting to the proxy and associate the web connections with specific users but I want to use Kerberos so I get that seamless single sign on experience.
Like many open source products, the documentation on how to set up Squid running on pfsense and using Kerberos authentication is pretty terrible. Searching the all-powerful Google presents lots of forum posts with people asking how to do it, pieces of answers that don’t make much sense, and some Wikis on how to configure Squid to use Kerberos on a standard server. Given the lack of good documentation, I thought it would be fun to work my way through it and compile a walkthrough. I’m issuing the standard disclaimer that this is intended for lab purposes only. If you’re trying to deploy pfsense and Squid in a production environment, do more reading and spend time doing it safely and securely.
I won’t be covering the basic setup of pfsense as there are plenty of guides out there and the process is simple for anyone with any experience in the network appliance realm. For this demonstration I’ll be running a box with pfsense 2.4.2 installed.
On to the walkthrough!
The first step in the process is to add the Squid package through the pfsense package manager UI.
On the Package Manager screen, select the Available Packages section and install the Squid package. After the installation is complete, you’ll see Squid shown in the Installed Packages section.
Notice the package installed is a branch of the 3.5 release while the latest release available directly via Squid is 4.0. It’s always fun to have the latest and greatest, but pfsense is an all-in-one solution so it comes with some sacrifices. Let’s get some of the basic configuration settings done with. Go to the Services menu, select the Squid Proxy Server menu item, and go to the General section. First up, choose the interface you want Squid to be available for and specify a port for it to listen on.
Now check the Allow Users on Interface option unless you have a reason to limit it to certain subnets attached to the interface. Additionally I’d recommend checking the Resolve DNS IPv4 First option. I banged my head against the wall with a ton of issues with Squid when I turned on authentication and this option wasn’t set. You can thank me for saving you hours of Googling and trying other options.
Set up basic logging with the settings below.
Basic settings are complete and it’s a good time to test the proxy from a client machine to verify its base functionality. You can do this by directing one of your client machines to use the proxy and attempting to access a website.
After you have verified functionality you’ll need to add support for SSH to the pfsense box since we’ll need to make some changes via the command shell. For that you’ll want to navigate to the System menu, select the Advanced menu item, and go to the Admin Access section. Scroll down from there to the Secure Shell section, click the checkbox for Enable Secure Shell, and set the SSH port to the port of your choice. I chose 50,000.
The Secure Shell Server is active, but the firewall blocks access to it across all interfaces by default. You now need to create the appropriate firewall rule to allow access from devices behind the interface you wish to use to SSH to the box. For me this is the interface that my lab devices connect to. For this you’ll select Firewall from the top menu, select the Rules menu item, and select the appropriate interface from the menu items. Once there, click the Add button to create a firewall rule allowing devices within the subnet to hit the router interface over the port you configured earlier as seen below. The SSH listener will now be running and will be accessible from the designated interface.
Now you must configure DNS such that the pfsense box can resolve the Active Directory DNS namespace to perform Kerberos related activities. You can go the easy route and make the Active Directory domain controller the primary DNS server for pfsense via the GUI. However, I use pfsense as the primary DNS resolver for the lab environment and forward queries to Google’s DNS servers at 8.8.8.8.
In order to continue using my preferred configuration, I needed to take a few additional steps. First I needed to add a Domain Override to the DNS Resolver service on pfsense to ensure it doesn’t pass the query along to the external DNS server. I did this by selecting Services from the main menu, selecting the DNS Resolver menu item, and going to the General Settings section. I then scrolled down to the Domain Overrides section and added the appropriate override for my Active Directory DNS namespace as seen below. Take note that you can’t go modifying the resolv.conf as you would in a normal Linux distro since pfsense will scrub any changes you make to the file each time it restarts its services. Get used to this behavior; we’re going to see it a number of times through this blog entry and we’ll have to learn to work around that limitation (feature?).
Next up you’ll want to verify name resolution is working as intended, and it can be tested by running a query from the pfsense box. Go to Diagnostics on the main menu, select the DNS Lookup item, and type in the hostname representing the Active Directory DNS namespace. It should resolve to the entries representing domain controllers in your Active Directory domain. Successful testing makes the DNS configuration complete.
On to the guts of the configuration. Pfsense comes with the krb5 package installed so all you need to do is configure it. For that you are going to need to access the command shell. Open up your favorite SSH client and connect to the pfsense box as an administrative user. Upon successful login you’ll see the menu below.
You want to hit the command shell so choose option 8 and you will be dropped into the shell.
The first step is to configure the krb5 package to integrate with the Active Directory domain. For that you’ll need to create a krb5.conf file. Create a new krb5.conf file in the /etc/ directory and populate it with the appropriate information. I’ve included the content of my krb5.conf file as an example.
[libdefaults]
default_realm = JOURNEYOFTHEGEEK.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96
[realms]
JOURNEYOFTHEGEEK.LOCAL = {
kdc = jog-dc.journeyofthegeek.local
}
[domain_realm]
.journeyofthegeek.local = JOURNEYOFTHEGEEK.LOCAL
journeyofthegeek.local = JOURNEYOFTHEGEEK.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
Default = FILE:/var/log/krb5lib.log
Check out the MIT documentation on the options available to you in the krb5.conf. I made the choice to limit the encryption algorithms to AES128 for simplicity purposes, feel free to use something else if you wish. Once the settings are populated the file can be saved.
It’s time to test the Kerberos configuration. You do that by running kinit and authenticating as a valid user in the Active Directory domain. If the configuration is correct, klist will display a valid Kerberos ticket granting ticket (TGT) for the user.
The system is now configured to interact with the Active Directory domain using Kerberos. You now need to create a security principal in Active Directory to represent the Squid service. Create a new user in Active Directory and name it whatever you wish; I used svc_squid for this lab. Since I chose to use AES128, I had to select the account option on the user account in Active Directory Users and Computers (ADUC) indicating that the account supports Kerberos AES 128 bit encryption. You can ignore that step if you chose not to force an encryption level. Now a service principal name (SPN) for the service is needed to identify the service when a user attempts to authenticate to it. For that you’ll need to open an elevated command prompt and use the setspn command.
Wonderful, you have a security principal created and it includes the appropriate identifier. You now need to create a keytab that the service can use to authenticate to Active Directory. In comes ktpass. From the same elevated command prompt run the command as seen below.
Pay attention to case sensitivity because it matters when we’re talking MIT Kerberos, which is the Kerberos implementation pfsense is using. The link I included above will explain the options. I set the crypto option to AES128 to ensure the keytab aligns with the other options I’ve configured around encryption.
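Before copying the keytab over, it is worth checking what it actually contains, since (as the comment thread below shows) a mismatched SPN, kvno or enctype is usually the real cause of “not found in keytab” errors. The following is an added Python example, not part of the original post nor of any Squid, pfsense or Microsoft tooling: it parses the MIT keytab format that ktpass writes and applies the principal/kvno/enctype matching a GSSAPI acceptor performs (simplified and sequential; an assumption of this example). The sample keytab bytes are constructed inline with dummy key material.

```python
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961/3962 that matter for this walkthrough
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type ktpass writes for -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/proxy.example.local@EXAMPLE.LOCAL (case-sensitive)
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries):
    """Serialise entries in MIT keytab v2 (0x0502) layout. Used here only to
    construct a sample file offline; ktpass does this for you in practice."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)
        body += struct.pack(">I", 0)                 # timestamp (constructed: 0)
        body += struct.pack(">B", e.kvno & 0xFF)      # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4                   # name type (present in 0x0502)
        pos += 4                   # timestamp
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:         # 32-bit vno extension present
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, bytes(key)))
    return entries


def check_ticket_against_keytab(entries, server_principal, kvno, enctype):
    """Simplified version of the acceptor's lookup for a presented service
    ticket: exact principal match first (case matters in MIT Kerberos), then
    kvno, then enctype. Returns a short verdict string."""
    same_name = [e for e in entries if e.principal == server_principal]
    if not same_name:
        return "not found in keytab"
    same_kvno = [e for e in same_name if e.kvno == kvno]
    if not same_kvno:
        have = sorted({e.kvno for e in same_name})
        return "principal found but kvno %d missing (keytab has %s)" % (kvno, have)
    if not any(e.enctype == enctype for e in same_kvno):
        return "kvno %d found but enctype %s missing" % (kvno, ENCTYPE_NAMES.get(enctype, enctype))
    return "ok"


# Constructed sample: what ktpass -crypto AES128-SHA1 would produce for the
# walkthrough's SPN. Key bytes are dummy filler, not real key material.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/proxy.example.local@EXAMPLE.LOCAL", 3, 17, b"\x11" * 16),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    spn = "HTTP/proxy.example.local@EXAMPLE.LOCAL"
    print(check_ticket_against_keytab(entries, spn, 3, 18))   # client used AES256
    print(check_ticket_against_keytab(entries, spn, 4, 17))   # password reset bumped kvno
```

Point parse_keytab at the bytes of a real keytab to list its principals; the two failing checks at the end correspond to the enctype and kvno mismatches reported by commenters below.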
Next up you need to transfer the keytab to the pfsense box. I used WinSCP to transfer the keytab to the /usr/local/etc/squid/ directory on the pfsense box. The keytab is on the pfsense box, but you need to tell Squid where the keytab is. In a typical Squid implementation you’d define a variable in the Squid startup script which would be consumed by the authentication helper. However, this is another case where pfsense will overwrite any changes you make to the startup script.
In addition to being unable to modify the startup script, pfsense also overwrites any changes you make directly to the squid.conf file. To get around this you’ll need to add the configuration options to the config file through the pfsense GUI. From within the GUI go to the Services section of the main menu, select the Squid Proxy Server menu item, go to the General section, scroll down and hit the Advanced Options button, and scroll to the Advanced Features section. In the Custom Options (Before Auth) field, you’ll want to add the lines below.
The first four lines I’ve added here are called directives in Squid. The first directive instructs Squid to use the negotiate_kerberos_auth authentication helper. The options I’ve added to the helper set a few different configuration options for the helper. The -k option allows me to direct Squid to the keytab file I added to the server, which I couldn’t do with a variable in the startup script. The -d option writes debug information for the helper to Squid’s cache.log and the -t option shuts off the replay cache for MIT Kerberos. The second directive sets the child authentication processes to 1,000. You’ll want to do some research on this directive if you’re moving this into a production environment. I simply chose 1000 so I wouldn’t run any risk of getting my authentication requests queued for the purposes of this lab. The third directive is set to on by default and should only be set to off if you run into issues with PUT/POST requests.
The fourth directive starts enforcing access controls within Squid. Access controls within Squid are a bit weird. The Squid wiki does a decent job of explaining how they work. The short of what I’ve done in the fourth directive is create an access list called auth which will contain all users who successfully authenticate against Squid. The next line denies access (http_access deny) if the user doesn’t belong to the auth access list, blocking non-authenticated users. The final line allows access (http_access allow) to users who are in the auth list, allowing authenticated users.
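As an added illustration that is not from the original post or from Squid itself, the following Python model applies Squid’s first-match http_access semantics to the three access-control lines described above. It shows the 407 challenge an unauthenticated request receives, what happens when the ! is dropped from the deny line, and why a per-user ACL only matches when the helper strips the realm from usernames. The rulesets are constructed for the example and only proxy_auth ACLs are modelled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    # None means the request carried no usable Proxy-Authorization credentials
    user: Optional[str] = None


@dataclass
class ProxyAuthAcl:
    """'acl NAME proxy_auth REQUIRED' (empty users) or 'acl NAME proxy_auth u1 u2'."""
    name: str
    users: set = field(default_factory=set)

    def matches(self, req):
        return req.user is not None and (not self.users or req.user in self.users)


def parse_rules(text):
    """Parse the 'acl ... proxy_auth' and 'http_access' directives used on this page."""
    acls, rules = {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl" and parts[2] == "proxy_auth":
            users = set() if parts[3] == "REQUIRED" else set(parts[3:])
            acls[parts[1]] = ProxyAuthAcl(parts[1], users)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def evaluate(acls, rules, req):
    """Simplified Squid http_access evaluation: lines are tried in order, the
    terms on a line are ANDed, '!' negates a term, and the first fully matching
    line decides. Touching a proxy_auth ACL without credentials stops evaluation
    with the 407 challenge (the TCP_DENIED/407 seen in the access log). If no
    line matches, the result is the opposite of the last line's action."""
    for action, terms in rules:
        line_matches = True
        for term in terms:
            acl = acls[term.lstrip("!")]
            if req.user is None:
                return "deny (407 challenge)"
            if acl.matches(req) == term.startswith("!"):
                line_matches = False
                break
        if line_matches:
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


# The ruleset as described in the walkthrough (constructed from the prose)
CORRECT = """
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
"""

# The same ruleset with the '!' dropped from the deny line
BUGGY = """
acl auth proxy_auth REQUIRED
http_access deny auth
http_access allow auth
"""

# Per-user ACL (constructed): the helper hands Squid 'rick@EXAMPLE.LOCAL'
# unless it is started with -r, so the plain name only matches with -r
PER_USER = """
acl staff proxy_auth rick morty
http_access allow staff
"""


def decide(ruleset, user):
    acls, rules = parse_rules(ruleset)
    return evaluate(acls, rules, Request(user))


if __name__ == "__main__":
    print("correct, no creds :", decide(CORRECT, None))                  # deny (407 challenge)
    print("correct, rick     :", decide(CORRECT, "rick"))                # allow
    print("buggy,   rick     :", decide(BUGGY, "rick"))                  # deny
    print("per-user, with -r :", decide(PER_USER, "rick"))               # allow
    print("per-user, no -r   :", decide(PER_USER, "rick@EXAMPLE.LOCAL")) # deny
```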
With that last amount of configuration, you’ve gotten pfsense and Squid configured for Kerberos authentication. I’ll quickly demonstrate what a successful implementation looks like. For that I’m going to bounce over to a Windows 10 domain-joined machine with Chrome installed and configured to use the proxy server. Navigating to Amazon displays the webpage with no authentication prompts, and running klist from a command prompt shows I have a Kerberos ticket for the proxy.
Going back into the pfsense GUI, going to the Services menu, selecting the Squid Proxy Server menu item and navigating to the Real Time section shows the access log displaying Rick Sanchez accessing Amazon and successful consumption of the Kerberos ticket in the Cache Log section.
In a future post I’ll dig a bit deeper into Azure AD Cloud Discovery and setup automatic forwarding of logs using the Microsoft collector.
Have a happy New Year!
Thank you for the post. Just wondering, I am still getting authenticated when browsing; nevertheless the input credentials never work. Can you suggest where I am going wrong?
Thank you.
Hi Samer,
Can you clarify your statement? After you configure your browser to point to the proxy and you attempt to navigate to a website, what happens? Do you receive an authentication prompt?
Hi again,
Yes, I do get prompted; nevertheless it never goes through.
Below are the errors I am receiving in the real time monitoring:
Date-Time Message
03.02.2018 09:39:25 WARNING: negotiateauthenticator #Hlpr1421226 exited
03.02.2018 09:39:25 negotiate_kerberos_auth: FATAL: Local hostname could not be determined. Please specify the service principal
03.02.2018 09:39:25 negotiate_kerberos_auth: ERROR: resolving hostname with getaddrinfo: hostname nor servname provided, or not known failed
The errors indicate that Kerberos can’t identify the service principal you’re trying to authenticate to. I’d recommend the following steps:
1) Ensure the pfsense box can communicate with the domain controller for DNS resolution (TCP/UDP) 53 and Kerberos (TCP/UDP) 88, 464.
2) Ensure you’ve defined a DNS record for your pfsense box and your client can resolve it.
3) Ensure you’ve set the service principal name to the pfsense hostname and that you are using that same hostname when you configure the proxy.
Hope it helps!
Thanks for the recommendation. Another question: can I use the IP address instead of the domain name for such a configuration?
I’m pretty sure that won’t work if you want to achieve the single sign-on experience. Kerberos is highly dependent on DNS working so you’ll need it working on both the client and pfsense. I’ve never created a service principal name that was an IP address, so I can’t say if it would work or not. Since you’ll need DNS functioning anyway, go with a hostname.
Thanks for the information. Now I am facing the below errors; what could be the problem with my configuration?
Date-Time Message
31.12.1969 22:00:00 negotiate_kerberos_auth: WARNING: received type 1 NTLM token
31.12.1969 22:00:00 negotiate_kerberos_auth: DEBUG: Decode ” (decoded length: 40).
31.12.1969 22:00:00 negotiate_kerberos_auth: DEBUG: Got ” from squid (length: 59).
Thanks
Hi. The error indicates you are falling back to NTLM, which is the challenge response partner of Kerberos in the Negotiate authentication package. At this stage you need to break out a packet capture tool such as WireShark and do some analysis on the conversation. If you are planning on using Kerberos outside of a lab, doing some traffic analysis to chase down an error like this is great practice for you. Best of luck!
Hi again, I have been busy for a while and didn’t have time to continue troubleshooting pfsense auth against AD Kerberos. I have noticed something: when running kinit after configuring the krb5 file, no ticket is being output. No error, but no ticket either. Is that normal?
Please disregard my latest post, as I didn’t run klist after the kinit command.
Regards,
Hello, my error:
negotiate_kerberos_auth: ERROR: gss_accept_sec_context () failed: Unspecified GSS failure. Minor code may provide more information. Request ticket server HTTP/proxy.example.local@EXAMPLE.LOCAL not found in keytab (ticket kvno 3)
What does it mean, and how do I repair it?
Hi there. It looks like the SPN you specified is not included in the key tab you are using. You need to go back and create a new key tab with the correct SPN.
My SPN was created successfully, but the user logon name has changed to “HTTP/proxy.example.local” after ktpass. Is that ok?
Yes, that is expected. Your best bet if you are still having issues is to do a packet capture with tcpdump. It will provide you with more detailed information as to the failure than that KRB5 library. It’s my go to method of resolving Kerberos problems.
Installed wireshark, captured the moment of authorization. Which parameter should I look at?
If there is an error during authentication you will see some packets denoting that. Dig into the packet and you should come across a more detailed error. Then it is a matter of searching for information on that error using the power of Google. From personal experience, error with key tabs are typically mismatching SPNs, KVNOs, or ciphers.
Wireshark tells me that my computer sends rst,ack after the request of the proxy to authorize. I’m trying to go to google.com via IE, and the login window appears.
You’ll want to make sure your browser is configured to use integrated Windows authentication. If you’re using IE, the site needs to be added to the Intranet Security Zone.
Used your recipe and everything worked perfectly! I was having issues similar to Samer with the NTLM v1 error. Turned out that Kerberos requires the proxy be set by name not IP address. Updated the browser to use the name and everything worked great! Thanks!
Glad it worked for you! Great job identifying the problem you encountered!
Kerberos is very dependent on DNS working correctly. When it fails, the client tries to find an SPN for the IP, which doesn’t exist, causing the transaction to error out.
I’m using the fqdn name for proxy. Perhaps, not fully created keytab. The size is 382 bytes. What is your size?
Hello all,
Been away for a while; glad to hear that someone was able to solve the mystery :))
Regarding the domain service account / username: does it have to be a domain admin user?
Thanks, and today I am looking forward to solving this issue!
Hi Samer. It does not have to be a domain admin, just a standard user in the directory.
I fixed my keytab; the next error I got:
kvno 3 enctype aes256-cts found in keytab but cannot decrypt ticket
I deleted the enctypes in krb5.conf, and it’s working! ^_^
Nice job! You also get to come away with much more knowledge of the protocol than you had going in. Well done
Guys, I am receiving this error:
negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching
That error indicates an issue where the principal you are requesting the ticket for doesn’t match. I’d suggest verifying that DNS resolution works for the hostname of your proxy, that your SPN is set correctly, and re-creating your keytab.
Remember case sensitivity matters.
Got Kerberos, but there are a lot of TCP_DENIED / 407 errors in the logs, for each domain request by mistake. Does the browser try to log in using a different protocol? If so, how do I fix it?
From my understanding you should always see a TCP_DENIED/407 for every connection. It is at that point the browser is challenged and will provide the auth credentials and allow the connection. So, this is normal.
That is correct.
Ok, this is normal. But I got a random error in the browser when I try to connect to a web site or follow a link.
61 connection refused (when proxy installed on FreeBSD)
111 connection refused (when proxy installed on Linux)
I don’t recall coming across those errors but they look specific to Squid. I’d recommend you do some digging.
I do remember having a ton of issues with HTTPS sites timing out. I had to enable the option in pfSense for Squid which forced IPv4 DNS resolution first. Not related I’m sure, but figured it would be worth mentioning.
This option is checked. Maybe try to build Squid v4?)
I never tried a new build, but I’ll be curious as to how it goes for you. I was too frightened of blowing up my pfSense box. 🙂
CPU load is very high with Kerberos. Where must I paste “KRB5RCACHETYPE=none export KRB5RCACHETYPE” in /usr/local/pkg/squid.inc?
Hi guys, let’s suppose I was able to successfully authenticate. What if I want to set the internet proxy to auto detect rather than setting the proxy manually, using DHCP not DNS, since DNS propagates to other sites while DHCP is exclusive to a single site?
Can you help me with such a configuration?
Hi Samer,
Could you clarify your requirements? It sounds like you are setting the proxy manually or through GPO right now but want to change it to auto detect. If you are using Windows boxes as clients, you can check out WPAD (https://docs.microsoft.com/en-us/dotnet/framework/network-programming/automatic-proxy-detection)
Hello Matt,
Yes, it is going to be WPAD using DHCP rather than DNS, since DNS is replicated on different subnets / DC sites… I was wondering how to make it work, since the above configuration only works when putting the DNS name, not the IP.
P.S.: setting the proxy on the client machine using the IP keeps on asking for credentials.
Guys, please check my krb5.conf file below (I have replaced the domain and the DC name):
[libdefaults]
default_realm = DOMAINNAME.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
DOMAINNAME.LOCAL = {
kdc = dc.domainname.local
}
[domain_realm]
.domainname.local = DOMAINNAME.LOCAL
domainname.local = DOMAINNAME.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
Default = FILE:/var/log/krb5lib.log
PLEASE SHARE YOUR OPINION, IN CASE ANYTHING NEEDS TO BE FIXED.
Okk!! Please ignore the above post; things are working fine now!! Just need to get the DHCP WPAD & autodetect thing.
Great to hear Samer!
Windows Server DHCP Auto Discover + hostname / DNS name wpad is not working!!
Any suggestion?
DHCP WPAD using the IP address keeps prompting for credentials.
I don’t believe you’ll be able to get Kerberos working if the user’s machine is making web requests to the proxy using its IP. The user’s machine needs to make requests for a hostname that you have configured as an SPN for the service account and have set in the keytab.
Please advise how to work it out. I want to use DHCP WPAD and not DNS WPAD.
Tried to set it in DHCP (for example: http://hostname/wpad.dat), not working; it only works when I set it to http://Ipaddress/wpad.dat.
I’ve never set a proxy via WPAD and have typically used GPOs, but I understand that is very Microsoft-centric. If it is failing using the hostname, then you have either a DNS issue (where the machines are unable to resolve the hostname you are entering) or an SPN/keytab issue where the service principal name you are using hasn’t been defined.
I’d suggest doing a packet capture on an affected machine to further troubleshoot the issue.
Guys, I am hesitant about Windows Server Active Directory authentication consistency. It seems the users are losing internet frequently, or sometimes non-domain users are not getting authenticated and the username/password window keeps popping up.
Hi Samer. Non-domain joined users would be falling back to NTLM and should be expected to receive a username and password prompt. I’m not sure how Squid handles NTLM Authentication so you may want to do more research there.
I’ve never used squid running on pfsense with AD authN in an enterprise environment so I can’t speak to how well it scales. Perhaps another commentator can chime in on their experience.
Good day Matt.
This is the first article I find on the internet that gives a simple and efficient way to configure Kerberos with Pfsense, thank you.
I followed your instructions and it seems kerberos is ok : if I use klist I can see that I get a ticket.
I configured Spn and the krb file, no issue so far.
I added the instructions in the custom options, applied the new settings and tried to connect to the internet.
It’s still working (IE or Firefox) but I do not see any authentication mechanism in the log and there is no more kerberos ticket than the one I got when I used klist. It seems that I must configure something to tell squid ‘now use kerberos’.
Squid authentication is set to ‘none’ but the only other options are LDAP, captive portal, local and RADIUS. Do I need to configure one of them or something else to use Kerberos?
Regards.
Hi Olivier. I blew up my AD and Squid implementation a while back, but I don’t recall there being any additional configuration to turn on the option beyond custom options box in Pfsense.
Did you check the Squid logs on Pfsense? You can also try doing a Fiddler capture to take a deeper look at the session to figure out what is going on.
Dear Matt,
What a great tutorial! Thank you, it really worked like a charm!!
I have a question if I may 🙂
Were you able to make squidGuard work with ACL Groups querying Active directory groups?
Best regards,
Tarek
I never had a chance to test that out Tarek. If you end up going that route, I’d love to hear about your experience!
negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching HTTP/192.168.1.42@
First, very nice article. I was hoping you might know why I get the above error. It’s weird that it has the IP when I have not specified an IP anywhere other than the obvious DNS record. It’s also weird that it’s a new line after the @ symbol. Client ticket is fine, and browser proxy is FQDN DNS. At a loss. I did try a keytab with IP for kicks.
Hi Jarrod. What do you have the proxy server defined as in your browser? That error to me would seem to indicate that the proxy server is defined as an IP in the web browser.
Thanks for responding; the fully qualified name is specified in the browser. To be fair I did initially have the IP until I realized it. I went back and cleared credential manager too just to be safe but had the same issue. What’s interesting is I swapped the keytab with one built using the IP and after some time I noticed the log showing the name in the request; the problem then is that the keytab no longer had the name.
Very odd. What SPN is set on the service account in AD?
HTTP/proxy.domain.local and I tried adding HTTP/10.0.0.25
You shouldn’t have to add the IP. What was the command you used to create the keytab?
ktpass -out C:\squidproxy.keytab -princ HTTP/proxy.domain.local@domain.local -mapUser svc_squid@domain.local -crypto AES128-SHA1 -pass Password1 -ptype KRB5_NT_PRINCIPAL
Try doing a Wireshark packet capture on the client machine when you browse the web. That should give you a specific error code we can troubleshoot further
Thank you, I will try that out tomorrow as it’s getting late. In the meantime I did add a second SPN for the keytab using the IP, so the keytab has both IP and DNS. I now get “negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Request ticket server HTTP/proxy.domain.local@DOMAIN.LOCAL found in keytab but does not match server principal HTTP/192.168.1.42@”
That error sounds to me like the pfsense box itself thinks its principal name is that second principal with the IP. Has the hostname been set on the pfsense box so that it knows its own name?
I had thought the same thing but the hostname is set correctly as well as the domain suffix. I checked through the web interface and don’t see any other potential reference points.
Hello! I tell you that I managed to make this configuration work with squidGuard. The secret is in negotiate_kerberos_auth: add -r, which basically removes the Kerberos realm component from usernames. “Custom options (before authentication)” would look something like this:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k /usr/local/etc/squid/squidproxy.keytab
auth_param negotiate children 1000
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
Otherwise it does not work because pfsense does not allow filtering by user names that contain @.
I hope it is useful to someone.
Thanks Jorge!
Thank you very much! With this instruction, I was able to configure Kerberos. Be careful when typing; I made a lot of mistakes in a hurry, and then I had to look for them.
This walkthrough really helped me! Thanks Matt, greetings from Brazil.
Glad it helped Bruno!
Hi,
I tried with DC Windows 2019, pfsense 2.4.4p3, squid + squidguard latest version available in pfsense, and it works correctly!!!
Great to hear!
Wanted to touch base and let you know that it's now working after I built a new pfSense box. It was probably something stupid I was doing, but anyway I wanted to say THANK YOU! This guide was amazing and one of a kind!
Awesome! Glad you got it working.
Thank you for your sharing. This was what I was looking for.
I tried to do it, however I am having this error -> /pkg_edit.php: The command ‘/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf’ returned exit code ‘1’, the output was ‘2020/06/14 03:42:41| /usr/local/etc/squid/squid.conf:91 unrecognized: ‘/usr/local/etc/squid/squidproxy.keytab”
Can you help me please?
Thanks for everything
Hi Renato. I’m no Squid expert unfortunately. However, from the looks of the error I would double check your Squid config for typos, validate that squidproxy.keytab is the correct filename and that it’s in the correct directory, and lastly try recreating the keytab if all else fails.
Hi there, currently trying to get it working but I'm getting this error. I did the setspn step, but ktpass is getting the error:
C:\Windows\system32>ktpass -out C:\squidproxy.keytab -princ HTTP/apolo.casa.local@CASA.LOCAL -mapUser squid@CASA.LOCAL -crypto AES128-SHA1 -pass -ptype KRBS_NT_PRINCIPAL
unknown option ‘KRBS_NT_PRINCIPAL’.
Command line options:
Thank you
Hi there,
You have an S instead of a 5 in “KRBS_NT_PRINCIPAL”. Change it from an S to a 5.
These are my custom options; not sure if I did it correctly as I didn't see the picture clearly. So my question is, if the user is not in the domain, can they not use the proxy?
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
auth_param negotiate children 1000
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny auth
http_access allow auth
It’s been a long time since I worked on this, but the user you’re trying to authenticate to the proxy must exist in the Active Directory domain. I’d recommend revising these options against the official Squid documentation to ensure nothing has changed between versions.
Thanks for the reply. So I changed it to the 5 and got it to work, but after all the steps, when I try to navigate I get the popup, and the computer is in the domain.
Thank you again for the reply. As the user is in AD (it is the administrator), I checked the documentation and did not see any change. When it checks for the user, does it check the whole OU or only where the user svc_squid is located?
Thank you
Hi again, I could not get it working. If it's possible, I could pay if you can help me to get it to work?
Hi there. I wish I could but unfortunately my current job keeps me pretty busy. It’s not an easy integration, so don’t feel bad that you are struggling. I did as well when I first set it up.
Your best bet is to reference the Squid documentation and pay close attention to the specific Kerberos errors you’re receiving.
There are previous comments in this thread from other commenters that include some great troubleshooting tips.
Thanks for the reply. On the Windows machine that is in AD (as the administrator) I run klist, but I'm getting this:
The ID. current login is 0: 0xb410d
Cached vouchers: (0)
which I guess does not match your photo.
I think that's the issue, if not?
Also, checking the logs I found this:
WARNING: negotiateauthenticator #Hlpr1558 exited
Hi there, finally I got it to authenticate on the Squid proxy, but I still get the popup. Any ideas??
Nice progress! Make sure your browser is configured for Integrated Windows Authentication. Configuration of this setting differs per browser. I’d recommend testing in a Microsoft-native browser on a domain-joined machine to establish a steady state.
If you are still getting the pop-up at that point, you’ll need to break out a protocol analyzer such as Wireshark and do some captures to determine the specific Kerberos error.
Hope that helps!
Thanks for the reply. So I put Wireshark on the server and the only thing I found was this,
something with Squid cache?
I didn't find anything with Kerberos.
ERROR: Cache Access Denied
Very odd, never seen that one before. Maybe a permissions issue with the pfSense package for Squid?
So I realized something: the line that I removed that let me navigate is http_access deny auth.
My question is where did you save the acl auth proxy_auth? I did not find the location of the file or the way to configure it, which I think might be the issue.
Also, another thing I realized: not sure why I sometimes have connection lost on Squid. If I check the logs you will see some sites showing denied and others connect; not sure why.
Farzad, the denied-before-allowed always happens. Squid denies first while the Kerberos ticket is established; you can ignore this type of event when coupled with a success for the user.
Thanks mattfeltonma, these were perfect instructions, although I had some teething issues at the start; a lot of these comments and your answers helped with that.
This is for anyone looking to get this working and use AD groups but are having issues with both.
This config worked for me. I had issues with initial Kerberos auth and then struggled to find info on using Kerberos on pfSense to authenticate users using AD group membership. Limiting searches to Squid on pfSense provides little to no useful results.
Environment: Windows Server 2012 R2 domain controller with Pfsense 2.5.1 firewall/proxy.
Follow the steps provided in mattfeltonma’s article here to get Kerberos working to begin with. My problem initially was that the klist output always showed a valid ticket being issued, but after setting up the Squid advanced options the browser repeatedly prompted for creds.
Wireshark on the server showed pfSense requesting encryption type 0x12 as I’d set Squid to use AES256, while the server was issuing a 0x14 response assigning RC4 encryption, so the exchange never worked for authorising the browser session in Squid.
I had to change the keytab step to use “-enctype ALL” to get Squid to accept the RC4 authentication ticket, after that I had keytab errors in the Squid log so had to remove the default and permitted enctypes lines in the KRB5.CONF file.
(This is something I need to work through in our environment, but I was being pressed to get this working, in a production system with no lab to test.)
After this change the browser never prompted again and the user was permitted Internet access with an authenticated kerberos ticket.
If you just need to authenticate users silently with Kerberos, this is enough.
The next hurdle I had was to get it working for some users in the Internet_Access group but deny any others who are restricted.
You need to make sure kerberos auth is working first with Matt’s article, then add some info to the advanced section of the Squid config via the gui, using the “external_acl_type” command.
Ignore posts suggesting setting up Squid Guard to use an ACL with an LDAP search string and don’t bang your head against a wall wondering why your authentication server in Pfsense settings which uses ldap also isn’t working for this, just specify the info within the Squid config instead.
Here is my working section of the advanced options from the pfSense Squid GUI:
——————–
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k /usr/local/etc/squid/squidproxy.keytab
auth_param negotiate children 1000
auth_param negotiate keep_alive on
external_acl_type kerberos_group ttl=60 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_Access -l ldap://SERVERNAME.DOMAIN.LOCAL -u squid_svc -p BLANKED-OUT -D DOMAIN.LOCAL
acl GroupProxy external kerberos_group
http_access allow GroupProxy
http_access deny all
——————–
If you leave the original “acl auth proxy_auth REQUIRED” or “http_access deny !auth” then this doesn’t work, since pfSense needs the Kerberos info to set up a ticket for the user but not the auth acl for this; it only needs to know if they are a member of a group resolved with the LDAP search and apply access for the group acl.
The ttl I set to 60 seconds so we could get quick results but in production use we’ll increase this as group membership doesn’t change that often.
Last two lines allow the AD group access and deny all others.
Credit also to TEKFIK for his Squid article here: https://www.tekfik.com/kb/linux/squid/squid-configuration-to-allow-internet-access-to-specific-ad-group
Although a little sparse it held the key to making AD groups work after getting kerberos running.
Remember, Squid on Pfsense is still Squid and the default options available cover a lot of platforms so don’t limit your searches to Pfsense articles only.
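The thread above turns on a few recurring Squid config slips: the “deny auth” line without a “!” (which denies every authenticated user and makes the following allow unreachable), running negotiate_kerberos_auth without -r when squidguard needs realm-less usernames, and keeping the proxy_auth acl alongside the external Kerberos group acl. The small linter below is an added example, not code from the post or its commenters; the two config samples are constructed from the snippets in this thread, with the LDAP bind password replaced by a placeholder.

```python
# Constructed samples: the first reproduces a commenter's snippet above whose
# "deny auth" lacks the '!'; the second is the working group config (password blanked).
BROKEN_CONF = """\
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
auth_param negotiate children 1000
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny auth
http_access allow auth
"""
GROUP_CONF = """\
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k /usr/local/etc/squid/squidproxy.keytab
auth_param negotiate children 1000
auth_param negotiate keep_alive on
external_acl_type kerberos_group ttl=60 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_Access -l ldap://SERVERNAME.DOMAIN.LOCAL -u squid_svc -p PLACEHOLDER -D DOMAIN.LOCAL
acl GroupProxy external kerberos_group
http_access allow GroupProxy
http_access deny all
"""

def lint_squid_auth(conf: str) -> list[str]:
    """Flag the Kerberos/ACL pitfalls raised in this thread.
    Squid evaluates http_access lines top to bottom; the first match wins."""
    findings, acl_type, denied = [], {}, set()
    for ln in conf.splitlines():
        p = ln.split("#", 1)[0].split()          # drop comments, tokenize
        if not p:
            continue
        if p[0] == "acl" and len(p) >= 3:
            acl_type[p[1]] = p[2]                 # acl name -> acl type
        elif p[:3] == ["auth_param", "negotiate", "program"] and "-r" not in p:
            findings.append("negotiate_kerberos_auth lacks -r: usernames keep the @REALM "
                            "suffix, which the pfSense squidguard user filter cannot match")
        elif p[0] == "http_access" and len(p) >= 3:
            action = p[1]
            for term in p[2:]:
                name = term.lstrip("!")
                if (action == "deny" and not term.startswith("!")
                        and acl_type.get(name) == "proxy_auth"):
                    findings.append(f"'http_access deny {name}' denies every authenticated "
                                    f"user; the intended form is 'http_access deny !{name}'")
                    denied.add(name)
                elif action == "allow" and name in denied:
                    findings.append(f"'http_access allow {name}' is unreachable after the deny")
    if "external" in acl_type.values() and "proxy_auth" in acl_type.values():
        findings.append("proxy_auth REQUIRED acl kept alongside the external kerberos group "
                        "acl: a commenter above reports group access only worked without it")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("group", GROUP_CONF)):
        print(label, lint_squid_auth(conf) or "no findings")
```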
This is awesome detail! Thanks so much for contributing!
Oops, quick correction;
“I had to change the keytab step to use “-enctype ALL” to get Squid to accept the RC4 authentication ticket”
That should have stated “-crypto ALL” option in ktpass.