| Line 15: | Line 15: | ||
On the Windows DNS server create a HOST(A) record that points to the squid server. | On the Windows DNS server create a HOST(A) record that points to the squid server. | ||
As mentioned above the AD Username must match the squid servers FQDN.<br> | As mentioned above the AD Username must match the squid servers FQDN.<br> | ||
| + | |||
| + | |||
| + | |||
| + | == Creating the KeyTabs == | ||
| + | Now we need to map the AD user account to a Kerberos service principal. This is done from the command line using '' ktpass.exe ''.<br> | ||
| + | KTPASS Usage: | ||
| + | ktpass -princ SERVICE/FQDN@NT-DNS-REALM-NAME -mapuser <USERNAME> -pass <PASSWORD> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab | ||
| + | Example: | ||
| + | ktpass -princ HTTP/[email protected] -mapuser web-proxy.domain.lan -pass Str0ngP@ssw0rd -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab | ||
| + | |||
| + | '''Note:''' The '-crypto' and '-ptype' vary depending on what version of Windows Server you're running.<br> | ||
| + | Windows 2008 - 2008 R2: | ||
| + | -crypto RC4-HMAC-NT | ||
| + | -ptype KRB5_NT_PRINCIPAL | ||
| + | <br> | ||
| + | Windows 2003 SP1 - 2003 R2: | ||
| + | -crypto RC4-HMAC-NT | ||
| + | -ptype KRB5_NT_SRV_HST | ||
| + | <br> | ||
| + | Windows 2003: | ||
| + | -crypto DES-CBC-MD5 | ||
| + | -ptype KRB5_NT_PRINCIPAL | ||
| + | <br> | ||
| + | Windows 2000: | ||
| + | -crypto DES-CBC-MD5 | ||
| + | |||
| + | <br> | ||
| + | Once the .keytab is created it needs to be transferred to the squid server. [http://winscp.net WinSCP] works well for this, but a thumb drive or CD would also work. | ||
| + | |||
| + | |||
Revision as of 16:57, 7 March 2011
Contents
Kerberos
Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.
This is particularly useful for Single Sign On authentication against Windows Active Directory.
Windows
Active Directory Account
Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU. The username for this account must match the hostname of the squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain, so its best to avoid it. The "User Login name" should reflect the FQDN of the squid server. In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan parts and use just "web-proxy" for that username.
DNS & Hostname
On the Windows DNS server create a HOST(A) record that points to the squid server.
As mentioned above the AD Username must match the squid servers FQDN.
Creating the KeyTabs
Now we need to map the AD user account to a Kerberos service principal. This is done from the command line using ktpass.exe .
KTPASS Usage:
ktpass -princ SERVICE/FQDN@NT-DNS-REALM-NAME -mapuser <USERNAME> -pass <PASSWORD> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab
Example:
ktpass -princ HTTP/[email protected] -mapuser web-proxy.domain.lan -pass Str0ngP@ssw0rd -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab
Note: The '-crypto' and '-ptype' vary depending on what version of Windows Server you're running.
Windows 2008 - 2008 R2:
-crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Windows 2003 SP1 - 2003 R2:
-crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST
Windows 2003:
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
Windows 2000:
-crypto DES-CBC-MD5
Once the .keytab is created it needs to be transferred to the squid server. WinSCP works well for this, but a thumb drive or CD would also work.
FreeBSD
You'll also need to set the hostname of the squid server to match the DNS record you just created.
On FreeBSD you set the hostname in /etc/rc.conf by setting:
hostname="web-proxy.domain.lan"
You'll also need to change /etc/hosts to match
192.168.99.254 web-proxy.domain.lan web-proxy
Now reboot your FreeBSD box to make the changes take effect.