[HOWTO] Configure Squid Proxy for Kerberos Authentication Using Centrify's keytabs

Authentication Service

1 October,20 at 03:56 PM

The purpose of this article is to demonstrate an implementation of Centrify's keytab with another application. Centrify is not responsible for the setup below nor do we support it.

What is Squid Proxy and why should I care?

Squid Proxy gives organizations greater control over web-browsing practices through access control lists (ACLs) and reduces bandwidth use by caching webpages for faster retrieval. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL.

Setup is as simple as ABC:

A. Installation and configuration of Centrify Infrastructure Services
B. Installation and configuration of Squid Proxy
C. Testing and confirmation

For our demonstration, we will be using these configurations:
Squid server hostname: squid
Squid server IP address:

Active Directory administrative account:

A. Installation and configuration of Centrify Infrastructure Services

1. Confirm the server's forward and reverse lookup with nslookup:
nslookup <hostname>
nslookup <ip address>

2. Install CentrifyDC and CentrifyDC-openssh. Instructions to do so can be found here.

3. Join the server to the domain with adjoin:
adjoin -z <zone name> -c <container to place computer object> -u <domain admin> <domain name>
e.g. adjoin -z global_nix -c "ou=computers,ou=centrify,dc=moon,dc=cat" -u

4. Add HTTP service principal names using adkeytab:
adkeytab --addspn --principal http/<FQDN of host>@<domain name> --principal http/<short name of host>@<domain name> -u <domain admin>
e.g. adkeytab --addspn --principal http/ --principal http/squid@MOON.CAT -u


5. Make the Centrify keytab readable by the squid user with chown. If the squid account does not exist yet, run this after installing Squid in step B.1:
chown squid:squid /etc/krb5.keytab

B. Installation and configuration of Squid Proxy

1. Install Squid Proxy using yum:
yum install squid

2. Allow port 3128 (Squid Proxy's listening port) on the firewall and restart the service:
firewall-cmd --zone=public --add-port=3128/tcp --permanent
systemctl restart firewalld

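3. Configure Squid Proxy to use the keytab generated by Centrify and Kerberos authentication.
At the top of /etc/squid/squid.conf, add the following lines. Squid applies the first http_access rule that matches a request, so the deny rule has to come before any allow rules already in the file: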
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/krb5.keytab -d -s http/<FQDN of host>@<domain name>
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated_user proxy_auth REQUIRED
http_access deny !authenticated_user


More information about the configuration file can be found here

4. Create a cache for Squid Proxy and start the service:
squid -z
systemctl start squid
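
A pre-start check for the lines added in step B.3 and the keytab from step A.5, as an added example that is not part of the original article or of Centrify's tooling. The function names, the sample host and realm (squid.example.test, EXAMPLE.TEST), the `localnet` allow rule and the owner-only keytab policy are assumptions made for illustration.

```shell
# Added example, not from the article: sanity checks for the step B.3 lines.

# Print the argument after option $2 on the "auth_param negotiate program" line of file $1.
negotiate_opt() {
    awk -v opt="$2" '$1 == "auth_param" && $2 == "negotiate" && $3 == "program" {
        for (i = 4; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }' "$1"
}

# Succeed only if the deny rule comes before the first "http_access allow";
# Squid stops at the first http_access line that matches a request.
deny_precedes_allow() {
    awk '$1 == "http_access" && $2 == "deny" && $3 == "!authenticated_user" { ok = 1; exit }
         $1 == "http_access" && $2 == "allow" { exit }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed only if file $1 exists and grants nothing to group or other (assumed policy).
keytab_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check on the squid.conf at $1; return non-zero if any check fails.
check_squid_negotiate() {
    rc=0; keytab=$(negotiate_opt "$1" -k); spn=$(negotiate_opt "$1" -s)
    case $spn in
        ''|*'<'*) echo "FAIL: -s principal missing or still a placeholder"; rc=1 ;;
        */*@*)    echo "ok: principal $spn" ;;
        *)        echo "FAIL: -s value is not service/host@REALM: $spn"; rc=1 ;;
    esac
    if keytab_private "$keytab"; then echo "ok: keytab $keytab is owner-only"
    else echo "FAIL: keytab '$keytab' missing or open to group/other"; rc=1; fi
    if deny_precedes_allow "$1"; then echo "ok: deny rule precedes first allow"
    else echo "FAIL: deny !authenticated_user is not before the first allow"; rc=1; fi
    return $rc
}

# Constructed sample: the relevant step B.3 lines plus one allow rule in $1/squid.conf,
# with an empty stand-in keytab of mode $2. Host and realm names are made up.
make_sample() {
    : > "$1/krb5.keytab"; chmod "$2" "$1/krb5.keytab"
    cat > "$1/squid.conf" <<EOF
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k $1/krb5.keytab -d -s http/squid.example.test@EXAMPLE.TEST
acl authenticated_user proxy_auth REQUIRED
http_access deny !authenticated_user
http_access allow localnet
EOF
}

tmp=$(mktemp -d); make_sample "$tmp" 600; check_squid_negotiate "$tmp/squid.conf"
```

On a real host, call check_squid_negotiate /etc/squid/squid.conf before starting the service.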

C. Testing and confirmation

1. Tail the Squid Proxy log file:
tail -f /var/log/squid/cache.log

2. Route traffic to the Squid Proxy on a Windows machine by configuring the proxy server under Local Area Network (LAN) Settings in Internet Options.

3. From your favorite browser, navigate to a website and watch the tail of the log. We should see a successful Kerberos negotiation with the AD account of the user we're logged in as.