Configuring Authentication on Active Directory for Squid Proxy
This guide describes, step by step, how to configure Kerberos authentication for a Squid proxy server integrated with Active Directory (AD). This is one of the end-user authentication options available on Nullafi Shield. Its primary advantage is transparent authentication: domain users browse through the proxy without being prompted for credentials.
Prerequisites
- Active Directory Domain: Ensure you have an Active Directory domain set up and accessible.
- Kerberos and DNS Configuration: Ensure your AD is properly configured for Kerberos authentication and DNS resolution.
- Squid Proxy Server: Have Squid proxy installed and running on your server.
Network Configuration
Step 1: Configure DNS
- On the server hosting the Squid service, specify the IP address of the DNS server or servers used with Active Directory.
- Make sure that the Active Directory DNS zone is available. To do so, execute the command (the dig utility may require installing the bind-utils package first):
dig +short <Active Directory domain>
- You will see the A entries of the Active Directory domain controllers.
- Make sure that there is a PTR entry for each domain controller. To do so, execute the command:
host <domain controller IP address>
- You will see the PTR entry of the Active Directory domain controller.
- Set the name of the server hosting the Squid service. To do so, execute the command:
hostnamectl set-hostname <name of the server hosting the Squid service>
- The name of the server hosting the Squid service must match the name of this server on the DNS server.
- Add A and PTR entries on the Active Directory DNS server for the server hosting the Squid service.
- Make sure that the Active Directory domain controller is accessible from the server hosting the Squid service. To do so, execute the command:
ping <Active Directory domain controller name>
- Make sure that the server hosting the Squid service is accessible from the Active Directory domain controller. To do so, execute the command:
ping <name of the server hosting the Squid service>
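The checks in Step 1 are easy to get subtly wrong (a short host name, an A record without a matching PTR), and a mismatch surfaces later only as browsers looping on 407 challenges. The script below is an added example, not part of the original guide, that runs those checks from the Squid host and prints the service principal the rest of the guide expects. SQUID_FQDN, AD_DOMAIN and DC_NAME are placeholder values for your site; dig and ping are assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the original guide): pre-flight checks for the Step 1
# DNS requirements, run on the server that will host Squid.
# SQUID_FQDN, AD_DOMAIN and DC_NAME are placeholder values; set them for your site.
SQUID_FQDN="${SQUID_FQDN:-squid.example.com}"   # must match the A and PTR entries in AD DNS
AD_DOMAIN="${AD_DOMAIN:-example.com}"
DC_NAME="${DC_NAME:-dc1.example.com}"

# --- pure string helpers (no network) ---

# By AD convention the Kerberos realm is the DNS domain in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Principal that setspn/ktpass register and that squid.conf passes to the helper with -s.
service_principal() {  # $1 = Squid FQDN, $2 = AD DNS domain
    printf 'HTTP/%s@%s\n' "$1" "$(realm_for_domain "$2")"
}

# Returns 0 when $1 is a fully qualified name below domain $2. A short host name means
# hostnamectl set-hostname has not been run, and the SPN the browser derives from the
# proxy name will not match the one registered in AD.
is_fqdn_in_domain() {  # $1 = host name, $2 = AD DNS domain
    case "$1" in
        *."$2") return 0 ;;
    esac
    return 1
}

# --- live lookups (wrapped so an empty answer is empty output, never a script abort) ---

forward_a() { dig +short "$1" A 2>/dev/null || true; }

reverse_ptr() {  # PTR name for an IP, without the trailing dot that dig prints
    dig +short -x "$1" PTR 2>/dev/null | sed 's/\.$//' || true
}

# Every A record of $1 must have a PTR that points back to exactly $1.
check_forward_reverse() {
    name="$1"; ok=0
    addrs="$(forward_a "$name")"
    if [ -z "$addrs" ]; then
        echo "FAIL: no A record for $name"
        return 1
    fi
    for ip in $addrs; do
        ptr="$(reverse_ptr "$ip")"
        if [ "$ptr" = "$name" ]; then
            echo "OK:   $name -> $ip -> $ptr"
        else
            echo "FAIL: $name -> $ip -> PTR '${ptr:-<none>}' (expected $name)"
            ok=1
        fi
    done
    return $ok
}

main() {
    rc=0
    me="$(hostname)"
    if is_fqdn_in_domain "$me" "$AD_DOMAIN"; then
        echo "OK:   host name $me is inside $AD_DOMAIN"
    else
        echo "FAIL: host name '$me' is not an FQDN in $AD_DOMAIN (see hostnamectl set-hostname)"
        rc=1
    fi
    dcs="$(forward_a "$AD_DOMAIN")"
    if [ -z "$dcs" ]; then
        echo "FAIL: $AD_DOMAIN does not resolve; check the DNS server address on this host"
        rc=1
    fi
    for ip in $dcs; do   # each domain controller needs a PTR entry
        ptr="$(reverse_ptr "$ip")"
        if [ -n "$ptr" ]; then echo "OK:   DC $ip has PTR $ptr"; else echo "FAIL: DC $ip has no PTR"; rc=1; fi
    done
    check_forward_reverse "$SQUID_FQDN" || rc=1
    if ping -c 1 -W 2 "$DC_NAME" >/dev/null 2>&1; then
        echo "OK:   $DC_NAME reachable"
    else
        echo "FAIL: $DC_NAME not reachable"
        rc=1
    fi
    echo "Service principal to register in Step 2: $(service_principal "$SQUID_FQDN" "$AD_DOMAIN")"
    return $rc
}

# Live checks run only when invoked as:  sh squid-dns-check.sh check
if [ "${1:-}" = "check" ]; then
    main
fi
```

The reverse check is strict on purpose: the browser builds the SPN from the proxy name it was configured with, so the Squid host's A record, its PTR record and the name passed to hostnamectl all have to agree, and that name is the one you will use for setspn and ktpass in Step 2.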
Step 2: Create a Service Account for Squid in Active Directory
- Open Active Directory Users and Computers: on your AD server, open "Active Directory Users and Computers".
- Create a new user: navigate to the appropriate Organizational Unit (OU) or create a new one; right-click and select New > User; name the user, e.g. squidproxy; assign a password and make sure that "Password never expires" is checked.
- Set the SPN for the user: open Command Prompt as Administrator on the AD server and set the Service Principal Name (SPN) for the user with the following command (squidproxy is the service account created above):
setspn -A HTTP/<squid-server-name>.<domain-name> <domain-name>\squidproxy
Example:
setspn -A HTTP/squid.example.com example\squidproxy
- Generate a keytab file: run the following command to generate a keytab file for Squid (the realm after @ is the domain name in upper case, as in the example):
ktpass -princ HTTP/<squid-server-name>@<domain-name> -mapuser <domain-name>\squidproxy -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass <password> -out squid.keytab
Example:
ktpass -princ HTTP/squid.example.com@EXAMPLE.COM -mapuser example\squidproxy -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass Password123 -out squid.keytab
- Copy the squid.keytab file to your Squid server.
Nullafi Team side
To configure Squid, the Nullafi team needs the following information:
- Squid server name (full hostname)
- Domain (full local domain)
- Domain Controller IP address
- Keytab file generated in Step 2
Step 3: Configure Squid for Kerberos Authentication
- Install required packages: make sure your Squid server has the required packages installed:
sudo apt-get install krb5-user squid
- Copy the keytab file: copy the squid.keytab file to the Squid server, typically into /etc/squid/.
- Configure Kerberos authentication: edit the Squid configuration file, usually located at /etc/squid/squid.conf, and add the following lines:
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<squid-server-name>@<domain-name>
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
- Replace <squid-server-name> and <domain-name> with your actual server and domain names. The principal after -s must be exactly the one given to ktpass -princ, and -k points the helper at the keytab copied in the previous step. Keep the auth_param lines before the acl that uses them, and this http_access allow line before any http_access deny all.
- Configure Kerberos settings: edit the Kerberos configuration file /etc/krb5.conf and ensure the following settings are correct:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = <your-ad-server>
admin_server = <your-ad-server>
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
- Replace EXAMPLE.COM, .example.com and <your-ad-server> with your domain and AD server details.
Step 4: Test the Configuration
- Restart Squid: restart the Squid service to apply the configuration:
sudo systemctl restart squid
- Test Kerberos authentication: from a client machine that is part of the domain, configure the browser to use the Squid proxy, then access any HTTP website; authentication should be handled automatically by Kerberos.
- Check logs: review the Squid logs at /var/log/squid/access.log to ensure users are authenticated properly.
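Steps 3 and 4 leave three things to verify on the Squid host: that squid.conf carries every directive from Step 3, that the keytab is readable by Squid alone and actually matches what the KDC holds for the service account, and that access.log shows users being authenticated rather than clients looping on 407 challenges. The script below is an added example, not part of the original guide, that performs those checks. The keytab path, the principal and the log path are the values used in this guide; the Squid service user is assumed to be proxy (the Debian/Ubuntu default; adjust for your distribution), and klist/kinit from the krb5-user package are assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the original guide): verification for Steps 3 and 4,
# run on the Squid server after the keytab and squid.conf are in place.
# Paths, principal and service user are placeholders matching the values in this guide.
KEYTAB="${KEYTAB:-/etc/squid/squid.keytab}"
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/squid/access.log}"
PRINCIPAL="${PRINCIPAL:-HTTP/squid.example.com@EXAMPLE.COM}"
SQUID_USER="${SQUID_USER:-proxy}"   # account Squid runs as (assumption: proxy, the Debian/Ubuntu default)

# --- squid.conf: every directive from Step 3 must be present (checked offline) ---
check_squid_conf() {  # $1 = path to squid.conf; returns 1 if anything is missing
    missing=0
    for pat in \
        '^auth_param negotiate program .*negotiate_kerberos_auth .*-s HTTP/' \
        '^auth_param negotiate children' \
        '^auth_param negotiate keep_alive on' \
        '^acl [A-Za-z_]* proxy_auth REQUIRED' \
        '^http_access allow '
    do
        if grep -q "$pat" "$1"; then
            echo "OK:   $pat"
        else
            echo "FAIL: no line matching '$pat' in $1"
            missing=1
        fi
    done
    return $missing
}

# --- keytab: ownership, content, and a real round trip to the KDC ---
check_keytab() {  # $1 = keytab path, $2 = principal
    if [ ! -f "$1" ]; then
        echo "FAIL: keytab $1 not found"
        return 1
    fi
    # The keytab holds keys derived from the service account's password: only the
    # Squid user should be able to read it.
    owner_mode="$(stat -c '%U %a' "$1" 2>/dev/null || true)"
    case "$owner_mode" in
        "$SQUID_USER 600"|"$SQUID_USER 400") echo "OK:   keytab is $owner_mode" ;;
        *) echo "WARN: keytab is '$owner_mode'; expected '$SQUID_USER 600' (chown $SQUID_USER $1; chmod 600 $1)" ;;
    esac
    if klist -k -t "$1" 2>/dev/null | grep -q "$2"; then
        echo "OK:   keytab contains $2"
    else
        echo "FAIL: $2 not in keytab (must match ktpass -princ exactly, realm in upper case)"
        return 1
    fi
    # kinit with the keytab proves the keys match what the KDC has for the account.
    # A MEMORY credential cache keeps the ticket out of /tmp.
    if KRB5CCNAME=MEMORY:keytab-check kinit -k -t "$1" "$2" 2>/dev/null; then
        echo "OK:   kinit with keytab succeeded against the KDC"
    else
        echo "FAIL: kinit with keytab failed; check krb5.conf realm/kdc and whether the keytab is current"
        return 1
    fi
}

# --- access.log triage. Squid native format fields: time elapsed client action/status size
#     method url user hierarchy type. Field 8 stays "-" until Negotiate succeeds. ---
count_authenticated() { awk '$8 != "-" { n++ } END { print n + 0 }' "$1"; }
count_challenges()    { awk '$4 ~ /\/407$/ { n++ } END { print n + 0 }' "$1"; }

# Clients that were challenged (407) but never presented an accepted ticket: typically
# machines not joined to the domain, a browser not configured for the proxy name, or an
# SPN/host name mismatch.
never_authenticated_clients() {
    awk '$4 ~ /\/407$/ { chal[$3] = 1 } $8 != "-" { ok[$3] = 1 }
         END { for (c in chal) if (!(c in ok)) print c }' "$1" | sort
}

# Constructed sample log lines (not real traffic) so the triage functions can be tried offline.
SAMPLE_LOG=$(cat <<'EOF'
1700000000.101    45 10.0.0.5 TCP_DENIED/407 3985 GET http://intranet.example.com/ - HIER_NONE/- text/html
1700000000.233   120 10.0.0.5 TCP_MISS/200 5120 GET http://intranet.example.com/ alice@EXAMPLE.COM HIER_DIRECT/203.0.113.10 text/html
1700000000.410    40 10.0.0.9 TCP_DENIED/407 3985 GET http://intranet.example.com/ - HIER_NONE/- text/html
1700000000.612    38 10.0.0.9 TCP_DENIED/407 3985 GET http://intranet.example.com/ - HIER_NONE/- text/html
1700000000.800    90 10.0.0.5 TCP_HIT/200 2048 GET http://intranet.example.com/logo.png alice@EXAMPLE.COM HIER_NONE/- image/png
EOF
)

main() {
    rc=0
    check_squid_conf "$SQUID_CONF" || rc=1
    check_keytab "$KEYTAB" "$PRINCIPAL" || rc=1
    if squid -k parse >/dev/null 2>&1; then echo "OK:   squid -k parse"; else echo "FAIL: squid -k parse"; rc=1; fi
    if [ -r "$ACCESS_LOG" ]; then
        echo "authenticated requests: $(count_authenticated "$ACCESS_LOG")"
        echo "407 challenges:         $(count_challenges "$ACCESS_LOG")"
        echo "clients never authenticated:"; never_authenticated_clients "$ACCESS_LOG"
    fi
    return $rc
}

# Live checks run only when invoked as:  sh squid-auth-check.sh check
if [ "${1:-}" = "check" ]; then
    main
fi
```

A single 407 per client session is normal (it is the challenge that triggers the Negotiate exchange); a client that appears in the "never authenticated" list after several requests is the one to look at. Treat the keytab like the service account's password: copy it over an encrypted channel, remove the copy left on the AD server, and re-run ktpass (which re-keys the account) whenever the account password is changed.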
To query AD for the groups an authenticated user belongs to, Nullafi Shield needs a domain user account (user name and password) with the following permissions:
- Read permissions on user objects: the account must be able to read the memberOf attribute of user objects in AD. This attribute lists the groups the user is a member of. Permissions needed: Read on the memberOf attribute of user objects, and Read access to any groups or organizational units (OUs) containing user or group objects.
- Directory browsing rights: the account must be able to query the AD directory and browse user information. Permissions needed: List Contents and Read All Properties.
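The group lookup described above is an ordinary LDAP read of the user object's memberOf attribute with the low-privilege account, which is what the permissions listed amount to. The script below is an added example, not part of the original guide or of Nullafi Shield, showing that query with OpenLDAP's ldapsearch and a parser for the LDIF it returns; LDAP_URI, BIND_DN, BIND_PW_FILE, BASE_DN and the sample LDIF are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original guide): look up an authenticated user's groups
# with the read-only directory account described above, using OpenLDAP's ldapsearch.
# LDAP_URI, BIND_DN, BIND_PW_FILE and BASE_DN are placeholders for your environment.
LDAP_URI="${LDAP_URI:-ldaps://dc1.example.com}"      # LDAPS (or -ZZ for StartTLS) so the simple bind is not sent in clear
BIND_DN="${BIND_DN:-CN=squid-ldap,OU=Service Accounts,DC=example,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/squid/ldap.pw}"   # -y reads the password from a file, keeping it off the command line
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Kerberos reports the user as alice@EXAMPLE.COM; AD's sAMAccountName is the part before '@'.
sam_account_name() { printf '%s\n' "${1%%@*}"; }

# RFC 4515 escaping for a value placed inside a search filter (backslash first, so the
# escapes added afterwards are not escaped again).
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Extract memberOf values (one DN per line) from the LDIF that ldapsearch -LLL prints.
# LDIF folds long values onto following lines that begin with a single space; the awk
# rejoins those before matching, so long group DNs come out whole.
# (Values with non-ASCII characters arrive base64 encoded as "memberOf::" and are skipped.)
member_of_from_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (buf ~ /^memberOf: /) print substr(buf, 11); buf = $0 }
        END   { if (buf ~ /^memberOf: /) print substr(buf, 11) }
    '
}

# First RDN of each group DN, i.e. the group's CN (sufficient for names without escaped commas).
group_names_from_ldif() {
    member_of_from_ldif | sed 's/^CN=\([^,]*\),.*/\1/'
}

# Live query. The bound account needs only read access to memberOf on user objects plus
# list/read rights on the containers, which is exactly the permission set listed above.
user_groups() {  # $1 = user as reported by Squid, e.g. alice@EXAMPLE.COM
    sam="$(ldap_escape "$(sam_account_name "$1")")"
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
        "(&(objectClass=user)(sAMAccountName=$sam))" memberOf | member_of_from_ldif
}

# Constructed LDIF (not real directory data) in the shape ldapsearch -LLL returns,
# including one folded line, so the parsing can be tried without a domain controller.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=Alice Example,OU=Users,DC=example,DC=com
memberOf: CN=Proxy Users,OU=Groups,DC=example,DC=com
memberOf: CN=A group with a deliberately long name to force LDIF line folding,OU=Gro
 ups,DC=example,DC=com
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com
EOF
)

# Usage:  sh ad-groups.sh alice@EXAMPLE.COM   (live)     sh ad-groups.sh --sample   (offline)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LDIF" | group_names_from_ldif ;;
    ?*)       user_groups "$1" ;;
esac
```

Two caveats when acting on these results: memberOf lists direct memberships only (a user's primary group and groups reached through nesting are not in it), and the user name comes from the Kerberos ticket, so the account used for the bind needs nothing beyond the read and list rights above; give it no write access and no interactive logon.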
Nullafi Shield Configuration
Step 1: Configure the Authentication
- Go to the Web Management Console.
- Click Configuration -> ICAP on the sidebar.
- In the Security section, choose Proxy from the Authentication Method list.
- Click Save Changes.