Text only | Text with Images

OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: HughJazz84 on April 30, 2019, 12:53:48 AM

Title: web Proxy sso
Post by: HughJazz84 on April 30, 2019, 12:53:48 AM
hey all,

so i have the webproxy sso plugin installer, configured and it passes all chks and seems to work, when I test the kerberos login i get

Password for hxxxx@INTERNAL.EXAMPLE.CA:
AF oRQwEqADCgEAoQsasdfSqGSIb3EgECAg== hxxx@INTERNAL.EXAMPLE.CA
BH quit command

so it seems to be working.... but when I try to use the web browser, it downloads the wpad.dat file and then asks for authentication.

cache.log has many examples of
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

how can I debug the kerberos authentication and ensure that kerberos auth and not ntlm are being processed.

I think im close, but i cant for the life of me get this last step...

Thanks in advance

Hugh
Title: Re: web Proxy sso
Post by: Kekek on April 30, 2019, 05:34:05 AM
The proxy server address must be specified as FQDN. You cannot specify an IP address.
Title: Re: web Proxy sso
Post by: cristian_asir on April 30, 2019, 08:28:44 AM
Quote from: HughJazz84 on April 30, 2019, 12:53:48 AM
hey all,

so i have the webproxy sso plugin installer, configured and it passes all chks and seems to work, when I test the kerberos login i get

Password for hxxxx@INTERNAL.EXAMPLE.CA:
AF oRQwEqADCgEAoQsasdfSqGSIb3EgECAg== hxxx@INTERNAL.EXAMPLE.CA
BH quit command

so it seems to be working.... but when I try to use the web browser, it downloads the wpad.dat file and then asks for authentication.

cache.log has many examples of
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

how can I debug the kerberos authentication and ensure that kerberos auth and not ntlm are being processed.

I think im close, but i cant for the life of me get this last step...

Thanks in advance

Hugh


Hello friend, can u please help me with ldap integration with kerberos plugin?
Title: Re: web Proxy sso
Post by: HughJazz84 on April 30, 2019, 02:04:45 PM
i am using FQDN in the wpad file, i also tried manually configuring it with the FQDN and got the same result.

What is the best way to debug the KERB auth exchange?

Hugh
Title: Re: web Proxy sso
Post by: HughJazz84 on April 30, 2019, 02:29:06 PM
christian:  once i get it working, i would be happy to.  right now, I dont have it working so I need to focus on my system.

Hugh
Title: Re: web Proxy sso
Post by: distrimed on February 21, 2020, 02:52:48 PM
Hello
i cant find any intel about how to configure the sso.
You said that all look like ok for you
could you tell me how do you do that
thank
Text only | Text with Images