OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: AndyX90 on November 26, 2017, 10:12:52 am

Title: Web-Proxy SSO
Post by: AndyX90 on November 26, 2017, 10:12:52 am
Hey guys,

I'm trying to get WebProxy-SSO to work, but it won't...
The checklist in the plugin is okay.

If I click CREATE KEYTABLE, it shows the following:
Quote
Password for Administrator@XXXXX.LOCAL:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 82
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol tcp
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol udp
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS domain)
 -- get_dc_host: Found DC: XXXXX.LOCAL
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: XXXXX.XXXXX.local
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-3PVDF8
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: FIREWALL$
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/firewall.XXXXX.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for FIREWALL$ with password.
 -- create_default_machine_password: Default machine password for FIREWALL$ is firewall
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: XXXXX.XXXXX.local
SASL/GSSAPI authentication started
....

In the proxy log it shows:
Quote
:2017/11/26 09:30:11| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2017/11/26 09:30:10   kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

Any suggestions?

THX
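To confirm what the browser is actually sending when Squid logs "received type 1 NTLM token", here is an added Python helper (not from OPNsense, Squid or the poster) that classifies the token inside a captured Proxy-Authorization: Negotiate header as NTLM, SPNEGO or raw Kerberos; the sample tokens are constructed for this example.

```python
import base64
import struct

# Constructed sample data for this example; nothing here is captured from the thread.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # OID 1.3.6.1.5.5.2
OID_KERBEROS5 = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2


def sample_ntlm_type1_header() -> str:
    """Constructed NTLM NEGOTIATE (type 1) message, as a browser sends it on NTLM fallback."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + bytes(16)
    return "Negotiate " + base64.b64encode(raw).decode()


def sample_spnego_header() -> str:
    """Constructed minimal SPNEGO wrapper: [APPLICATION 0] tag, length, SPNEGO OID."""
    raw = b"\x60" + bytes([len(OID_SPNEGO)]) + OID_SPNEGO
    return "Negotiate " + base64.b64encode(raw).decode()


def _skip_der_length(raw: bytes, pos: int) -> int:
    """Return the offset just past the DER length field that starts at pos."""
    first = raw[pos]
    if first < 0x80:
        return pos + 1
    return pos + 1 + (first & 0x7F)


def classify_negotiate_token(header_value: str) -> str:
    """Classify the token in an Authorization / Proxy-Authorization: Negotiate header.

    Returns 'ntlm-type<N>', 'spnego', 'kerberos', 'gssapi-unknown' or 'unknown'.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(token)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        # NTLM message type is a little-endian uint32 right after the 8-byte signature.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"ntlm-type{msg_type}"
    if raw[:1] == b"\x60":
        # RFC 2743 InitialContextToken: 0x60, length, then the mechanism OID.
        body = raw[_skip_der_length(raw, 1):]
        if body.startswith(OID_SPNEGO):
            return "spnego"
        if body.startswith(OID_KERBEROS5):
            return "kerberos"
        return "gssapi-unknown"
    return "unknown"


def is_ntlm_fallback(header_value: str) -> bool:
    """True when the client sent NTLM, which is what Squid's negotiate_kerberos_auth rejects."""
    return classify_negotiate_token(header_value).startswith("ntlm-")
```

An NTLM result means the client never obtained a Kerberos ticket for the proxy's service principal, so the proxy name resolution and the keytab are the places to check rather than Squid itself.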
Title: Re: Web-Proxy SSO
Post by: AndyX90 on January 07, 2018, 07:35:58 pm
Okay, I figured out that there is a DNS problem. If I go to Interfaces -> Diagnostics -> DNS Lookup and try to resolve the IP of my DC, then I get random outputs with each click on "DNS Lookup". Either I get a response with type "SOA a.root-servers.net." or I get a response with type "A x.x.x.x (correct IP)". I have configured Unbound with a local domain override.
Any ideas?