17.1 Legacy Series / Re: Windows AD and SSO
« on: January 07, 2017, 12:21:08 pm »
Hi !
Prerequisites:
+ OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
+ OPNsense must have a hostname in AD DNS (A and PTR)
+ OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
+ OPNsense must be in same domain as AD (hostname configuration page)
+ Create a new Authorization server with ssoproxyad type
Configuration:
+ Configure Single-Sign-On page with appropriate information
- Execute joinDomain button
Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
--------------
opnsense-devel-17.1.b_91, ospriv-web-proxy-sso-0.3
Active Directory Domain Name: orghim.int
Active Directory Domain Controller: svdc
Active Directory Domain Version: 2008
Active Directory Domain User: administrator
pass ...
-----------------
opns.orghim.int - 192.168.145.31 - proxy server
svdc.orghim.int - 192.168.145.231 - DC 2008r2
time on opns and svdc is the same.
root@opns:/ # less /etc/resolv.conf
domain orghim.int
nameserver 192.168.145.231
root@opns:/ # dig -x 192.168.145.31
;; ANSWER SECTION:
31.145.168.192.in-addr.arpa. 3600 IN PTR opns.orghim.int.
;; Query time: 1 msec
;; SERVER: 192.168.145.231#53(192.168.145.231)
;; WHEN: Sat Jan 07 13:13:02 EET 2017
root@opns:/ # dig opns.orghim.int
;; ANSWER SECTION:
opns.orghim.int. 3600 IN A 192.168.145.31
root@opns:/ # dig -x 192.168.145.231
;; ANSWER SECTION:
231.145.168.192.in-addr.arpa. 1200 IN PTR svdc.orghim.int.
root@opns:/ # dig svdc.orghim.int
;; ANSWER SECTION:
svdc.orghim.int. 3600 IN A 192.168.145.231
root@opns:/ # less /usr/local/etc/ssoproxyad/krb5.conf
[libdefaults]
default_realm = ORGHIM.INT
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
ORGHIM.INT = {
kdc = svdc.orghim.int
admin_server = svdc.orghim.int
default_domain = orghim.int
}
[domain_realm]
.orghim.int = ORGHIM.INT
orghim.int = ORGHIM.INT
root@opns:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@ORGHIM.INT
Issued Expires Principal
Jan 7 13:15:09 2017 Jan 7 23:15:09 2017 krbtgt/ORGHIM.INT@ORGHIM.INT
root@opns:/ # /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name OPNS --upn HTTP/opns.orghim.int --server svdc.orghim.int --enctypes 28 --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 87
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-1MV5Cr
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPNS$
-- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/opns.orghim.int from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPNS$ with password.
-- create_default_machine_password: Default machine password for OPNS$ is opns
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: svdc.orghim.int
Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
-- ~KRB5Context: Destroying Kerberos Context
HELP !!!!
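A preflight checker for the prerequisites listed at the top of the post, added here as an editor's example (it is not part of the original post or of the ssoproxyad plugin): it parses a krb5.conf in the shape quoted above, verifies that default_realm, [realms] and [domain_realm] agree and that the KDC hostname maps back to its realm, flags the DES and RC4 enctypes the quoted config still permits, and checks that each host's A record and PTR record point at each other. The krb5.conf text and the A/PTR tables are constructed copies of what the post shows, so the script runs offline; a live check would fill the tables from resolver queries instead. All function names are mine.

```python
import re

# Constructed copy of the krb5.conf quoted in the post, for offline use.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = ORGHIM.INT
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
ORGHIM.INT = {
kdc = svdc.orghim.int
admin_server = svdc.orghim.int
default_domain = orghim.int
}
[domain_realm]
.orghim.int = ORGHIM.INT
orghim.int = ORGHIM.INT
"""

# Constructed A/PTR tables mirroring the dig output in the post.
SAMPLE_A = {"opns.orghim.int": "192.168.145.31", "svdc.orghim.int": "192.168.145.231"}
SAMPLE_PTR = {"192.168.145.31": "opns.orghim.int", "192.168.145.231": "svdc.orghim.int"}

# Enctypes that are broken (DES) or deprecated (RC4, 3DES); any enctype listed
# is one the client will accept, so only keep what the DC really requires.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; '{ }' blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("setting outside any section: " + line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # open a realm block
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(host, domain_realm):
    """Longest-suffix [domain_realm] lookup, as libkrb5 does it."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        suffix = "." + ".".join(parts[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_krb5_conf(conf):
    """Return a list of human-readable findings about realm wiring and enctypes."""
    findings = []
    lib, realms, dr = conf.get("libdefaults", {}), conf.get("realms", {}), conf.get("domain_realm", {})
    default_realm = lib.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is missing")
    elif default_realm not in realms:
        findings.append(f"[realms] has no block for default_realm {default_realm}")
    for domain, realm in dr.items():
        if realm not in realms:
            findings.append(f"[domain_realm] {domain} maps to undefined realm {realm}")
    for realm, settings in realms.items():
        kdc = settings.get("kdc")
        if not kdc:
            findings.append(f"realm {realm} has no kdc")
        elif realm_for_host(kdc.split(":")[0], dr) != realm:
            findings.append(f"kdc {kdc} does not map back to realm {realm} via [domain_realm]")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"libdefaults.{key} permits weak enctypes: {' '.join(weak)}")
    return findings


def check_dns_pair(name, a_records, ptr_records):
    """Return a finding if NAME's A record and the PTR for that address disagree, else None."""
    addr = a_records.get(name)
    if addr is None:
        return f"{name}: no A record"
    back = ptr_records.get(addr)
    if back is None:
        return f"{name}: no PTR record for {addr}"
    if back.rstrip(".").lower() != name.rstrip(".").lower():
        return f"{name}: PTR for {addr} points to {back}, not {name}"
    return None


def preflight(conf_text, a_records, ptr_records, hosts):
    """Run every check and return the combined findings (empty list means all clear)."""
    findings = check_krb5_conf(parse_krb5_conf(conf_text))
    findings += [f for f in (check_dns_pair(h, a_records, ptr_records) for h in hosts) if f]
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_KRB5_CONF, SAMPLE_A, SAMPLE_PTR, list(SAMPLE_A)):
        print("WARN:", finding)
```

On the post's own values the realm wiring and both A/PTR pairs check out, and the only warnings are the three enctype lines: rc4-hmac, des-cbc-crc and des-cbc-md5 are listed in all three enctype settings, so the proxy would accept a DES or RC4 key for its own service principal if the DC offered one.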