Windows AD and SSO

[rgemmell]

Ok, as follows:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
    Confirmed, set to domain controllers only
OPNsense must have a hostname in AD DNS (A and PTR)
   Confirmed, I can ping the hostname
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
   Confirmed, syncing with DC
OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
Create a new Authorization server with ssoproxyad type
   Confirmed, tested authentication and it works

[domg]

OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE

And the domain ?

[rgemmell]

Sorry, thats there too.

[domg]

Basically the plugin use the same configuration described here http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#Configuring_a_Squid_Server_to_authenticate_off_Active_Directory

I still think it's a DNS problem my AD DNS contains this (sorry it's in french, but the important part is opnsense A and PTR)

[rgemmell]

So I can confirm the following:
PRT record for the DC: bwx-hilt-dc01.bwt.local. - 192.168.1.254
A record for the firewall: HILT-OPNSENSE.bwt.local - 192.168.1.77

[domg]

You need also a PTR record for HILT-OPNSENSE.bwt.local

[rgemmell]

Alright, I added that. I get the following:
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}

I am reading the Wiki page you sent and trying a few things. Will let you know how things go.

[domg]

Could you run the following from console (respect upppercase)

Code: [Select]

# cat /etc/resolv.conf
# dig -x 192.168.1.77
# dig hilt-opnsense.bwt.local
# cat /usr/local/etc/ssoproxyad/krb5.conf
# kinit Administrateur@BWT.LOCAL
# klist
# /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name HILT-OPNSENSE --upn HTTP/hilt-opnsense.bwt.local --server bwx-hilt-dc01.bwt.local --enctypes 28 --verbose

[rgemmell]

Hi Guys

It seems to have come right.
I was having issues with time which was odd as both DC and firewall were correct.
I have attached the CLI history for your reference.

Thanks a million for all your help. I learnt a lot from all the digging around.

Will continue to test to see how things go.

Kind regards

[domg]

rgemmell,

Cool  Ah right I missed clock problem. Now you should have a /usr/local/etc/ssoproxyad/PROXY.keytab file and your OPNsense in AD (ou=computers).
Last step, you need to reset computers in AD and try updateDomain button.

And proxy SSO should work in IE,  check in OPNsense /var/log/squid/access.log file

The plugin miss an updateDomain crontab to update computer account (it expires every 30 days). I do not know what happens if computer is not updated in time...

[voljek]

Hi !

Prerequisites:
+ OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
+ OPNsense must have a hostname in AD DNS (A and PTR)
+ OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
+ OPNsense must be in same domain as AD (hostname configuration page)
+ Create a new Authorization server with ssoproxyad type

Configuration:
+ Configure Single-Sign-On page with appropriate information
- Execute joinDomain button

Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method) additional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-"kinit"ing.--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
--------------

opnsense-devel-17.1.b_91, ospriv-web-proxy-sso-0.3

 Active Directory Domain Name: orghim.int
 Active Directory Domain Controller: svdc
 Active Directory Domain Version: 2008
 Active Directory Domain User: administrator
 pass ...
-----------------
opns.orghim.int - 192.168.145.31 - proxy server
svdc.orghim.int - 192.168.145.231 - DC 2008r2

time on opns and svdc is same.

root@opns:/ # less /etc/resolv.conf
domain orghim.int
nameserver 192.168.145.231

root@opns:/ # dig -x 192.168.145.31
;; ANSWER SECTION:
31.145.168.192.in-addr.arpa. 3600 IN    PTR     opns.orghim.int.

;; Query time: 1 msec
;; SERVER: 192.168.145.231#53(192.168.145.231)
;; WHEN: Sat Jan 07 13:13:02 EET 2017

root@opns:/ # dig opns.orghim.int
;; ANSWER SECTION:
opns.orghim.int.        3600    IN      A       192.168.145.31

root@opns:/ # dig -x 192.168.145.231
;; ANSWER SECTION:
231.145.168.192.in-addr.arpa. 1200 IN   PTR     svdc.orghim.int.

root@opns:/ # dig svdc.orghim.int
;; ANSWER SECTION:
svdc.orghim.int.        3600    IN      A       192.168.145.231

root@opns:/ # less /usr/local/etc/ssoproxyad/krb5.conf
[libdefaults]
    default_realm = ORGHIM.INT
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    ORGHIM.INT = {
        kdc = svdc.orghim.int
        admin_server = svdc.orghim.int
        default_domain = orghim.int
    }

[domain_realm]
    .orghim.int = ORGHIM.INT
    orghim.int = ORGHIM.INT

root@opns:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@ORGHIM.INT

  Issued                Expires               Principal
Jan  7 13:15:09 2017  Jan  7 23:15:09 2017  krbtgt/ORGHIM.INT@ORGHIM.INT

root@opns:/ # /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name OPNS --upn HTTP/opns.orghim.int --server svdc.orghim.int --enctypes 28 --verbose
 
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-1MV5Cr
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPNS$
 -- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/opns.orghim.int from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPNS$ with password.
 -- create_default_machine_password: Default machine password for OPNS$ is opns
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: svdc.orghim.int
Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
 -- ~KRB5Context: Destroying Kerberos Context


HELP !!!!

[mmorev]

Join to voljek's question. Absolutely same issue, can't join domain neither through web-gui, nor through kinit/msktutil. Please, help

[franco]

The SSO plugin is still under development. I will see if I can reach domg for an update.


Cheers,
Franco

[schoenauer]

Hi!
What about the development of the SSO plugin. We're using 17.1.2 but there's still no possbility to use SSO/AD in a simple way. Do you know the roadmap for that?

Kind regards

[franco]

Hi,

There is no roadmap here because the work is being done by an external contributor.


Cheers,
Franco