Windows AD and SSO

Started by rgemmell, October 17, 2016, 04:46:09 PM

Ok, as follows:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
    Confirmed, set to domain controllers only
OPNsense must have a hostname in AD DNS (A and PTR)
   Confirmed, I can ping the hostname
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
   Confirmed, syncing with DC
OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
Create a new Authorization server with ssoproxyad type
   Confirmed, tested authentication and it works

Quote from: rgemmell on November 01, 2016, 11:55:17 AM

OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
And the domain ?


Basically the plugin uses the same configuration described here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#Configuring_a_Squid_Server_to_authenticate_off_Active_Directory

I still think it's a DNS problem. My AD DNS contains this (sorry, it's in French, but the important part is the opnsense A and PTR records)

So I can confirm the following:
PTR record for the DC: bwx-hilt-dc01.bwt.local. - 192.168.1.254
A record for the firewall: HILT-OPNSENSE.bwt.local - 192.168.1.77


Alright, I added that. I get the following:
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}

I am reading the Wiki page you sent and trying a few things. Will let you know how things go.

November 01, 2016, 04:59:56 PM #37 Last Edit: November 01, 2016, 05:11:31 PM by domg
Could you run the following from the console (respect uppercase)

# cat /etc/resolv.conf
# dig -x 192.168.1.77
# dig hilt-opnsense.bwt.local
# cat /usr/local/etc/ssoproxyad/krb5.conf
# kinit Administrateur@BWT.LOCAL
# klist
# /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name HILT-OPNSENSE --upn HTTP/hilt-opnsense.bwt.local --server bwx-hilt-dc01.bwt.local --enctypes 28 --verbose
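The console checks above can be folded into one preflight script. The following is an added example, not the plugin's or domg's code: it takes the resolver, the A and PTR records, the krb5.conf text and the measured clock skew as inputs (the values those commands print), so it runs offline; the sample values are constructed from rgemmell's setup in this thread.

```python
MAX_SKEW_SECONDS = 300  # default clockskew in MIT and Heimdal Kerberos

# Constructed from the thread's values (realm BWT.LOCAL, DC bwx-hilt-dc01).
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = BWT.LOCAL
[realms]
    BWT.LOCAL = {
        kdc = bwx-hilt-dc01.bwt.local
    }
[domain_realm]
    .bwt.local = BWT.LOCAL
"""

def parse_krb5_conf(text):
    """Single-realm krb5.conf -> {section: {key: value}}; realm braces are flattened."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()  # drop comments
        if not line or line.endswith("{") or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        else:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def check_sso_prereqs(hostname, ip, domain, dc_ips, nameservers,
                      a_records, ptr_records, krb5_text, skew_seconds):
    """Returns the failed prerequisites; an empty list means msktutil can be tried."""
    fqdn = f"{hostname}.{domain}".lower()
    conf = parse_krb5_conf(krb5_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    checks = [
        (bool(nameservers) and set(nameservers) <= set(dc_ips), "resolv.conf must list only AD DNS servers"),
        (a_records.get(fqdn) == ip, f"A record for {fqdn} must point to {ip}"),
        (ptr_records.get(ip, "").rstrip(".").lower() == fqdn, f"PTR record for {ip} must resolve to {fqdn}"),
        (realm == domain.upper(), f"default_realm should be {domain.upper()}"),
        (conf.get("domain_realm", {}).get("." + domain) == realm, f"domain_realm must map .{domain} to {realm}"),
        (bool(conf.get("realms", {}).get("kdc")), "no kdc set for the realm (needed with dns_lookup_kdc = no)"),
        (abs(skew_seconds) <= MAX_SKEW_SECONDS, f"clock skew of {skew_seconds}s exceeds {MAX_SKEW_SECONDS}s"),
    ]
    return [message for ok, message in checks if not ok]

def demo(skew_seconds=0):
    """rgemmell's setup as constructed sample input: firewall .77, DC .254."""
    return check_sso_prereqs("HILT-OPNSENSE", "192.168.1.77", "bwt.local", ["192.168.1.254"],
                             ["192.168.1.254"], {"hilt-opnsense.bwt.local": "192.168.1.77"},
                             {"192.168.1.77": "hilt-opnsense.bwt.local."}, SAMPLE_KRB5_CONF, skew_seconds)
```

Feed it the real outputs of resolv.conf, dig and a time comparison against the DC; a non-empty result explains an msktutil failure before any LDAP bind is attempted.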

Hi Guys

It seems to have come right.
I was having issues with time which was odd as both DC and firewall were correct.
I have attached the CLI history for your reference.

Thanks a million for all your help. I learnt a lot from all the digging around.

Will continue to test to see how things go.

Kind regards

rgemmell,

Cool :) Ah right, I missed the clock problem. Now you should have a /usr/local/etc/ssoproxyad/PROXY.keytab file and your OPNsense in AD (ou=computers).
Last step, you need to reset computers in AD and try updateDomain button.

And proxy SSO should work in IE, check the /var/log/squid/access.log file on OPNsense

The plugin is missing an updateDomain crontab to update the computer account (it expires every 30 days). I do not know what happens if the computer is not updated in time...

Hi !

Prerequisites:
+ OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
+ OPNsense must have a hostname in AD DNS (A and PTR)
+ OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
+ OPNsense must be in same domain as AD (hostname configuration page)
+ Create a new Authorization server with ssoproxyad type

Configuration:
+ Configure Single-Sign-On page with appropriate information
+ Execute joinDomain button

Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method) additional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-"kinit"ing.--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
--------------

opnsense-devel-17.1.b_91, ospriv-web-proxy-sso-0.3

Active Directory Domain Name: orghim.int
Active Directory Domain Controller: svdc
Active Directory Domain Version: 2008
Active Directory Domain User: administrator
pass ...
-----------------
opns.orghim.int - 192.168.145.31 - proxy server
svdc.orghim.int - 192.168.145.231 - DC 2008r2

time on opns and svdc is same.

root@opns:/ # less /etc/resolv.conf
domain orghim.int
nameserver 192.168.145.231

root@opns:/ # dig -x 192.168.145.31
;; ANSWER SECTION:
31.145.168.192.in-addr.arpa. 3600 IN    PTR     opns.orghim.int.

;; Query time: 1 msec
;; SERVER: 192.168.145.231#53(192.168.145.231)
;; WHEN: Sat Jan 07 13:13:02 EET 2017

root@opns:/ # dig opns.orghim.int
;; ANSWER SECTION:
opns.orghim.int.        3600    IN      A       192.168.145.31

root@opns:/ # dig -x 192.168.145.231
;; ANSWER SECTION:
231.145.168.192.in-addr.arpa. 1200 IN   PTR     svdc.orghim.int.

root@opns:/ # dig svdc.orghim.int
;; ANSWER SECTION:
svdc.orghim.int.        3600    IN      A       192.168.145.231

root@opns:/ # less /usr/local/etc/ssoproxyad/krb5.conf
[libdefaults]
    default_realm = ORGHIM.INT
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    ORGHIM.INT = {
        kdc = svdc.orghim.int
        admin_server = svdc.orghim.int
        default_domain = orghim.int
    }

[domain_realm]
    .orghim.int = ORGHIM.INT
    orghim.int = ORGHIM.INT

root@opns:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@ORGHIM.INT

  Issued                Expires               Principal
Jan  7 13:15:09 2017  Jan  7 23:15:09 2017  krbtgt/ORGHIM.INT@ORGHIM.INT

root@opns:/ # /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name OPNS --upn HTTP/opns.orghim.int --server svdc.orghim.int --enctypes 28 --verbose

-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/urandom = 87
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-1MV5Cr
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPNS$
-- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/opns.orghim.int from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPNS$ with password.
-- create_default_machine_password: Default machine password for OPNS$ is opns
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: svdc.orghim.int
Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
-- ~KRB5Context: Destroying Kerberos Context


HELP !!!!

Joining voljek's question. Absolutely the same issue, can't join the domain either through the web GUI or through kinit/msktutil. Please, help :)

The SSO plugin is still under development. I will see if I can reach domg for an update.


Cheers,
Franco

Hi!
What about the development of the SSO plugin? We're using 17.1.2 but there's still no possibility to use SSO/AD in a simple way. Do you know the roadmap for that?

Kind regards

Hi,

There is no roadmap here because the work is being done by an external contributor.


Cheers,
Franco