Author Topic: Web-Proxy SSO  (Read 4273 times)

AndyX90

Web-Proxy SSO
« on: November 26, 2017, 10:12:52 am »
Hey guys,

I'm trying to get WebProxy-SSO to work but it won't...
The checklist in the plugin is okay.

If I click CREATE KEYTABLE it shows the following:
Quote
Password for Administrator@XXXXX.LOCAL:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 82
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol tcp
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol udp
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS domain)
 -- get_dc_host: Found DC: XXXXX.LOCAL
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: XXXXX.XXXXX.local
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-3PVDF8
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: FIREWALL$
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/firewall.XXXXX.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for FIREWALL$ with password.
 -- create_default_machine_password: Default machine password for FIREWALL$ is firewall
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: XXXXX.XXXXX.local
SASL/GSSAPI authentication started
....

In proxy-log it shows:
Quote
:2017/11/26 09:30:11| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2017/11/26 09:30:10   kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

Any suggestions?

THX

AndyX90

Re: Web-Proxy SSO
« Reply #1 on: January 07, 2018, 07:35:58 pm »
Okay, I figured out that there is a DNS problem. If I go to Interfaces -> Diagnostics -> DNS Lookup and try to resolve the IP of my DC, I get random outputs with each click on "DNS Lookup". Either I get a response with type "SOA   a.root-servers.net." or I get a response with type "A x.x.x.x (correct IP)". I have configured Unbound with a local domain override.
Any ideas?
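
A small triage helper for the two logs quoted in the first post, added here as an example and not part of the original posts or of OPNsense. It pairs each msktutil authentication attempt with the Kerberos error that followed it and counts the NTLM tokens that Squid's negotiate_kerberos_auth helper reported (a type 1 token is the client's opening NTLM message, which the Kerberos-only helper cannot validate). The sample lines are constructed from the output above with example.local as a placeholder realm, and the function name triage is hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the msktutil and Squid lines quoted in the thread.
SAMPLE = """\
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Trying to authenticate for host/firewall.example.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Trying to authenticate for FIREWALL$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- finalize_exec: Authenticated using method 5
2017/11/26 09:30:11| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2017/11/26 09:30:10 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
"""

TRY = re.compile(r"-- (\w+): Trying to authenticate for (\S+) (?:from local keytab|with password)")
ERR = re.compile(r"-- (\w+): Error: \S+ failed \((.+)\)\s*$")
OK = re.compile(r"-- finalize_exec: Authenticated using method (\d+)")
NTLM = re.compile(r"negotiate_kerberos_auth: WARNING: received type (\d) NTLM token")


def triage(text):
    """Summarise failed Kerberos attempts and NTLM tokens seen by the helper."""
    failed, pending, method, ntlm = [], None, None, Counter()
    for line in text.splitlines():
        if m := TRY.search(line):
            pending = (m.group(1), m.group(2))       # (msktutil step, principal)
        elif (m := ERR.search(line)) and pending and pending[0] == m.group(1):
            # Attach the error to the attempt logged by the same msktutil step.
            failed.append((pending[1], pending[0], m.group(2)))
            pending = None
        elif m := OK.search(line):
            method = int(m.group(1))
        elif m := NTLM.search(line):
            ntlm[int(m.group(1))] += 1                # helper warning only, not the kid1 echo
    return {
        "failed": failed,
        "auth_method": method,
        "ntlm_tokens": dict(ntlm),
        "ntlm_seen_by_kerberos_helper": bool(ntlm),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```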