Understanding scenarios where Kerberos authentication fails.

Post by Pratik » Wed Dec 07, 2022 7:40 am

User authentication in SafeSquid is required for granular, user- and group-based policy configuration.
Kerberos provides a centralized authentication server whose function is to authenticate users to SafeSquid.
The Kerberos authentication mechanism identifies a user who has already logged in or signed in to the network domain.
The mechanism requires applications such as the Internet browsers employed by the users to provide the credentials without interactive prompts.
Kerberos encrypts passwords before transmitting them, and once you and the server have proved your identities to each other, Kerberos uses secret-key cryptography to secure the rest of your communications.
However, there are situations where Kerberos authentication breaks.
You can encounter problems such as popups for user authentication or a failed connection to the proxy server.
Below are a few such cases.
To troubleshoot issues related to Kerberos, search for the string "Kerberos" in SafeSquid's native log:

Code: Select all

less /var/log/safesquid/native/safesquid.log
Case#1: when /tmp directory is full – (Failed to write FILE credential data)

This case applies when SafeSquid's native log contains output similar to the following, which mentions "Failed to write FILE credential data":

Code: Select all

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kinit: krb5_init_creds_store: Failed to write FILE credential data
kerberos : kerberos : /usr/bin/kinit: failed
kerberos : kinit: failed]
[LDAP Cache Manager] ldap: debug: init_routine_unlocked:368 connection not exists in pool for domain safesquid.lab
[SqScan Updater] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:26053 ENOTCONN:0 swgupdates.safesquid.net
[Image Scanner Setup] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:20053 ENOTCONN:0 swgupdates.safesquid.net
[SSqore Setup] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:12117 ENOTCONN:0 swgupdates.safesquid.net
[LDAP Cache Manager] ldap: debug: get_ld:1327 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
[Content Magic Setup] header: debug: response headers from swgupdates2.safesquid.net 10.102.1.13:22041 161.35.135.35:443:
Validate the total space left in your /tmp directory.

Code: Select all

df -kh /tmp
The /tmp directory has no space left to create a new file, so kinit is unable to generate the Kerberos credential cache file.
The solution to this problem is to clean up and free some space in the /tmp directory.
The easiest and recommended way to clean the /tmp directory is to reboot the host system, which frees space in /tmp.
If you have freed space in the /tmp directory manually, restart your SafeSquid service.

Code: Select all

/etc/init.d/monit stop; /etc/init.d/safesquid stop; /etc/init.d/monit start
Now validate your Kerberos SSO.

Code: Select all

proxy.safesquid.lab has address 10.102.1.12
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/master.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab 			--computer-name master --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/urandom = 82
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-MC77ea
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-YFsU4o
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
Kerberos SSO will now work as intended.

Case#2 HTTP.keytab file not found. - (Authenticated using method 5)

A keytab is a file containing pairs of Kerberos principals and encrypted keys that are derived from the Kerberos password.
A common scenario in which the HTTP.keytab file is not present at the time of Kerberos initialization is when the HTTP.keytab files have been removed or are missing.

The removed HTTP.keytab and HTTP.keytab.<domain> files will be regenerated when SafeSquid restarts.
Because of the missing HTTP.keytab, authentication using the keytab fails and kinit uses authentication method 5.
Validate this in the logs.

Code: Select all

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --create --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 82
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-nAQP2W
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for PROXY$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy.safesquid.lab from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy$ with password.
 -- create_default_machine_password: Default machine password for proxy$ is proxy
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown code krb5 24)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
When you then try to access https://safesquid.cfg/, the log shows:

Code: Select all

security: warn: GSS_AUTH::validate_security_credentials gss_accept_sec_context: `u<84>^E
security: error: Kerberos: converting oid->string:150 failed:  A token was invalid. unknown mech-code 0 for mech unknown
security: error: Kerberos: gss_accept_sec_context():213 failed:  A token was invalid. unknown mech-code 0 for mech unknown
security: error: [IP:10.102.1.100] try_kerberos_authentication:490 could not validate: Negotiate oYIG9jCCBvKgAwoBAaKCBukEggblYIIG4QYJKoZIhvcSAQICAQBuggbQMIIGzKADAgEFoQMCAQ6iBwMFACAAAACjggT5YYIE9TCCBPGgAwIBBaEPGw1TQUZFU1FVSUQuTEFCoiYwJKADAgECoR0wGxsESFRUUBsTcHJveHkuc2FmZXNxdWlkLmxhYqOCBK8wggSroAMCARKhAwIBPaKCBJ0EggSZl84YSH2U6/APH/4DJICnPuuAhweGzg5eCPtb9Mhv4fyF88hOzT56J8T5tG1VRAVRp3cMA2IP2MVOikuQwtRW6RSDP+q2NoJeCqqiRCSCYyFrQZorr0O3kkYhiLIkhNwGbfTxDE+Jx6YNVRDa9EihCqeiw0lOPcUTcfsSHnAwlX2tpl+83XyDRSDl2mOhNWOqb+4VrVUyIaXw0Iu24LcV57gTVKEjnS8YH3kotr9yy3x7dQhp3KFfF7njk5gjAyB4YcF3IZpidbxJtm0zQZfccp8b+83vPkpZNcYYE88v7iHg372gw3qvuhtEnE11VFxOQOEsPNt7SxW8ynqy3WHVMDpikxlZCyrr8LzqdxspN3HGIqqB6tS6+265KkuNQejvat9xHkYWJND1Id7QmsTRVoPVPQ0urQttyFWooyC+uDIUkahYM45pUQBto388tbJPN1q3ML8tQmQVpaHWiUKewnIcgwrh4OSNd1rdMMIk9NeGfLDzmEcRhDJaMlLrgtzowhzYxweUuxCwBo8i26kx18mq5pO8RQmFYsDa8meRBBosRlL1FRsa5xnzIqSJ4xe00i29+B18+e1GYCs3B2JNFEkVztcXMu9Q81iQjlWjVmrzVqzosA8bBRUs4MDrMkTqtS4qlcu53evSDJEDEih1cQmlcRPohberxCUXhNF03F4Sik70OqAuzBvv1CgNDWKg6y7zJzlz+LrWMcDqBQh4Fz3Tu4+LEeZ2OgvQh8YHLOKRRBaTsoDbpXuCDJ1Op+hof6htlpNXt+xqpjwCSWBjLvJ5ma7qLdBZXxvoBBgCo5vymi3S6gfDRzwz417LKqM49+pWol4COPRCJJzg8oYDZVfGhOBgUfFi4AAEZjWA3safDdIA3QwtuOZZ9dLnd6CwaxW4uBW+p6ILeQzFjNhtshKIjIaCLaLLA5nmbSsld1sStCH8ZoprgMhtDMWw1owW+sOLvfwWLt4ABic92nRVw2F1b1qRL96R2mLdtOSccPJmlq0lq6+9G1yRnPSrJiF0qI3SVvV5TMtvoG188yn0qEaWB9lZA6geI1kMFuXfyQ6gDWYJAEt5Lc1TxgJ/LFlTc4h9kcGbtli4KJ3fIvAfOC6dClSmSa61LUYT+0Rj8L2OXCT8VEO/7EabM/88vVhMXHY/uCKdI6UZt/ik533M2miuWcgpXMMARZ61fuQewH5/iKnYX94RSWYd4zKzqCwDdEFk2te5Zfwly1XN0SjYPrx64tSLIn0WOuGL0XDYWv4vi6TtEsGSUEOD3aXd+h17RwQ+hhvS3McFVoo+CO5CTRpqvV4hJloBr5UzPzFtdTh88i5rTQXShHKZnOSEkoGXarE7kBFeo1M3dmTXbxnhtTsCvfJMem2STpDCXwUh32v66UrhlX6tlncr7H1LZYvYEwQYhpiTcHkDWCtoheBGYKZaxehDWWfGD6f+0tPPP7KeTwjSN7EwPICPv+6gwWdm7S3KTN0C9bLDCq5AcvUHzniGSK77LVGbyPewFreZuVJlOs7U1bWcXw+9D9l4uvGdFvcwMlrEsEe2n6MehsaqSCAbgwggG0oAMCARKiggGrBIIBp4UnIs1hwwMSw2Opw81nuJT6T85lFjPM4w3PqivH9qWL12Rn9WK2t7NTXziHkzlSThjznLXmX+bHgsxB/dWkmObcD+i6twlSACEV8
EY3x2rMpp18MQm2Vl1+WKAdWpAmsSoZ8hbnZ1Q+v0uIheelx2ILXZQRA98Xiwk6yh9fxwKmudSO5UuSqYFT6ePcCdIkSgFiX+isXn62TUs6FwXNVgwie12db7AY4gOAF3/fkwq5lEJRLNxk1klI7muT7KqrcuQqEqb1vIZDA4OsrxRyDLJwtI7u1sYDZCG+MnbYvLnNGphvnbAnM/LkBEq+9YmJP58ka3bWswcRKUsinDUXY8D6v3zamrwg54E8FL9inClfxNpjA11KZcwXM3iYTlPEz8amW7VUhlCXbKcS1GGw970qvln7QUxlXdFnAaQlZo3gLeuLPYXcW9pNmPII6cQV0ZkQHXmBOS6tnP+oHIYOftKbydgDv5ib2y4OT0qZaUilg6+L95Cd7eo9+cvmVs0W+gOsOeC4i3nwRcSaKBsn6zOfIZl0kWDKycLsq9V1+1aHSzATEbQ==
security: warn: cannot attempt alternate authentication to safesquid.auth.service
header: debug: url_command_extract:168 connection: HTTP_CONNECT
header: debug: header_send: client 10.102.1.12:8080 10.102.1.100:52613
HTTP/1.1 407 Proxy Authentication Required
To fix this issue, restart your SafeSquid service.

Code: Select all

/etc/init.d/monit stop; /etc/init.d/safesquid stop; /etc/init.d/monit start

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 81
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-eawnX7
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-YiRakL
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
SASL/GSSAPI authentication started
SASL username: proxy$@SAFESQUID.LAB
Or
Log out of your Windows user account and then log back in.
Once you have logged back in, validate Kerberos SSO.

Code: Select all

security: debug: GSS_AUTH::validate_security_credentials gss_accept_sec_context: <A0><8F>}3<95>^?
security: debug: validate_security_credentials:207 authenticated Administrator@SAFESQUID.LAB	oYG2MIGzoAMKAQChCwYJKoZIgvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuHgAO3YmLGD7tcILX4HGnfIzWAfbS5IE1aOCSuFy6pklup8B/sLpAbyXPgdfEkCCPwCBoUJQE8aUHLGQ0Bh0tJV36nPwOZP2tyrETkwPo5fAd8ULxs1fgHzjowjKo8T9jRlY79C3XdnnIP3f/0Qc=
security: [IP:10.102.1.100] kerberos: Negotiate:1 Administrator@SAFESQUID.LAB authenticated
ldap: debug: set_dn:1162 ip:[10.102.1.100] user:[ADMINISTRATOR@SAFESQUID.LAB] DN:[CN=Administrator,CN=Users,DC=safesquid,DC=lab] Groups:[CN=Administrators CN=Builtin DC=safesquid DC=lab,CN=Domain Admins CN=Users DC=safesquid DC=lab,CN=Enterprise Admins CN=Users DC=safesquid DC=lab,CN=Group Policy Creator Owners CN=Users DC=safesquid DC=lab,CN=Schema Admins CN=Users DC=safesquid DC=lab,CN=Users DC=safesquid DC=lab,ADMINISTRATOR@SAFESQUID.LAB]
profiles: Access Restrictions: Added Profile: Master User
Authentication now should proceed seamlessly.

Case#3 Using custom hostname in Windows Active Directory for DNS pointing

When using multiple instances of SafeSquid to achieve high availability (HA) with DNS round robin, you are required to configure the Active Directory DNS entry so that a common FQDN points to the IP addresses of the multiple proxy server instances.
For example: proxy.safesquid.lab 10.102.0.1 & proxy.safesquid.lab 10.102.1.12
For this to work, you need to set the hostname of the proxy server to your FQDN, proxy.safesquid.lab.
If the hostname does not match the DNS entry in your Active Directory, Kerberos authentication will fail.

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: slave.safesquid.lab
kerberos : CHECK_CONNECTIVITY: slave.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : kerberos : lookup: failed MY_FQDN: slave.safesquid.lab
kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/slave.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name slave --upn HTTP/slave.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 89
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-qhDbf9
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: slave$
 -- try_machine_keytab_princ: Trying to authenticate for slave$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-u9mQXO
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
To resolve this issue, you are required to update the hostname of your proxy server to the common FQDN.
Update your hostname.

Code: Select all

hostnamectl set-hostname <proxy FQDN>
Validate that the hostname has been modified.

Code: Select all

hostname -f 
Delete the krb.tkt, krb5.conf, HTTP.keytab and HTTP.keytab.<domain> files from the /usr/local/safesquid/security folder.
Update the hostname from SafeSquid's web interface -> Support -> Startup Parameters.
Now restart your proxy service.
Validate from SafeSquid's native logs.

Code: Select all

less /var/log/safesquid/native/safesquid.log
Search for the string "kerberos".

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 79
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-lbVDIv
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-QH5OBO
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
SASL/GSSAPI authentication started
SASL username: proxy$@SAFESQUID.LAB
Kerberos authentication will now work seamlessly.
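
The log search used in the three cases above, as an added example that is not part of the original post or SafeSquid's own tooling: a POSIX shell function that looks only at the most recent Kerberos start-up run in the native log and reports which of the three failure signatures it contains. The function names, output wording and sample log are constructed for illustration; treating a "kerberos : KRB5_CONFIG:" line as the start of a run is an assumption based on the log excerpts above.

```shell
#!/bin/sh
# Added example (not SafeSquid code): classify the latest Kerberos start-up run
# in the native log against the three failure signatures described above.

# Print only the most recent run. Assumption: each run starts with a
# "kerberos : KRB5_CONFIG:" line, as in the log excerpts on this page.
last_run() {
    awk '/kerberos : KRB5_CONFIG:/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}

# kerb_triage LOGFILE: prints one line per finding; returns 1 if any was found.
kerb_triage() {
    run=$(last_run "$1")
    found=0
    has() { printf '%s\n' "$run" | grep -qF -- "$1"; }

    # Case 1: kinit cannot write its credential cache (/tmp is full).
    if has 'Failed to write FILE credential data'; then
        echo "CASE1 credential cache not written: check 'df -kh /tmp'"
        found=1
    fi
    # Case 2: keytab file missing, msktutil falls through to method 5.
    if has 'krb5_get_init_creds_keytab failed (No such file or directory)' &&
       has 'Authenticated using method 5'; then
        echo "CASE2 keytab missing (method 5): restart the SafeSquid service"
        found=1
    fi
    # Case 3: the proxy's own FQDN is not found on the AD DNS server.
    fqdn=$(printf '%s\n' "$run" |
           sed -n 's/.*lookup: failed MY_FQDN: *\([^ ]*\).*/\1/p' | tail -n 1)
    if [ -n "$fqdn" ]; then
        echo "CASE3 $fqdn not resolvable: set hostname to the common FQDN"
        found=1
    fi
    if [ "$found" -eq 0 ]; then echo "OK no known Kerberos failure signature"; fi
    return "$found"
}

# Constructed sample: an older failed run followed by a healthy run.
write_sample() {
    cat > "$1" <<'EOF'
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kinit: krb5_init_creds_store: Failed to write FILE credential data
kerberos : kinit: failed]
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : kinit: successful
 -- finalize_exec: Authenticated using method 1
EOF
}

# Stand-alone use: pass the log path as the first argument.
if [ -r "${1:-}" ]; then kerb_triage "$1"; fi
```

Because only the last run is evaluated, a failure that was already fixed by a restart is not reported again.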