Squid Proxy integration with Active Directory – The quick and simple way

UPDATE: This guide originally showed you how to configure Squid to authenticate with Pam. However as many people have been searching for ways to authenticate with Kerberos, I have updated this article to refect the necessary changes.

The upside is, you now have Single Sign On (SSO) as a bonus. Your users will not be prompted for authentication when accessing the proxy server.

 

So, before we start. This guide will walk you through setting up a Red Hat Enterprise Linux 6.3 server running Squid Cache to authenticate Active Directory 2008R2 users.

Before proceeding with this article, please make sure you have added your Linux server to the Active Directory domain.You can use the guide here to get up and running quickly.

Now that we have the prerequisite completed, lets crack on.

1. Install the necessary packages.

yum install -y squid

2. Set Squid to start on boot

chkconfig squid on

3. Edit /etc/squid/squid.conf and add the below lines to the top of the file.

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE

4. Edit /etc/squid/squid.conf again, to change the rules that allow access to Squid.
Find the section “INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS” and change the lines beneath to reflect the following.

#http_access allow localnet
#http_access allow localhost
http_access allow ad_auth

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

5. Now we need to create a service principle keytab file from Active Directory. You will need to install msktutil from the EPEL repositories to do this.

[root@proxy01 /]# yum install -y msktutil

[root@proxy01 /]# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
[root@proxy01 /]# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.example.com --server dc01.example.com --enctypes 28    

[root@proxy01 /]# chgrp squid /etc/squid/squid.keytab

[root@proxy01 /]# chmod 740 /etc/squid/squid.keytab

 

6. Update your Squid startup script to load your new keytab file on service startup.

Edit /etc/init.d/squid and find the section that looks as follows

start() {
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
.......

and add the two additional lines so it appears as follows

start() {
KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
.......

Save and exit, then start/restart the service

[root@proxy01 /]# service squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]
[root@proxy01 /]#

7. Open port 3128 on your local firewall

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
service iptables save

8. Configure your browser of choice to point to your Squid server. Please refer to your Browsers documentation on how to do this.

9. Watch the Squid logs whilst you attempt to browse the web

tail -f /var/log/squid/*

When you browse to a url, if all things work perfectly, you will proceed to the url. This means your authentication was successful.

10. Verify the output in your logs.
If you have authenticated successful in your browser, you will see something like the below in your logs. In this situation, I authenticated as the user “wuser1”.

==> /var/log/squid/access.log
1343654614.470   2902 10.0.2.200 TCP_MISS/200 15355 GET http://www.redhat.com/ wuser1@EXAMPLE.COM DIRECT/2.19.119.214 text/html

17 comments on “Squid Proxy integration with Active Directory – The quick and simple way

  1. Roloand September 4, 2013 19:49

    Great tutorial,

    Is this tutorial applicable to a Windows 2003 domain?

    Roland

  2. kastro October 22, 2013 13:38

    This procedure will ask for a login prompt to the users who r not on the domain.

    • Dale Macartney October 28, 2013 09:20

      Hi kastro

      Yes this is correct. Single Sign On validates the authentication from the domain to which the users and the computers are associated to.

      If any user accesses the proxy with a non-domain user account or computer, they will be prompted for a domain username and password.

      Dale

  3. David Zhang December 16, 2013 22:54

    Great! Thank you very much for sharing

  4. Kazuma April 8, 2014 09:19

    Hi Dale,

    I want to know the capacity to use a proxy squid with redhat 6.3 just for the authentication with active directory with windows 2008 r2 to be great. I will use only the proxy for that ans i need a good conf for the server redhat, how much RAM, Disk etc to be fine for sure.

    Help will be apreciate 🙂 Sorry for my bad english level

  5. Agnelo Fernandes May 12, 2014 18:27

    Hi Dale,
    Thanks allot for sharing this great article.
    After following all the steps in this article (and the previous one) when I try to use IE 11 with this squid as proxy server it doesn’t work and I found this lines in cache.log:

    2014/05/12 18:16:32 kid1| helperOpenServers: Starting 1/10 ‘negotiate_kerberos_auth’ processes
    2014/05/12 18:16:32 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}
    2014/05/12 18:16:34 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}
    2014/05/12 18:17:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}

    I’m using squid 3.4.4 with Centos 6.5 x86_64. Instead of squid_kerb_auth this squid version has negotiate_kerberos_auth.

    Can you help me on this?

    Regards,
    Agnelo

  6. Parag July 1, 2014 02:59

    Hi, Great work !!
    i have to assign win active directory groups access for certain websites…
    so that i downt hav to go and do changes in squid.conf every time…

    example : groupyahoo –> members of groupyahoo can access yahoo.com

  7. Birendra July 21, 2014 13:39

    Step 5. [root@proxy01 /]# msktutil -c -b “CN=COMPUTERS” -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab –computer-name proxy02 –upn HTTP/proxy02.example.com –server dc01.example.com –enctypes 28

    Which server are you indicating as proxy02.example.com

  8. titi July 31, 2014 09:15

    Hi,

    I followed the 2 tutorials (joining linux to NT domain and this one), but when I configured the browser to point on the IP / port, it’s always requiring authentication and normal user is not authorized, only admin domain is accepted? Could you help please!

  9. Shailendra Sharma September 12, 2014 10:30

    Hello Dale Macartney,
    Thanks for your great writeup. I followed the same on CentOS 6.5 with Active Directory windows Server 2008 R2 Server but I am failing to browse using proxy. It brings error message

    “authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned ‘BH received type 1 NTLM token'”

    What could be the reason?

    Thanks

  10. Luis September 18, 2014 20:45

    Hi,
    I have a question. In this line:

    [root@proxy01 /]# msktutil -c -b “CN=COMPUTERS” -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab –computer-name proxy02 –upn HTTP/proxy02.example.com –server dc01.example.com –enctypes 28

    the proxy02.example.com is a second proxy server?

  11. Ramin November 13, 2014 22:49

    Dear Dale Macartney,
    I got following error
    ==> /var/log/squid/access.log /var/log/squid/cache.log <==
    2014/11/14 02:44:02| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:44:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:45:38| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:45:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:05| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:22| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:27| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:28| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:30| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2014/11/14 02:46:33| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

    What is the problem. Could you please help me.
    Thanks in advanced!

  12. Angelo Polatto August 13, 2015 12:56

    Amazing step by step, there is some dependencies that are not seen here, however with some basic research over internet I was capable of make it work, thanks for your help!

  13. Ryan February 25, 2016 16:01

    Great tutorial. I’m running into a couple issues on CentOS 7, as it uses systemd. Thus, there is no /etc/init.d/squid file, making step 6 a challenge. In addition, I do not have /usr/lib64/squid/squid_kerb_auth on my system (line 1 of Step 3). Not sure if I have to grab that from somewhere or if I missed a package along the line. If you have any suggestions, they would be appreciated. Thanks!

  14. Nilesh Gavali June 8, 2016 19:53

    Hello Dale;
    Thanks for the simple article.

    followed the steps given but getting below error in cache.log

    squid_kerb_auth: ERROR: gss_accept_sec_context () failed: Unspecified GSS failure. Minor code may provide more information.
    authenticateNegotiateHandlereply: Error validating user via negotiate. Error returned ‘BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.

    your helpp will be much appriciate.

    regards;
    Nilesh Gavali.

  15. jeans manuel August 15, 2016 18:59

    Hello
    I have a dominio.com, found in Windows 2012R2
    and I want to mount a linux squid proxy, and that user groups authenticates domain with ACTIVE DIRECTORY
    I want to explain to me, as I can use ACTIVE DIRECTORY users in the proxy linux?
    ——————————————————————————
    Tengo un dominio en windows SERVER 2012R2 DATACENTER y deseo un proxy con linux (squid) y que los usuarios creados en el Active Directory (aparezcan, integrado, sincronicen) con el SQUID?
    que los usuarios de windows sean los mismo que en linux?
    ********************************
    I have a domain in Windows Server 2012R2 and desire DATACENTER with linux proxy (squid) and that users created in the Active Directory (appear, integrated, synchronized) with the SQUID?
    Windows users are the same as in linux?

Leave a Reply to Ryan Cancel Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>