High Security: Active Directory services provide layered security, encompassing various policies and permissions to ensure security at different levels.
This multi-tiered approach to security ensures that network resources are protected against unauthorized access.
Scalability and Extensibility: AD services are easily scalable, making them ideal for growing organizations.
They can be extended to accommodate new users, groups, and resources without compromising performance or security.
Consistent User Environment: Regardless of the computer or location from which users log on, Active Directory ensures they experience the same settings and access privileges.
This consistency is vital for organizations with multiple locations or remote workers.
Efficient Object Management: Active Directory provides a streamlined mechanism for locating and managing objects (users, groups, computers, etc.) within the network, enhancing overall administrative efficiency.
Integrating a proxy-based web gateway with Microsoft AD or OpenLDAP offers several advantages, especially for large network enterprises:
User Authentication: The integration allows for authentication of users based on their Directory Service credentials.
This means that users can access network resources and the internet using the same set of credentials, simplifying the login process and enhancing security.
Access Control Based on Roles and Hierarchy: The web gateway can control user access to the web based on their roles and positions within the organization.
This ensures that users only access internet resources relevant to their job functions, enhancing both security and productivity.
Activity Logging and Reporting: With integration, the web gateway can log and report internet usage by individual users and groups.
This data is invaluable for HR managers and IT administrators for monitoring and analyzing web usage patterns within the organization, aiding in policy formulation and enforcement.
In summary, Active Directory services play a pivotal role in maintaining network integrity, managing user access efficiently, and ensuring a consistent user experience across an organization.
The integration of a proxy-based web gateway with AD or OpenLDAP centralizes user authentication and access control, streamlining network management and enhancing security.
How Kerberos authentication works
Prerequisites
Collect the following information before starting integration.
LDAP Server Fully Qualified Domain Name (FQDN) and IP address.
LDAP administrator username and password (any user on the LDAP server who has administrator privileges can be used).
LDAP Server Base DN
LDAP Server Domain name
Check the hostname and domain of your proxy server.
Disabling dnssec-validation
Why Disable dnssec-validation?
DNSSEC-validation in BIND 9 is the process of verifying the authenticity and integrity of DNS data using DNSSEC.
This process ensures that the DNS responses are not tampered with and are authentic as per the originating authoritative DNS server.
However, Active Directory's integrated DNS service, especially in older versions, may not fully support DNSSEC.
DNSSEC involves complex cryptographic operations for signing and validating DNS responses, which may not be natively handled by AD's DNS services.
How to disable dnssec-validation
Access command line interface of your proxy server
Edit /etc/bind/named.conf.options using nano or vim.
By default, dnssec-validation is set to yes.
When configuring SafeSquid to integrate with LDAP, change the value of dnssec-validation to no and save the file. Note that this turns off validation for every query this BIND instance answers, not only those forwarded to your AD DNS server.
Now restart your bind9/named service.
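The edit described above, as an added shell example that is not part of the SafeSquid documentation: the function rewrites the dnssec-validation directive in a BIND options file whose path is passed in, keeps a timestamped backup, and runs named-checkconf when it is installed. The directive name and its values (yes, no, auto) are BIND's own; the sample file it is exercised on is constructed.

```shell
#!/bin/sh
# Added example (not SafeSquid's own tooling): switch the dnssec-validation
# directive in a BIND options file, keeping a backup and verifying the result.
# Usage: set_dnssec_validation /etc/bind/named.conf.options no

set_dnssec_validation() {
    conf="$1"
    value="$2"   # one of BIND's accepted values: yes, no or auto
    case "$value" in
        yes|no|auto) ;;
        *) echo "invalid dnssec-validation value: $value" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }
    # keep a timestamped copy so the change can be reverted
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    if grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(yes|no|auto)[[:space:]]*;' "$conf"; then
        # rewrite the existing directive in place
        sed -Ei "s/^([[:space:]]*dnssec-validation[[:space:]]+)(yes|no|auto)([[:space:]]*;)/\1$value\3/" "$conf"
    else
        # no directive present: insert one at the top of the options block
        sed -Ei "s/^([[:space:]]*options[[:space:]]*\{)/\1\n\tdnssec-validation $value;/" "$conf"
    fi
    # syntax check when the BIND tools are available (named-checkconf ships with bind9)
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" || return 1
    fi
}

# Print the current dnssec-validation value (empty if the directive is absent).
current_dnssec_validation() {
    sed -En 's/^[[:space:]]*dnssec-validation[[:space:]]+(yes|no|auto)[[:space:]]*;.*/\1/p' "$1" | head -n1
}

# Stand-alone use: set_dnssec_validation.sh /etc/bind/named.conf.options no
if [ -n "${1:-}" ]; then
    set_dnssec_validation "$1" "${2:-no}" && echo "dnssec-validation is now $(current_dnssec_validation "$1")"
fi
```

After running it against the real file, restart bind9/named as the section above says; the backup lets you restore the previous setting once the AD integration is verified.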
Ensuring DNS resolution via Bind9/Named.
Why name resolution must be done via bind9/named
When integrating SafeSquid with your Active Directory (AD) server, a new zone file is created for bind9/named to set up conditional forwarding.
This means that all DNS queries for your domain are resolved by your AD DNS server.
So, if a name server other than bind9/named is used, SafeSquid will not be able to perform conditional DNS forwarding.
How to check which DNS server SafeSquid is using for name resolution
You can validate this with the command below.
nslookup safesquid.com
The search domain should be set to your domain name.
If the search domain is not present, add it to your netplan configuration.
Edit /etc/netplan/01-netcfg.yaml and add your domain in the search section of the configuration.
Save and exit the file.
Apply the changes made to the configuration file (netplan apply).
Now check your resolv.conf file.
If you have multiple domains, add the second right after the first on the same search line, separated by a space, then check resolv.conf again.
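An added shell example, not from the SafeSquid documentation, that checks the outcome of the steps above on a resolv.conf-style file: it reports the first nameserver and whether your domain is in the search list, including the multiple-domain case. The file is passed in as a path so the functions can be run against a constructed copy. The loopback check assumes that bind9/named runs on the proxy itself and is the resolver that resolv.conf points to; treat it as a hint, not a hard rule.

```shell
#!/bin/sh
# Added example: inspect a resolv.conf-style file to confirm that the
# corporate domain is in the search list and report the resolver in use.
# Usage: check_resolver_setup /etc/resolv.conf example.corp

# Print the search domains; like the resolver, the last "search" line wins.
search_domains() {
    awk '$1 == "search" { $1 = ""; out = $0 } END { sub(/^[ \t]+/, "", out); print out }' "$1"
}

# Return 0 if DOMAIN appears in the search list (case-insensitive).
has_search_domain() {
    file="$1"; domain="$2"
    want=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    for d in $(search_domains "$file"); do
        if [ "$(printf '%s' "$d" | tr 'A-Z' 'a-z')" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Print the first nameserver listed.
primary_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Combined check: resolver is local (assumption: bind9/named on the proxy) and
# the search domain is present. Returns non-zero if either check fails.
check_resolver_setup() {
    file="$1"; domain="$2"; ok=0
    ns=$(primary_nameserver "$file")
    case "$ns" in
        127.*|::1) echo "resolver: $ns (local)" ;;
        "") echo "no nameserver configured in $file" >&2; ok=1 ;;
        *) echo "resolver: $ns is not local; check that bind9/named is the resolver" >&2; ok=1 ;;
    esac
    if has_search_domain "$file" "$domain"; then
        echo "search domain $domain present"
    else
        echo "search domain $domain missing from $file" >&2; ok=1
    fi
    return $ok
}

# Stand-alone use: check_resolver.sh example.corp [/etc/resolv.conf]
if [ -n "${1:-}" ]; then
    check_resolver_setup "${2:-/etc/resolv.conf}" "$1"
fi
```

On a host that uses systemd-resolved, resolv.conf points at 127.0.0.53 rather than bind9; the loopback check passes in that case, so also confirm with nslookup which server actually answered.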
Check the permissions of the /tmp directory.
The /tmp directory must be readable, writable and executable by all users, with the sticky bit set (the standard mode for /tmp, so that users cannot delete each other's temporary files).
This is essential because SafeSquid needs to create temporary files there when generating Kerberos tickets.
You can set the required permissions on /tmp with the command below.
chmod 1777 /tmp
Check that your monit service is running and monitoring files.
Why is the monit daemon required?
Monit is a versatile tool for managing and monitoring Unix systems, primarily used for automatic maintenance of services and system health monitoring.
It runs as a daemon and can restart failed services and track system metrics and configuration files.
Monit is used to monitor the /usr/local/safesquid/security/dns/safesquid.dns.conf file.
The safesquid.dns.conf file is responsible for your domain's DNS conditional forwarding.
How to check monit status
You can check the status of monit with the command below.
How to check service and file monitoring status for monit
Using monit summary, you get a concise overview of the status of all services and system resources being monitored.
Check the status of watch.safesquid.dns.conf.
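An added shell example covering the two checks above (the /tmp permissions and the monit watch on safesquid.dns.conf); it is not SafeSquid's or monit's own tooling. The monit summary layout it parses (one line per service: name, status words, type) and the Accessible status for file checks are assumptions about monit 5.x output; the sample summary used when exercising it is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for /tmp permissions and for the monit
# watch on safesquid.dns.conf. Assumes monit 5.x "monit summary" layout.

# Return 0 if DIR is world-writable with the sticky bit set (mode 1777).
# Uses ls -ld rather than stat so it works on GNU and BSD userlands.
tmp_mode_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxrwt
    [ "$perms" = "drwxrwxrwt" ]
}

# Print the status column for service NAME from monit summary text SUMMARY.
# Assumed layout (constructed from monit 5.x): "<name> <status words> <type>",
# so the status is everything between the first and the last column.
# Returns 1 if the service is not listed.
monit_service_status() {
    summary="$1"; name="$2"
    printf '%s\n' "$summary" | awk -v n="$name" '
        $1 == n {
            st = ""
            for (i = 2; i < NF; i++) st = st (i > 2 ? " " : "") $i
            print st; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the file watch is reported Accessible (assumed OK state for file checks).
dns_conf_watch_ok() {
    st=$(monit_service_status "$1" "watch.safesquid.dns.conf") || return 1
    [ "$st" = "Accessible" ]
}

# Live run against this host: run_checks
run_checks() {
    rc=0
    if tmp_mode_ok /tmp; then echo "/tmp: mode 1777 ok"; else echo "/tmp: expected mode 1777" >&2; rc=1; fi
    if command -v monit >/dev/null 2>&1; then
        summary=$(monit summary 2>/dev/null) || { echo "monit summary failed; is the daemon running?" >&2; return 1; }
        if dns_conf_watch_ok "$summary"; then
            echo "monit: watch.safesquid.dns.conf is Accessible"
        else
            echo "monit: watch.safesquid.dns.conf is not Accessible (status: $(monit_service_status "$summary" watch.safesquid.dns.conf 2>/dev/null || echo 'not listed'))" >&2
            rc=1
        fi
    else
        echo "monit is not installed" >&2; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Invoke the script with --run on the proxy to perform both checks at once; a non-zero exit means one of the prerequisites in this section is not met.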
Adding DNS Entry in your Active directory
Open “Server Manager”.
Click on “Forward Lookup Zones”.
Select your domain.
Right-click your domain and select New Host (A or AAAA).
Enter the hostname and IP address of your proxy server.
To find the hostname of your proxy server, run hostname -f on the proxy; it prints the fully qualified hostname. The ifconfig -a command shows the IP address of your proxy server.
Ping your proxy server by its FQDN from a command prompt on your Windows server.
Integrating your windows active directory server with SafeSquid
Creating a new LDAP policy.
For the “Ldap FQDN\IP” enter your Ldap FQDN and IP as shown.
Select Ldap Bind Method as NEGOTIATE_LDAP_AUTH
Enter the username for the administrator account.
Enter your password twice.
Enter the Basedn.
Enter LDAP Domain
Save policy.
Now check if you can view your LDAP entries.
For situations where you are unable to
Go to Access restriction.
Set SSO as TRUE
Create a new access policy with PAM authentication set to TRUE.
Users can now access websites via proxy without providing credentials.
(Note: if you are not authenticated on the first try, sign out of your desktop and sign back in.)
Configuring your client desktop
Check your DNS server.
Open the network settings in Windows.
Open Run with Win + R and enter ncpa.cpl.
Check the DNS settings of your primary network interface, or of the interface connected to your corporate LAN.
Click Details for additional information.
Your IPv4 DNS server should be your AD server.
Configure the proxy server on your client desktop.
Note: when configuring your proxy settings, make sure you use the FQDN and not the IP address of your proxy server.
Open your browser and start browsing.
Note: you should be authenticated without being prompted for credentials. If you are prompted for authentication, recheck that you have followed all the steps above correctly.
Validating using client_id