Kerberos SSO Authentication Setup

The objective of this authentication method is that users do not have to enter their credentials: the software automatically detects which user group the user belongs to and applies the restrictions accordingly.

Overview

After installing Windows Server and integrating AD with SafeSquid, we need to configure the DNS settings in Windows Server. This document gives step-by-step instructions on how to configure DNS. After completing this, we need to add the same credentials we used while setting up our DNS into the browser. Then we will be able to view the user group that we have created in the Developer Tools section of the browser.

Prerequisite

Microsoft Windows Server needs to be installed and running on a machine. Steps to install Windows Server: Get started with Windows Server 2019 | Microsoft Docs
Microsoft AD needs to be integrated with SafeSquid for SSO authentication. Instructions: https://help.safesquid.com/portal/en/kb/articles/integrate-active-directory-for-sso-authentication

Client Scenario

Since we want to use the FQDN of the proxy server and not the IP address, we need to create a new host and assign the required domain name. For this we go to the AD we created, named 'mann-ad.safesquid'. Create a new host and set its name to 'sabproxy'. In the FQDN field we enter 'sabproxy.mann-ad.safesquid', and as the IP address '192.168.56.101'. Now go to the browser settings and select Manual Proxy Configuration. Here we enter the HTTPS proxy as sabproxy.mann-ad.safesquid. We should now be able to see all the created users in the Network tab in Developer Tools.

Procedure

Step 1: Configure the DNS settings:

To achieve this, you will not use the <IP address>:<port> format; instead we will use the FQDN of the proxy server. To set up DNS for the FQDN, follow these steps.
  1. Open Server Manager on the Windows Server and click on Tools in the top right corner of the menu.
  2. Now select the DNS option. The DNS Manager window will appear.
  3. Click on Forward Lookup Zones.
  4. Select the AD which you created or integrated with SafeSquid; in my case it is mann-ad.safesquid.
  5. Right-click on it and select New Host (A or AAAA).
  6. Now this is the most important step. For this step you need to know your domain name. To find it, run the hostname -f command on the SafeSquid machine. You will find your domain name there. The domain name in my case is sabproxy.
  7. Enter the name, FQDN and IP address in the fields (in this example: 'sabproxy', 'sabproxy.mann-ad.safesquid' and '192.168.56.101'). Note: The IP address should be the IP of the SafeSquid machine.
  8. Click on Add Host. It will add the DNS host.

Step 2: Configuring Settings in the Browser

  1. To use the proxy, open the web browser, go to Settings and search for the proxy settings.
  2. Select the manual configuration option. Enter the FQDN which you just created in step 7 in the Proxy field and enter 8080 as the port number.
  3. Click OK and restart the browser.

Output

  1. Now go to any website, right-click on the page and select Inspect Element.
  2. Select the Network option from the navigation menu.
  3. Reload the page and select any field.
  4. You will see the user group which you have created.
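
The procedure above can also be checked from a client without the browser. The following is an added example, not SafeSquid's own code: it confirms that the new host record resolves to the SafeSquid IP and that the proxy offers the Negotiate (Kerberos/SPNEGO) scheme. The function names are hypothetical, the sample replies are constructed, and it assumes the proxy answers an unauthenticated request with a standard HTTP 407 challenge.

```python
import socket

# Values taken from the article's example; change them for your network.
PROXY_FQDN, PROXY_IP, PROXY_PORT = "sabproxy.mann-ad.safesquid", "192.168.56.101", 8080

def resolves_to(fqdn, expected_ip, resolver=socket.gethostbyname_ex):
    """True if the FQDN's A records include expected_ip (Step 1 worked)."""
    try:
        return expected_ip in resolver(fqdn)[2]
    except OSError:  # gaierror/herror: the name does not resolve
        return False

def offered_schemes(raw):
    """Return (status code, auth schemes named in Proxy-Authenticate headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            # First token of the header value is the scheme of its first challenge.
            schemes.append(value.split()[0].rstrip(",").lower())
    return status, schemes

def sso_ready(raw):
    """True if the proxy answers 407 and offers Negotiate (Kerberos/SPNEGO)."""
    status, schemes = offered_schemes(raw)
    return status == 407 and "negotiate" in schemes

def probe(fqdn=PROXY_FQDN, port=PROXY_PORT, timeout=5):
    """Send one unauthenticated request to the proxy and return its raw reply."""
    with socket.create_connection((fqdn, port), timeout=timeout) as s:
        s.sendall(b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n")
        return s.recv(4096)

# Constructed sample replies (not captured from a real SafeSquid instance).
SAMPLE_NEGOTIATE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                    b"Proxy-Authenticate: Negotiate\r\n"
                    b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")
SAMPLE_BASIC_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")

if __name__ == "__main__":
    print("Negotiate offered:", sso_ready(SAMPLE_NEGOTIATE))
    print("Basic only:", sso_ready(SAMPLE_BASIC_ONLY))
```

On a client that uses the Windows Server for DNS, call resolves_to(PROXY_FQDN, PROXY_IP) and sso_ready(probe()); a proxy that offers only Basic would have users sending passwords instead of using SSO.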
