If your configuration exactly matches the How To and SSO authentication still fails, check the following:
1. Make sure the User Name is an AD user with administrative permissions, e.g. administrator@safesquid.test
2. The Monit service must be up. Verify it using the command:
- root@sabproxy:~# pidof monit
- 19940
3. As soon as you save the policy with NEGOTIATE_LDAP_AUTH selected, the kerberos.sh script runs automatically from the path /usr/local/safesquid/ui_root/cgi-bin
3.1. Verify that the files below exist at the path /usr/local/safesquid/security:
HTTP.keytab
krb5.conf
krb.tkt
3.2. SafeSquid creates a stub zone for DNS resolution of your Active Directory server.
The stub zone file is created with the name safesquid.dns.conf
at the path /usr/local/safesquid/security/dns
- Run command: cat safesquid.dns.conf
|
|
masters {192.168.221.1;};
|
|
It is also copied automatically to the path /etc/bind/
- Run command: cat safesquid.dns.conf
|
|
masters {192.168.221.1;};
|
|
(Note: the Monit service must be up.)
If any one of the above entries is missing, you have to repeat all the steps again.
First remove all the files listed above from the paths given above.
Then start the monit service, repeat all the steps, and capture the logs:
- Command: tail -F /var/log/safesquid/native/safesquid.log
4. Go to Access Restriction > GLOBAL >> SSO: TRUE
5. ALLOW List: Policy with PAM: TRUE
6. Testing SSO Auth
6.1. Go to a Windows machine that is joined to the AD domain, e.g. windows7.safesquid.test
6.2. In the browser, set the proxy to the FQDN of the proxy server (sabproxy.safesquid.test)
6.3. Access any website (an authentication prompt should not appear)
6.4. Open the extended logs
- Command: tail -F /var/log/safesquid/extended/extended.log
Find <username>@<SAFESQUID.TEST>@ 192.168.221.212 (IP address of the Windows machine that is in the domain)
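
The checks from steps 2, 3.1 and 3.2 can be run in one pass with the script below. It is an added example, not part of SafeSquid or of the original page; the function names and the optional root-prefix argument are assumptions made for illustration, and the keytab permission warning is an extra check that the page does not list.

```shell
#!/bin/sh
# Added example, not SafeSquid code. Paths and file names are the ones listed
# in steps 3.1 and 3.2; the optional root prefix argument is an assumption
# that lets the check run against a copy of the filesystem.

check_monit() {            # step 2: monit must be running
    pidof monit >/dev/null 2>&1
}

check_sso_artifacts() (    # subshell body keeps the variables local
    root="${1:-}"
    sec="$root/usr/local/safesquid/security"
    zone="$sec/dns/safesquid.dns.conf"
    bind_zone="$root/etc/bind/safesquid.dns.conf"
    missing=0

    # Step 3.1: files generated when the policy is saved
    for f in "$sec/HTTP.keytab" "$sec/krb5.conf" "$sec/krb.tkt"; do
        if [ ! -s "$f" ]; then
            echo "MISSING or empty: $f"
            missing=1
        fi
    done

    # Step 3.2: stub zone file in both locations, each with a masters entry
    for f in "$zone" "$bind_zone"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            missing=1
        elif ! grep -q 'masters[[:space:]]*{' "$f"; then
            echo "NO masters entry: $f"
            missing=1
        fi
    done

    # The /etc/bind file is described as a copy, so the two should match
    if [ -f "$zone" ] && [ -f "$bind_zone" ] && ! cmp -s "$zone" "$bind_zone"; then
        echo "DIFFERS: $bind_zone vs $zone"
        missing=1
    fi

    # Extra check (not from the page): the keytab holds the proxy's Kerberos
    # service key, so warn if it is world-readable. Does not affect the result.
    if [ -n "$(find "$sec/HTTP.keytab" -perm -004 2>/dev/null)" ]; then
        echo "WARNING: $sec/HTTP.keytab is world-readable"
    fi

    [ "$missing" -eq 0 ]
)

# On the proxy: check_monit && check_sso_artifacts && echo "artifacts OK"
```

A non-zero result means at least one entry is missing, which is the case where the files are removed and the steps repeated.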