SSO Authentication Fail

Troubleshooting

If your configuration matches the How to exactly and SSO authentication still fails, check the following.
1. Check the User Name, e.g. administrator@safesquid.test. The user name should be any user from AD that has administrative permissions.
2. The Monit service must be up. Verify it using the command below; a PID in the output means monit is running:
   root@sabproxy:~# pidof monit
   19940

3. As soon as you save the policy with NEGOTIATE_LDAP_AUTH selected, the kerberos.sh script runs automatically from the path /usr/local/safesquid/ui_root/cgi-bin
3.1. Verify that the following files exist at the path /usr/local/safesquid/security:
   HTTP.keytab
   krb5.conf
   krb.tkt

3.2. SafeSquid will create the stub zone for DNS resolution of your Active Directory server.
The stub zone file is created with the name safesquid.dns.conf at the path /usr/local/safesquid/security/dns
   Run command: cat safesquid.dns.conf
   zone safesquid.test {
   type stub;
   masters {192.168.221.1;};
   };
It is also copied automatically to the path /etc/bind/
   Run command: cat safesquid.dns.conf
   zone safesquid.test {
   type stub;
   masters {192.168.221.1;};
   };
Notes
Note: The Monit service must be up.
If any one of the above entries is missing, you have to repeat all the steps.
First, remove all the given files from the above path.
Start the monit service, repeat all the steps and capture the logs:
   Command: tail -F /var/log/safesquid/native/safesquid.log
4. Go to Access Restriction > GLOBAL >> SSO: TRUE
5. ALLOW List: Policy with PAM: TRUE
6. Testing SSO Auth
6.1. Go to a Windows machine that is joined to the AD domain, e.g. windows7.safesquid.test
6.2. In the browser, set the PROXY as the FQDN of the proxy server (sabproxy.safesquid.test)
6.3. Access any website (the authentication prompt should not appear)
6.4. Open the extended logs
   Command: tail -F /var/log/safesquid/extended/extended.log
Find <username>@<SAFESQUID.TEST>@ 192.168.221.212 (IP address of the Windows machine which is in the domain)
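
The file checks from steps 2 to 3.2, collected into one script as an added example (not SafeSquid's own tooling). The function names and the --check argument are assumptions; the paths and file names are the ones listed above. It also compares the two copies of the stub zone, which the steps above only inspect by eye.

```shell
#!/bin/sh
# Preflight check for the files listed in steps 3.1 and 3.2.
# Default paths are the ones this article names; other directories can be passed in.
SEC_DIR_DEFAULT=/usr/local/safesquid/security
BIND_DIR_DEFAULT=/etc/bind

# Succeeds when the file exists and is not empty.
nonempty() { [ -s "$1" ]; }

# Succeeds when the file holds a zone of type stub with a masters list.
is_stub_zone() {
    grep -Eq '^[[:space:]]*zone[[:space:]]+[^[:space:]]+[[:space:]]*\{' "$1" &&
    grep -Eq 'type[[:space:]]+stub[[:space:]]*;' "$1" &&
    grep -Eq 'masters[[:space:]]*\{[^}]*[0-9]' "$1"
}

# Prints one line per problem and returns the number of problems found.
check_sso_files() {
    sec=${1:-$SEC_DIR_DEFAULT}; bind=${2:-$BIND_DIR_DEFAULT}; bad=0
    for f in HTTP.keytab krb5.conf krb.tkt; do
        nonempty "$sec/$f" || { echo "MISSING: $sec/$f"; bad=$((bad + 1)); }
    done
    src="$sec/dns/safesquid.dns.conf"; dst="$bind/safesquid.dns.conf"
    for z in "$src" "$dst"; do
        if ! nonempty "$z"; then
            echo "MISSING: $z"; bad=$((bad + 1))
        elif ! is_stub_zone "$z"; then
            echo "NOT A STUB ZONE: $z"; bad=$((bad + 1))
        fi
    done
    # The copy under /etc/bind should be identical to the generated file.
    if nonempty "$src" && nonempty "$dst" && ! cmp -s "$src" "$dst"; then
        echo "MISMATCH: $dst differs from $src"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Run against the live paths only when asked: sh check_sso.sh --check
if [ "${1:-}" = "--check" ]; then
    pidof monit >/dev/null || echo "monit is not running"
    check_sso_files && echo "all SSO files present" || echo "repeat the steps above"
fi
```

Any line it prints corresponds to an entry that the Notes above say requires repeating the steps.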

