Re: Re: squid client authentication against AD computer account


 



Hi Manoj,


The only way I see this can work is to use my experimental local proxy to support applications which don't support Negotiate authentication. You can find it here: http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/

c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog

(It will run the client as a Service under the machine account.)

It will start a local proxy listening on port 8080 and when connecting to the proxy (on port 3128) it will add Negotiate with the machine ID.

A squid log entry would look like:

2010/10/03 14:35:45| squid_kerb_auth: Decode 'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w==' (decoded length: 1198).
2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME

The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a user. (WINXP$ is the samaccountname of the machine in AD.)

Regards
Markus

"Manoj Rajkarnikar" <manoj.rajkarnikar@xxxxxxxxx> wrote in message news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK@xxxxxxxxxxxxxxxxx
Does any of the authentication methods include the computer name in
the authentication tokens?? I can setup any auth method if any of it
supports it. I basically want to authenticate client computers by the
hostname as registered in the AD.

Thanks everyone.

On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
<manoj.rajkarnikar@xxxxxxxxx> wrote:
Hi Matus.

On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
<uhlar@xxxxxxxxxxx> wrote:
On 15.09.10 12:59, Manoj Rajkarnikar wrote:
Thanks for the quick response Marcus.

The reason I need to limit computer account and not user account is
that people here move out to distant branches and the internet access
policy is to allow to the position they hold, and thus the computer
they will use.

I somehow don't understand this. Maybe it's my English.
Do you need to control access for the user+computer combination?

I need to control access based on computer account as registered in
the AD server.


I've successfully setup the kerberos authentication but I don't see
how squid will fetch the computer information from client request and
authorize it based on the group membership in AD. What I wish to
accomplish is:

1. create a security group in AD
2. add computer accounts to this security group
3. squid checks if the computer trying to access internet is member of
this security group.
4. if not, don't allow access to internet or request of AD user login
that is allowed.

This seems that you want to allow access from some computers to the net, no
matter which user is logged in. Why not use ip-based or maybe
hardware_address-based authentication then?

That is correct.
We have dhcp all over our network so ip-based is a bad idea.
For hardware_address-based auth, will have to maintain a very large
list of hardware addresses.. not a good idea but considerable (if
computer account based auth doesn't work)..

Also to be noted that computer account based authentication would be
more secure as only a handful of admins have domain administrator
level access, so it will be hard to spoof.


--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
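
Added example, not part of the original thread and not code from squid_kerb_auth or squid_kerb_ldap: it takes the principal from an `AF` log line like the one Markus shows, accepts only machine accounts (sAMAccountName ending in `$`) from the expected realm, and builds an escaped LDAP filter for the security-group check Manoj describes. `GROUP_DN` and all sample lines after the first are assumptions made for illustration.

```python
import re

# "AF <token> <principal>" is what the helper logs on success, as in the thread.
AF_RE = re.compile(r"squid_kerb_auth: AF (\S+) (\S+)\s*$")

ALLOWED_REALM = "WIN2003R2.HOME"  # realm seen in the log line on the page
# Hypothetical security group holding the computer accounts (not from the thread).
GROUP_DN = "CN=ProxyComputers,OU=Groups,DC=win2003r2,DC=home"

SAMPLE_LOG = [  # first line is from the page; the others are constructed
    "2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME",
    "2010/10/03 14:36:02| squid_kerb_auth: AF AA== alice@WIN2003R2.HOME",
    "2010/10/03 14:36:10| squid_kerb_auth: AF AA== PC*)$@WIN2003R2.HOME",
    "2010/10/03 14:36:15| squid_kerb_auth: AF AA== LAPTOP$@OTHER.EXAMPLE",
]

def parse_principal(line):
    """Return (name, realm) from an AF log line, or None if it is not one."""
    m = AF_RE.search(line)
    if not m:
        return None
    name, sep, realm = m.group(2).rpartition("@")
    return (name, realm) if sep and name and realm else None

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def machine_group_filter(line):
    """LDAP filter testing group membership of a machine principal, else None."""
    parsed = parse_principal(line)
    if parsed is None:
        return None
    name, realm = parsed
    # Machine accounts have a sAMAccountName ending in "$"; user accounts and
    # principals from any other realm are not turned into a lookup at all.
    if not name.endswith("$") or len(name) < 2 or realm != ALLOWED_REALM:
        return None
    return "(&(objectClass=computer)(sAMAccountName=%s)(memberOf=%s))" % (
        ldap_escape(name), ldap_escape(GROUP_DN))

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.split("AF ", 1)[1], "->", machine_group_filter(entry))
```

A non-empty search result for the returned filter would mean the computer account is a direct member of the group; nested groups are not covered by a plain `memberOf` match.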





