On Sun, Oct 3, 2010 at 19:46, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote: > Hi Manoj, > > > The only way I see this can work Âis to use my experimental local proxy to > support application which don't support Negotiate authentication. You can > find it here > http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/ > > c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog  (It will > run the client as a Servuce under the machine account.) > > It will start a local proxy listening on port 8080 and when connecting to > the proxy (on port 3128) it will add Negotiate with the machine ID. > > A squid log entry woul look like: > > 2010/10/03 14:35:45| squid_kerb_auth: Decode > 'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w==' > (decoded length: 1198). > 2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME > > The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a > user. ( WINXP$ is the samaccountname of the machine in AD) > > Regards > Markus > > "Manoj Rajkarnikar" <manoj.rajkarnikar@xxxxxxxxx> wrote in message > news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK@xxxxxxxxxxxxxxxxx > Does any of the authentication methods include the computer name in > the authentication tokens?? I can setup any auth method if any of it > supports it. I basically want to authenticate client computers by the > hostname as registered in the AD. > > Thanks everyone. > > On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar > <manoj.rajkarnikar@xxxxxxxxx> wrote: >> >> Hi Matus. >> >> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas >> <uhlar@xxxxxxxxxxx> wrote: >>> >>> On 15.09.10 12:59, Manoj Rajkarnikar wrote: >>>> >>>> Thanks for the quick response Marcus. >>>> >>>> The reason I need to limit computer account and not user account is >>>> that people here move out to distant branches and the internet access >>>> policy is to allow to the position they hold, and thus the computer >>>> they will use. >>> >>> I somehow don't understand this. Maybe it's my english. >>> Do you need to control access for the user+computer combination? >> >> I need to control access based on computer account as registered in >> the AD server. >> >>> >>>> I've successfully setup the kerberos authentication but I don't see >>>> how squid will fetch the computer information from client request and >>>> authorize it based on the group membership in AD. What I wish to >>>> accomplish is: >>>> >>>> 1. create a security group in AD >>>> 2. add computer accounts to this security group >>>> 3. squid checks if the computer trying to access internet is member of >>>> this security group. >>>> 4. if not, don't allow access to internet or request of AD user login >>>> that is allowed. >>> >>> This seems that you want to allow access from some computers to the net, >>> no >>> matter which user is logged in. Why not use ip-based or maybe >>> hardware_address-based authentication then? >> >> That is correct. >> We have dhcp all over our network so ip-based is a bad idea. >> For hardware_address-based auth, will have to maintain a very large >> list of hardware addresses.. not a good idea but considerable (if >> computer account based auth don't work).. >> >> Also to be noted that computer account based authentication would be >> more secure as only a handful of admins have domain administrator >> level access, so it will be hard to spoof. >> I still think Matus's idea of using IP based is the best and simplest approach. Even if you have DHCP enabled, you can always force a certain computer to a certain IP. Regards HASSAN
