Thanks Markus.. That sounds like a very useful tool for me.. I will get back to you once I've tested it.. Thanks a lot ..

Manoj

On Thu, Oct 7, 2010 at 1:23 AM, Nyamul Hassan <mnhassan@xxxxxxx> wrote:
> On Sun, Oct 3, 2010 at 19:46, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>> Hi Manoj,
>>
>> The only way I see this can work is to use my experimental local proxy to
>> support applications which don't support Negotiate authentication. You can
>> find it here
>> http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/
>>
>> c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog (It will
>> run the client as a Service under the machine account.)
>>
>> It will start a local proxy listening on port 8080 and when connecting to
>> the proxy (on port 3128) it will add Negotiate with the machine ID.
>>
>> A squid log entry would look like:
>>
>> 2010/10/03 14:35:45| squid_kerb_auth: Decode
>> 'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w=='
>> (decoded length: 1198).
>> 2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME
>>
>> The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a
>> user. (WINXP$ is the samaccountname of the machine in AD)
>>
>> Regards
>> Markus
>>
>> "Manoj Rajkarnikar" <manoj.rajkarnikar@xxxxxxxxx> wrote in message
>> news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK@xxxxxxxxxxxxxxxxx
>> Does any of the authentication methods include the computer name in
>> the authentication tokens?? I can set up any auth method if any of it
>> supports it. I basically want to authenticate client computers by the
>> hostname as registered in the AD.
>>
>> Thanks everyone.
>>
>> On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
>> <manoj.rajkarnikar@xxxxxxxxx> wrote:
>>>
>>> Hi Matus.
>>>
>>> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
>>> <uhlar@xxxxxxxxxxx> wrote:
>>>>
>>>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>>>>
>>>>> Thanks for the quick response Marcus.
>>>>>
>>>>> The reason I need to limit computer account and not user account is
>>>>> that people here move out to distant branches and the internet access
>>>>> policy is to allow to the position they hold, and thus the computer
>>>>> they will use.
>>>>
>>>> I somehow don't understand this. Maybe it's my English.
>>>> Do you need to control access for the user+computer combination?
>>>
>>> I need to control access based on computer account as registered in
>>> the AD server.
>>>
>>>>
>>>>> I've successfully set up the kerberos authentication but I don't see
>>>>> how squid will fetch the computer information from client request and
>>>>> authorize it based on the group membership in AD. What I wish to
>>>>> accomplish is:
>>>>>
>>>>> 1. create a security group in AD
>>>>> 2. add computer accounts to this security group
>>>>> 3. squid checks if the computer trying to access internet is member of
>>>>> this security group.
>>>>> 4. if not, don't allow access to internet or request of AD user login
>>>>> that is allowed.
>>>>
>>>> This seems that you want to allow access from some computers to the net,
>>>> no matter which user is logged in. Why not use ip-based or maybe
>>>> hardware_address-based authentication then?
>>>
>>> That is correct.
>>> We have dhcp all over our network so ip-based is a bad idea.
>>> For hardware_address-based auth, will have to maintain a very large
>>> list of hardware addresses.. not a good idea but considerable (if
>>> computer account based auth doesn't work)..
>>>
>>> Also to be noted that computer account based authentication would be
>>> more secure as only a handful of admins have domain administrator
>>> level access, so it will be hard to spoof.
>>>
>
> I still think Matus's idea of using IP based is the best and simplest
> approach. Even if you have DHCP enabled, you can always force a
> certain computer to a certain IP.
>
> Regards
> HASSAN
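As an added example that is not part of this thread, of Markus's squid_kerberizer tool, or of squid_kerb_ldap: the Python below shows the two pieces a squid admin would build around the log line Markus quotes. It parses the `squid_kerb_auth: AF ... principal` lines, tells a machine principal (samaccountname ending in `$`, like WINXP$@WIN2003R2.HOME) apart from a user principal, and applies the policy Manoj described in steps 3 and 4 (machine in the group gets access, otherwise fall back to an allowed user). The allow-lists are constructed stand-ins for the AD group lookup squid_kerb_ldap would perform, the sample log lines are constructed in the thread's format, and the helper loop assumes Squid's external_acl_type line protocol (one username per line in, `OK`/`ERR` per line out).

```python
import re
import sys

# Constructed sample squid_kerb_auth log lines in the format shown in the thread
# (not real captures). The Decode line has no principal and must be ignored.
SAMPLE_LOG = """\
2010/10/03 14:35:45| squid_kerb_auth: Decode 'YIIEqg...' (decoded length: 1198).
2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME
2010/10/03 14:36:01| squid_kerb_auth: AF AA== jdoe@WIN2003R2.HOME
"""

# "AF" lines carry the final (possibly empty, 'AA==') token and the authenticated principal.
AF_LINE = re.compile(r"squid_kerb_auth: AF (?P<token>\S+) (?P<principal>\S+@\S+)\s*$")


def parse_af_principals(log_text):
    """Return the authenticated principals from squid_kerb_auth 'AF' lines, in order."""
    principals = []
    for line in log_text.splitlines():
        match = AF_LINE.search(line)
        if match:
            principals.append(match.group("principal"))
    return principals


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); reject anything that is not that shape."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm or "@" in realm:
        raise ValueError("not a Kerberos principal: %r" % principal)
    return name, realm


def is_machine_account(principal):
    """AD machine accounts have a samaccountname ending in '$' (e.g. WINXP$)."""
    name, _realm = split_principal(principal)
    return name.endswith("$")


def normalize(principal):
    """AD account names are case-insensitive; compare everything upper-cased."""
    name, realm = split_principal(principal)
    return name.upper() + "@" + realm.upper()


# Hypothetical stand-ins for the AD security-group membership squid_kerb_ldap
# would look up. Both sets hold normalized principals.
ALLOWED_MACHINES = {"WINXP$@WIN2003R2.HOME"}
ALLOWED_USERS = {"JDOE@WIN2003R2.HOME"}


def decide(principal, allowed_machines=ALLOWED_MACHINES, allowed_users=ALLOWED_USERS):
    """Steps 3/4 from the thread: a machine principal passes only if it is in the
    machine group; any other machine is denied; a user principal is checked
    against the user allow-list instead. Malformed input is always ERR."""
    try:
        key = normalize(principal)
        machine = is_machine_account(principal)
    except ValueError:
        return "ERR"
    if machine:
        return "OK" if key in allowed_machines else "ERR"
    return "OK" if key in allowed_users else "ERR"


def helper_loop(stream_in, stream_out):
    """external_acl_type helper: one principal per input line, OK/ERR per output line.
    Returns the number of lines answered so callers can check it."""
    answered = 0
    for line in stream_in:
        stream_out.write(decide(line.strip()) + "\n")
        stream_out.flush()
        answered += 1
    return answered


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--helper":
        helper_loop(sys.stdin, sys.stdout)
    else:
        for p in parse_af_principals(SAMPLE_LOG):
            kind = "machine" if is_machine_account(p) else "user"
            print("%-28s %-8s %s" % (p, kind, decide(p)))
```

Run it without arguments to see the sample lines classified; with `--helper` it behaves like a minimal external ACL helper reading principals on stdin. The machine/user split relies on the trailing `$`, which is the only signal the log line offers; the real group check belongs in squid_kerb_ldap (or an LDAP query) rather than a static set.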