Keep getting "Access denied - authentication required"
Evaluating ClearOS v7 appliance in vmware 6.0 environment.
COS in Gateway mode with modules:
Content Filter Engine 2.3.0-1,
Web Access Control 2.1.6-1
Web Proxy Server 2.3.4-1
Active Directory Connector 2.2.1-1
against AD DCs on 2012R2 server
Joined AD perfectly fine.
Successfully imported Users and Groups.
Trying to follow the setup guide for Web Proxy as best I can. It doesn't seem to be AD oriented...
Added "test" app policy for the "is_dept" group with nothing in it.
Added Access Control List working hours allowed
Web Proxy Server configured for Non-Transparent mode with User Authentication + NTLM
Also tested the other Authentication methods, none work!
Under System->Accounts->Users (mike), there is a header "App Policies" with the value "Web Proxy User: Disabled".
Seems relevant, but I can't find a place to enable it.
I would like to be able to do 2 things: filter sites like Facebook and content like Porn. And have the user's browser automatically authenticate (without popup). Our current Squid was carefully configured to do this but it was a pain.
Responses (9)
-
Accepted Answer
Hi Mike, welcome to the forum. As a new user your first couple of posts need moderator approval so don't appear immediately. This unfortunately means many new users repeat their posts when they don't see them. I'm deleting your duplicate post just to tidy things up.
Can I ask if you've switched your browser to the proxy port 8080?
There are a couple of potentially useful links here and here.
Unfortunately, I don't use the proxy or AD so I can't advise much, but I am a little surprised that you cannot enable the User policy entry but (guessing) that may be to do with the NTLM setting.
Can I ask if, in the Windows Networking (Samba) config you enabled "Windows 10 Domain Logons"? This is key to getting NTLM to work in Win10.
Accepted Answer
Hi Nick,
Thanks for the dup cleanup help. The popup message that lets you know posts need moderator approval disappeared so quickly the first time, I didn't see it. I wonder if that could be set to stay on, it would be a big help with dups.
I didn't have Windows Networking Samba plugin installed, only Active Directory Connector. I added that, and it had Windows 10 Domain Logons enabled by default.
The Web Proxy User setting under App Policies of my user still shows disabled. My client test still gets denied / authentication required. I should add my client is Windows 7, Chrome 64.0.3282.186 32-bit.
Accepted Answer
Windows Networking (Samba) is needed for NTLM authentication. From your comment, it looks like you have now initialized it. Is that correct?
Is your browser configured to use the proxy on port 8080?
[edit]
Posts crossed.
I have little troubleshooting experience here. I'll have to give it a go sometime.
[/edit]
Accepted Answer
When I checked the Windows Networking Samba plugin, I see its status is Stopped. It will not stay Running for more than a second. Just poking through the available log files, I see something that looks important (but maybe not related to Samba):
squid/cache.log:
Winbindd lookupname failed to resolve AD+web_proxy_plugin into a SID!
GENSEC login failed: NT_STATUS_INVALID_PARAMETER
Accepted Answer
All I can do now is work my way through any docs. From the first link I gave you, have you checked the AD Connector? Also have you checked that your users are members of the web_proxy_plugin group?
Accepted Answer
Hi Nick,
Yes, I started with those docs when I first set the system up--I didn't see anything in them that helped in this scenario. BUT!!
I dug around in the weeds and in the /etc/squid/squid_auth.conf file:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD+web_proxy_plugin
it does seem to require membership in a group called web_proxy_plugin. I never saw this in the docs.
Just to tinker, I changed the group to one already in my AD and found it worked--with no authentication popup. Good news!
I changed it back, created a web_proxy_plugin group to AD, added myself and voila it still works. So I think I'm back in business here...
I guess the docs need to be updated, or did I just miss it?
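The two posts above contain everything needed to diagnose this failure mode: the squid_auth.conf helper line tells ntlm_auth to require membership of AD+web_proxy_plugin, and the cache.log line "lookupname failed to resolve AD+web_proxy_plugin into a SID" says winbind cannot find that group, so every NTLM login is rejected before membership is even checked. The script below is an added example (not ClearOS code and not from anyone in this thread) that ties the two together: it parses the --require-membership-of argument out of the helper line, classifies the quoted cache.log lines, reports any required group that the log says is unresolvable, and can ask winbind directly with `wbinfo -n` whether a group maps to a SID. The config text and log lines embedded in it are constructed copies of what the thread quotes; the `wbinfo` call assumes Samba's wbinfo is installed and winbind is joined to the domain, and is injectable so the logic runs without it.

```python
"""Check that the group ntlm_auth requires for squid actually resolves in winbind.

Added example; the config line and log lines below are constructed copies of
what the forum thread quotes, not files read from a ClearOS box.
"""
import re
import shlex
import subprocess

# Constructed copy of the helper line quoted from /etc/squid/squid_auth.conf.
SQUID_AUTH_CONF = (
    "auth_param ntlm program /usr/bin/ntlm_auth "
    "--helper-protocol=squid-2.5-ntlmssp "
    "--require-membership-of=AD+web_proxy_plugin\n"
)

# Constructed copy of the two squid/cache.log lines quoted in the thread.
CACHE_LOG = [
    "Winbindd lookupname failed to resolve AD+web_proxy_plugin into a SID!",
    "GENSEC login failed: NT_STATUS_INVALID_PARAMETER",
]

LOOKUP_FAIL = re.compile(r"lookupname failed to resolve (\S+) into a SID")
GENSEC_FAIL = re.compile(r"GENSEC login failed: (NT_STATUS_\w+)")


def required_groups(conf_text):
    """Return [(scheme, group)] for every 'auth_param <scheme> program' helper
    line that carries --require-membership-of=<group>."""
    found = []
    for line in conf_text.splitlines():
        parts = shlex.split(line)
        if len(parts) < 4 or parts[0] != "auth_param" or parts[2] != "program":
            continue
        for arg in parts[3:]:
            if arg.startswith("--require-membership-of="):
                found.append((parts[1], arg.split("=", 1)[1]))
    return found


def diagnose(cache_log_lines):
    """Classify cache.log lines into (kind, detail) findings."""
    findings = []
    for line in cache_log_lines:
        m = LOOKUP_FAIL.search(line)
        if m:
            # winbind could not map the name to a SID: the group does not
            # exist in AD (or the DOMAIN+name form does not match winbind's).
            findings.append(("group-unresolvable", m.group(1)))
            continue
        m = GENSEC_FAIL.search(line)
        if m:
            findings.append(("ntlm-login-failed", m.group(1)))
    return findings


def unresolvable_required_groups(conf_text, cache_log_lines):
    """Groups that squid_auth.conf requires and cache.log says winbind cannot resolve."""
    required = {group for _, group in required_groups(conf_text)}
    bad = [detail for kind, detail in diagnose(cache_log_lines)
           if kind == "group-unresolvable"]
    return [group for group in bad if group in required]


def _run(cmd):
    """Run a command and return (returncode, stdout); replaced in tests."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, ""
    return proc.returncode, proc.stdout


def group_sid(group, run=_run):
    """Map a winbind group name to its SID with 'wbinfo -n', the same lookup
    ntlm_auth performs for --require-membership-of. None means it fails."""
    rc, out = run(["wbinfo", "-n", group])
    if rc != 0 or not out.startswith("S-1-"):
        return None
    return out.split()[0]


if __name__ == "__main__":
    for scheme, group in required_groups(SQUID_AUTH_CONF):
        sid = group_sid(group)
        status = sid or "UNRESOLVED: create the group in AD or fix --require-membership-of"
        print(f"{scheme} helper requires {group}: {status}")
    for kind, detail in diagnose(CACHE_LOG):
        print(f"cache.log: {kind}: {detail}")
    for group in unresolvable_required_groups(SQUID_AUTH_CONF, CACHE_LOG):
        print(f"required group {group} is the one winbind cannot resolve")
```

Run on a real box, the script reads only the constructed strings unless you replace SQUID_AUTH_CONF and CACHE_LOG with the contents of /etc/squid/squid_auth.conf and /var/log/squid/cache.log; a `wbinfo -n` that returns a SID_DOM_GROUP entry for the required group is the state the thread reaches once the group exists in AD, and a non-zero exit is the state that produces the "failed to resolve ... into a SID" line.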
Accepted Answer
Ah, so I did overlook it in docs. Thanks for the heads-up.
I don't know whether the group existed in Cos before I made one in AD. I prefer to manage it in AD anyway. The only place I see web_proxy_plugin is under Web Proxy Server, Global Policy group name. View Members doesn't seem to sync visually, as I cleared the AD group out and the users showed up. But I embedded our department group in the AD group and my tester is still working after stopping and restarting. Light at the end of the tunnel...