<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New",serif;
color:#464646;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:#464646;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:#464646;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:459612849;
mso-list-type:hybrid;
mso-list-template-ids:1073793258 557760372 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:Arial;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New",serif;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New",serif;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New",serif;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='color:windowtext'>Hey David,<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>The general name of this concept is SSO service.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>It can have single or multiple backends.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>The main question is how to implement the solution in the optimal way possible.<br>(taking into account money, coding complexity and other humane parts)<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>You will need to authenticate the client against the main AUTH service.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>There is a definitive way or statistical way to implement this solution.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>With AD or Kerberos it’s possible to implement the solution in such a way that windows will<br>“transparently” authenticate to the proxy service.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>However you must understand that all of this requires an infrastructure that will provide every piece of the setup.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>If your setup doesn’t contains RDP like servers then it’s possible that you can authenticate a user with an IP compared<br>to pinning every connection to a specific user.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Also, the “cost” of non-transparent authentication is that the user will be required to enter (manually or automatically) <br>the username and the password.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>An HotSpot like setup is called “Captive Portal” and it’s a very simple setup to implement with active directory.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>It’s also possible to implement a transparent authentication for such a setup based on session tokens.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>You actually don’t need to create a “fake” helper for such a setup but you can create one that is based on Linux.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>It’s an “Advanced” topic but if you do ask me it’s possible that you can take this in steps.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>The first step would be to use a session helper that will authenticate the user and will identify the user<br>based on it’s IP address.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>If it’s a wireless setup you can use a radius based authentication ( can also be implemented on a wired setup).<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Once you will authenticate the client transparently or in another way you can limit the usage of the username to<br>a specific client and with that comes a guaranteed situation that a username will not be used from two sources.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>I don’t know about your experience but the usage of a captive portal is very common In such situations.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>The other option is to create an agent in the client side that will identify the user against the proxy/auth service<br>and it will create a situation which an authorization will be acquired based on some degree of authentication.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>In most SSO environments it’s possible that per request/domain/other there is a transparent validation.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>In all the above scenarios which requires authentication the right way to do it would be to use the proxy as<br>a configured proxy compared to transparent.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>I believe that one thing to consider is that once you authenticate against a RADIUS service you would just<br>minimize the user interaction.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>The main point from what I understand is to actually minimize the authentication steps of the client.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>My suggestion for you is to first try and asses the complexity of a session helper, raidus and captive portal.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>These are steps that you will need to do in order to asses the necessity of transparent SSO.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Also take your time to compare how a captive portal is configured in the next general products:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l0 level1 lfo1'>Palo Alto<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l0 level1 lfo1'>FortiGate<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l0 level1 lfo1'>Untangle<o:p></o:p></li><li class=MsoListParagraph style='color:windowtext;margin-left:0in;mso-list:l0 level1 lfo1'>Others<o:p></o:p></li></ul><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>From the documentation you would see the different ways and “grades” that they implement the solutions.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Once you know what the market offers and their equivalent costs you will probably understand what<br>you want and what you can afford to invest in the development process of each part of setup.<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>All The Bests,<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Eliezer<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:windowtext'>----<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Eliezer Croitoru<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>NgTech, Tech Support<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Mobile: +972-5-28704261<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Email: <a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='color:windowtext'>From:</span></b><span style='color:windowtext'> squid-users <squid-users-bounces@lists.squid-cache.org> <b>On Behalf Of </b>David Touzeau<br><b>Sent:</b> Friday, February 11, 2022 17:03<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> Re: [squid-users] Squid plugin sponsor<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Arial",sans-serif'>Hello<br><br>Thank you but this is not the objective and this is the reason for needing the "fake".<br>Access to Kerberos or NTLM ports of the AD, is not possible. An LDAP server would be present with accounts replication.<br>The idea is to do a silent authentication without joining the AD <br>We did not need the double user/password credential, only the user sent by the browser is required<br><br>If the user has an Active Directory session then his account is automatically sent without him having to take any action.<br>If the user is in a workgroup then the account sent will not be in the LDAP database and will be rejected.<br>I don't need to argue about the security value of this method. It saves us from setting up a gas factory to make a kind of HotSpot</span><o:p></o:p></p><div><p class=MsoNormal>Le 11/02/2022 à 05:55, Dieter Bloms a écrit :<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hello David,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>for me it looks like you want to use kerberos authentication.<o:p></o:p></pre><pre>With kerberos authentication the user don't have to authenticate against<o:p></o:p></pre><pre>the proxy. The authentication is done in the background.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Mayb this link will help:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On Thu, Feb 10, David Touzeau wrote:<o:p></o:p></pre><pre><o:p> </o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>What we are looking for is to retrieve a "user" token without having to ask<o:p></o:p></pre><pre>anything from the user.<o:p></o:p></pre><pre>That's why we're looking at Active Directory credentials.<o:p></o:p></pre><pre>Once the user account is retrieved, a helper would be in charge of checking<o:p></o:p></pre><pre>if the user exists in the LDAP database.<o:p></o:p></pre><pre>This is to avoid any connection to an Active Directory<o:p></o:p></pre><pre>Maybe this is impossible<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Le 10/02/2022 à 05:03, Amos Jeffries a écrit :<o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>On 10/02/22 01:43, David Touzeau wrote:<o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I would like to sponsor the improvement of ntlm_fake_auth to support<o:p></o:p></pre><pre>new protocols<o:p></o:p></pre></blockquote><pre><o:p> </o:p></pre><pre>ntlm_* helpers are specific to NTLM authentication. All LanManager (LM)<o:p></o:p></pre><pre>protocols should already be supported as well as currently possible.<o:p></o:p></pre><pre>NTLM is formally discontinued by MS and *very* inefficient.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>NP: NTLMv2 with encryption does not *work* because that encryption step<o:p></o:p></pre><pre>requires secret keys the proxy is not able to know.<o:p></o:p></pre><pre><o:p> </o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>or go further produce a new negotiate_kerberos_auth_fake<o:p></o:p></pre><pre><o:p> </o:p></pre></blockquote><pre><o:p> </o:p></pre><pre>With current Squid this helper only needs to produce an "OK" response<o:p></o:p></pre><pre>regardless of the input. The basic_auth_fake does that.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Amos<o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>squid-users mailing list<o:p></o:p></pre><pre><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><o:p></o:p></pre><pre><a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre></blockquote></blockquote><pre><o:p> </o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>_______________________________________________<o:p></o:p></pre><pre>squid-users mailing list<o:p></o:p></pre><pre><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><o:p></o:p></pre><pre><a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></pre></blockquote><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>