Author Topic: http-proxy SSO (single sign on) zentyal 3.0 - problem  (Read 22678 times)

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #75 on: July 09, 2013, 11:22:06 pm »
Please find the image file attached, as written before I tried both, ebb-s01.ebbinghaus.dyndns.org and Ebb-S01.ebbinghaus.dyndns.org. It does work without SSO - the browser asks me for user / password in this case. If I switch SSO on, I just get the Access Denied page generated by Zentyal proxy.

SORRY: Screenshot is just visible if logged in this ...

THX
Thorsten
« Last Edit: July 10, 2013, 12:00:03 pm by thorsten »

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #76 on: July 10, 2013, 01:19:20 pm »
Hello:

Perhaps you could try regenerating your squid keytab. You'll find several resources in the network on how to do this.

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #77 on: July 11, 2013, 10:01:52 am »
As I do not dare to do this - I give up.

halban

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #78 on: July 21, 2013, 05:15:25 am »
Hello guys.
I'm new in this world, in fact, I'm new in the open source world. I work in a healthcare center in Venezuela. We used to have a Fortinet device to do all the firewall, UTM jobs. Because of the bad economic situation in my country, the Fortinet license was too expensive and then we took the decision to migrate to a less expensive solution, so we chose Zentyal. We got there after getting to know a Linux expert who helped us to install a VoIP solution (Asterisk + Elastic). He heard about our firewall problem, and he proposed the Zentyal solution to us. When we started the installation process, everything was good, but we got this SSO problem. This problem affected us for 3 days; we were surfing the internet looking for a solution but we didn't find any.

Today, I'm glad to tell you that this problem was solved. Now I'm going to put the translation of the post that our Linux expert wrote in the Zentyal Spanish forum:

"Here's the solution that I found for this problem. It seems that it only happens with Windows Server 2008 R2. I hope that this solves somebody else's problem and that the Zentyal development team takes it for future versions. What I did was modify the /etc/krb5.conf file. The original Zentyal file is this:

[libdefaults]
    default_realm = [DOMAIN NAME]
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[kadmin]
    default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt

I modified it in this way:

[libdefaults]
    default_realm = [DOMAIN NAME]
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid3/HTTP.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    [DOMAIN NAME] = {
        kdc = [windows_dc_name.domain_name]
        kdc = [zentyal_server_name]
        admin_server = [windows_dc_name.domain_name]
        default_domain = [domain_name]
    }

[domain_realm]
    .example.local = [DOMAIN NAME]
    example.local = [DOMAIN NAME]

Hope this works for you."

If this works for you, please reply with it across all the forum posts related to this problem. Our Linux expert who helped us to install Zentyal and who found the solution to this problem is known as hgeorge123 in the Spanish Zentyal community; his name is George. The original Spanish post is this: http://forum.zentyal.org/index.php/topic,16813.0.html?PHPSESSID=enn40hnnuurksaf04066ma2ch7

Thanks.
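
An added example, not part of the post above or of Zentyal: a small Python check that parses krb5.conf text and reports how the KDC is located (DNS lookup versus an explicit [realms] entry, the change the post describes) and which listed enctypes are weak. The realm EXAMPLE.LOCAL and the host names are constructed placeholders.

```python
import re
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated for Kerberos.
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac-md5"}

def parse_krb5(text):
    """Return {section: {key: [values]}}; 'NAME = {' opens a nested dict."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def audit(text):
    """List findings on KDC discovery and weak enctypes in krb5.conf text."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [""])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    # Assumption: an unset dns_lookup_kdc counts as enabled (MIT krb5 default).
    dns = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "on", "1")
    findings = [] if kdcs else ["KDC via DNS SRV only" if dns else "no KDC configured"]
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, [""])[0].split() if e in WEAK]
        if weak:
            findings.append(key + " allows weak: " + " ".join(weak))
    return findings

# Constructed samples modelled on the two layouts quoted in the post.
ORIGINAL = """[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_kdc = true
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"""
MODIFIED = ORIGINAL.replace("dns_lookup_kdc = true", "dns_lookup_kdc = no") + """
[realms]
EXAMPLE.LOCAL = {
    kdc = dc1.example.local
    kdc = zentyal.example.local
}"""
print(audit(ORIGINAL), audit(MODIFIED), sep="\n")
```

Both layouts still list single-DES and RC4 enctypes, so the enctype finding appears for each; only the KDC discovery finding changes between them.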

jiAmnesiAc

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #79 on: July 29, 2013, 05:11:17 pm »
After what seemed like 100+ attempts to get SSO to work, I found the setup sequence that seems to work. I thought I would share. I have gotten this to work with both 3.0.22 and 3.1-1 Beta in an AD 2003 environment.
  • Install Zentyal
  • During setup/component selection install only the Network objects (configuration).
  • Configure network settings & start networking module - Interfaces, gateways, etc. Test to ensure you can reach the outside world (if you’re not using Zentyal as a gateway).
  • Update components & system - It worked without updating as well.
  • Install File Sharing & Domain Services including dependents.
  • Configure File Sharing & Start (including depends) - Ensure that users and groups sync. I let it sit for about an hour. I also checked my PDC (AD Sites & Services and System/Event logs) to make sure the replication settings were created and working properly.
  • At this point the Network, DNS, Events, Logs, NTP, Users and Groups and File Sharing modules were setup and running correctly.
  • Install the HTTP Proxy (Cache and Filter) – do not start it yet.
  • Setup a test filter with some Domains and URLs to allow/block and save. I’m using Zentyal to block all domains (for non-manager employees) except those on a whitelist so I added one safe URL to the list to test.
  • Assign that test filter to an AD group using Access Rules and save.
  • Configure the Proxy general settings to enable SSO (Kerberos) save and start the proxy module.
  • Sign on to a Windows client and configure IE to point to the new proxy using its hostname (e.g.  zenserv) – The Zentyal documentation states that SSO will not function if you point to the IP address. If the client was already started, reboot.
  • Test – you should be able to start IE and reach the site on the safe/white list and everything else should be blocked. If you see a logon prompt when IE starts it more than likely did not work.
Hope that helps someone. Good luck!

MaverickZA

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #80 on: September 19, 2013, 04:24:41 pm »
Hi,

Has anyone managed to find a solution to this? I am having the same issue as the others, "Cache access denied" when using SSO, disable SSO and it works fine. I am running a pure Samba4/Zentyal3 domain with Win7 and XP workstations.

I unfortunately cannot go through the process of reinstalling and following the steps as per the user above's suggestions as this is a live system.

Also, the solution mentioned by halban does not work either.

Any assistance would be appreciated.

BrettonWoods

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #81 on: September 25, 2013, 09:40:33 pm »
> Hi,
>
> Has anyone managed to find a solution to this? I am having the same issue as the others, "Cache access denied" when using SSO, disable SSO and it works fine. I am running a pure Samba4/Zentyal3 domain with Win7 and XP workstations.
>
> I unfortunately cannot go through the process of reinstalling and following the steps as per the user above's suggestions as this is a live system.
>
> Also, the solution mentioned by halban does not work either.
>
> Any assistance would be appreciated.

Did SSO work with 3 ?

valshare

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #82 on: September 11, 2014, 11:43:09 am »
Hello,

I have had a lot of trouble with proxy and SSO. I have installed Zentyal with the latest updates. I am on version 3.5.3. I have solved the problems to use SSO.

If I create users with the Microsoft tool "Active Directory Users and Computers" I never get the user working with SSO on the proxy.

So I created the user over the web interface of Zentyal but it didn't work with SSO, either.
Then, in the http-proxy settings, I disabled the SSO function, applied all changes and saved. Now wait until all modules are reconfigured. Then I enabled the SSO function, applied and saved the changes and waited again until all modules were reconfigured. Now SSO works for the user.

Can anyone confirm that is a bug?

Regards, Valle

valshare

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #83 on: September 18, 2014, 10:38:06 am »
> Can anyone confirm that is a bug?

no one??

dhalabi

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #84 on: September 23, 2014, 11:45:39 am »
Yes, I have saved the same problem but I don't know the cause and solution, did you fix it?

valshare

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #85 on: September 23, 2014, 12:00:39 pm »
> Yes, I have saved the same problem but I don't know the cause and solution, did you fix it?

Hi dhalabi,

Did you try the way in post #82? First create the user over the Zentyal GUI and then disable and enable the SSO option in the proxy.