Authenticating with Active Directory (Kerberos 5)


This topic contains 12 replies, has 0 voices, and was last updated by Robert 4 years, 2 months ago.

Viewing 14 posts - 1 through 14 (of 14 total)
    #40758

    Robert
    Member

    Hi

    Ripping my hair out here.

    Has anyone managed to get Zeroshell to authenticate with their Active Directory domain, that could give me some pointers. We have hundreds of users and I want them to be able to use their AD account to let them through the zeroshell portal.

    I have set up the trust between Zeroshell and the AD Domain, that seems to be fine.

    I’m not quite sure of the next bit – the Kerberos Principal – do I create a new account in AD that matches one from the Zeroshell Realm?

    Any help would be really appreciated.

    #45808

    imported_fulvio
    Participant

    The easiest way to get the Captive Portal to authenticate the users of a Microsoft Active Directory domain is to add the domain as an “External Kerberos 5 Realm”.
    In this manner, you do not have to add the shared Kerberos keys to establish the trust relationship.
    In any case, whether you configure an “External Kerberos 5 Realm” or a “Trusted Kerberos 5 Realm”, you don’t need to create the user principals in Zeroshell’s Kerberos KDC.

    Don’t forget that Zeroshell must be able to locate the Active Directory Kerberos 5 KDC. To make this possible, you just have to add, in the section [Kerberos 5]->[Realms], the Active Directory realm and the IP or FQDN hostname of at least one of the Active Directory domain controllers (any domain controller runs a Kerberos KDC). This step is not needed if the DNS is correctly configured and you have set the option “Use the DNS to discovery Realms and KDC servers not configured” to yes in the [Kerberos 5]->[Realms] section. In this case, Zeroshell uses the SRV service locator resource records, automatically configured in the Active Directory’s DNS, to get the KDC’s IP address.

    Best Regards
    Fulvio Ricciardi

    #45809

    Robert
    Member

    Thanks for your Help Fulvio

    I got it working. I was actually setting it up right with regards to Kerberos, but had a couple of network issues.

    Resolved now and working great.

    Thanks for this software !

    #45810

    zabulus
    Member

    Hi,
    How do I add an “External Kerberos 5 Realm” from the Zeroshell administration page? By default Zeroshell adds local authentication.
    Thanks in advance.
    zabulus

    #45811

    imported_fulvio
    Participant

    From the section [Captive Portal]->[Authentication], you should click on the button [+] in the Authorized Domains frame. In the form that appears, type the domain name and select the flag “External Kerberos 5 Realm”. Don’t forget to configure the realm in the section [Kerberos 5]->[Realms] or, if you prefer, enable the DNS discovery of the Kerberos V realms.

    Regards
    Fulvio

    #45812

    zabulus
    Member

    ok, “solved” the problem.

    Works perfectly thank you!

    #45813

    tcorley
    Member

    Not sure I have much to add here. I administer an AD2000 network and wanted to get the zeroshell to authenticate via Kerberos. I created slave zones of the forward and reverse parts of the AD DNS servers on the local DNS server, and then set the Kerberos domain. It works rather well, except that it gives everyone with an account on the AD access to the wireless LAN, something which at times I don’t want.

    If you have Active Directory, then each server is also a RADIUS server. With version beta6 you can create a proxy RADIUS server entry under Radius and then use it as a database against which to authenticate your users. The advantage in AD2000 is that you can restrict those with access to your wireless LAN by membership of a user group.

    My only problem is that users had been told to login using the username@example.com form of their username, which works fine with Kerberos, but not with RADIUS, which prefers username. I switched back to Kerberos because a lot of our users were not getting through using RADIUS. Just a matter of user education…

    I have to say that ZeroShell is a wonderful piece of software, that does what NoCat does in a far more effective way. Support for mac address bypass, and opening preauth ports for those wanting to use our proxy servers has made a major difference, and the takeup on our WLAN has been much better this year. It also supports No-Nat routing, which is quite important for network access, as well as auditing Internet usage.

    #45814

    imported_fulvio
    Participant

    My only problem is that users had been told to login using the username@example.com form of their username, which works fine with Kerberos, but not with radius, which prefers username. I switched back to Kerberos because a lot of our users were not getting thru using radius. Just a matter of user education…

    You can solve in this manner:

    1) When you add the proxy RADIUS domain you should disable the No Strip flag. In this mode the FreeRADIUS configured in Zeroshell automatically strips the @domain from the username and sends the request to the IAS of Active Directory.

    2) If you want the form of the username without @domain to work as well, you have to set your RADIUS domain as the Default domain (select it and press the [D] button).

    Regards
    Fulvio

    #45815

    asylum
    Member

    Hi fulvio,

    I’ve tried ZeroShell and played with it for almost 3 months now; my setup was 2 NICs, bridged, behind a router (my intention in using Zeroshell was just for wifi clients), and I’m new in this forum 🙂

    My question is: I want all clients to be authenticated through AD before they can use the internet, so I’ve read through this post and tried to follow it… but I couldn’t make it work; I was stuck at Kerberos 5 External.

    Could you give me any solution for this?…

    Also one more thing: how could I separate the wifi clients so they cannot access my local resources?

    Any help would be much appreciated.

    Thank you.

    #45816

    imported_fulvio
    Participant

    Every Microsoft Active Directory domain controller acts as a Kerberos 5 KDC for user and service authentication. Therefore you just have to:

    1) Configure Zeroshell to contact at least one domain controller for authentication by adding the Kerberos 5 realm (it’s the same as the AD domain) and the IP of the server in the section [Kerberos 5][Realms]

    2) In [Captive Portal][Authentication], add the AD domain as an [Authorized Domain] using an external Kerberos 5 KDC

    Notice that the first step is unnecessary if you use DNS KDC auto-discovery.
    This is also easy to set up because every domain controller is an authoritative DNS server for the AD domain. Hence you just have to add at least one domain controller as a DNS Forwarder of Zeroshell (section [DNS][Forwarders]). In the section [Kerberos 5][Realm], set “Use the DNS to discovery Realms and KDC servers not configured” to yes.

    Regards
    Fulvio Ricciardi
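    Both of Fulvio’s replies above rely on the KDC being discoverable through the SRV records Active Directory publishes in DNS. The following is an added example (not from this thread or from ZeroShell) showing the check an administrator can run before enabling DNS discovery: it queries `_kerberos._udp.<realm>` with `dig` and ranks the answers the way an SRV client does (lowest priority first, then highest weight). The realm `example.com`, the host names and the SRV values are constructed placeholders.

    ```shell
    #!/bin/sh
    # Added example, not part of the original thread: verify that the AD domain
    # publishes the Kerberos SRV records that KDC auto-discovery depends on.

    # Live query: prints "priority weight port host" lines for the realm given
    # as $1 (requires dig and network access to the AD DNS or a forwarder to it).
    query_kdc_srv() {
        dig +short SRV "_kerberos._udp.$1"
    }

    # Rank SRV answers read on stdin: lowest priority first, then highest weight;
    # emit "host:port" per line with the trailing DNS dot removed.
    rank_kdcs() {
        sort -k1,1n -k2,2nr | awk '{ host = $4; sub(/\.$/, "", host); print host ":" $3 }'
    }

    # Fail loudly when no records exist, which is the case where the KDC must be
    # entered by hand in [Kerberos 5]->[Realms] instead of relying on DNS discovery.
    check_kdc_discovery() {
        realm=$1
        records=$(query_kdc_srv "$realm")
        if [ -z "$records" ]; then
            echo "no _kerberos._udp.$realm SRV records found" >&2
            return 1
        fi
        printf '%s\n' "$records" | rank_kdcs
    }

    # Constructed sample of `dig +short SRV _kerberos._udp.example.com` output
    # for three hypothetical domain controllers (values made up for this example).
    SAMPLE_SRV='0 100 88 dc1.example.com.
    10 100 88 dc2.example.com.
    0 50 88 dc3.example.com.'

    # Offline demonstration using the constructed sample instead of a live query.
    kdcs_from_sample() {
        printf '%s\n' "$SAMPLE_SRV" | rank_kdcs
    }

    kdcs_from_sample
    ```

    Run `check_kdc_discovery example.com` against the real realm; an empty result means Zeroshell’s DNS forwarder is not reaching a domain controller, which matches the symptom described further down in the thread.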

    #45817

    asylum
    Member

    Hi Fulvio,

    Thanks for your response,
    I did try what you told me, but I don’t know why it is still not “talking” to AD. What I did:
    – Kerberos 5 -> Realms -> my domain realm (mydomain.com.au) + KDC my domain IP address.
    – Captive Portal -> Authentication -> Authorized Domain -> MyDomain.com.au

    Those settings don’t work, and I even tried to put the MyDomain.com.au IP address in DNS as a master zone and forwarder (not sure I did this section right).

    I did try to check using DNS Lookup and it does find the server.

    Thank you.

    #45818

    The two types of authentication are Mutual Authentication and NTLM. Mutual Authentication requires both the server and the client to identify themselves. NTLM only requires the client to be validated by the server.

    Mutual Authentication

    Mutual Authentication is a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection. Identity can be proved through a trusted third party and use shared secrets, as in Kerberos v5, or through cryptographic means, as with a public key infrastructure.

    NTLM

    NTLM authentication supports three methods of challenge/response authentication:

    LAN Manager (LM)
    This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 or later can connect in share level security mode to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.
    NTLM version 1
    This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 or later can connect to servers in a Windows NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.
    NTLM version 2
    This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 or later connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 or later connect to servers running Windows NT in an Active Directory domain.

    #45819

    jwonnacott
    Member

    I’m probably being a bit thick here but I already have my realm in the list of realms as I added it when creating the profile, however it has the KDC as local and I cannot alter this, neither can I remove the realm.

    #45820

    amirzargaran
    Member

    Dear Fulvio
    I set this feature up on my server and it works very nicely, but when the clients authenticate with the Kerberos 5 realm, the redirection to the target does not work.
    In the popup window I can see the user authenticated and connected, but the client has no connection to the network and internet.
    Is there any problem in the settings?
