Integrating Squid with Windows Kerberos Authentication
Setting up single sign-on Kerberos authentication between a Squid proxy and Windows clients (especially Windows 7 against Windows Server 2008) presents unique challenges. While NTLM authentication is possible, it requires manual registry edits on each client machine, a dealbreaker for enterprise environments.
Microsoft has recommended Kerberos as the primary authentication protocol since Windows 2000. It offers:
- True single sign-on capability
- Stronger security than NTLM
- No client-side configuration changes
# Required packages on Squid server (Debian/Ubuntu example; negotiate_kerberos_auth ships in the squid package):
sudo apt-get install squid krb5-user
# libkrb5-dev is only needed when building Squid from source; gss-ntlmssp is only needed for an NTLM fallback over GSSAPI
Here's the critical squid.conf configuration:
# -k: keytab holding the HTTP/ service key (readable by the squid runtime user only), -s: the exact SPN the clients will request
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/proxy.yourdomain.com@YOURDOMAIN.COM
auth_param negotiate children 5
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# deny everything not explicitly allowed above
http_access deny all
Create the service principal on your Windows Domain Controller (ktpass resets the password of the mapped account, so map it to an account created for Squid and never to the account of a real domain-joined computer):
ktpass -princ HTTP/proxy.yourdomain.com@YOURDOMAIN.COM -mapuser SQUIDPROXY$ -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out squid.keytab
For Windows clients to work properly:
- Ensure the proxy FQDN configured on the clients matches the SPN exactly (a proxy configured by IP address never produces a Kerberos ticket)
- Verify time synchronization between clients, the Squid server and the domain controllers (Kerberos rejects tickets with more than 5 minutes of clock skew by default)
- Check DNS resolution is working correctly, forward and reverse, for the proxy name
Use these commands to diagnose issues:
# Check keytab validity: list the principals and key version numbers it holds (add -e to show encryption types)
klist -k /etc/squid/squid.keytab
# Test authentication directly: the helper reads "YR <base64 SPNEGO token>" on stdin and answers TT (continue), AF (authenticated), NA (rejected) or BH (helper error); -d logs the GSSAPI details
/usr/lib/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/proxy.yourdomain.com@YOURDOMAIN.COM
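A small parser for the keytab format behind `klist -k`, added here as an example and not part of the original write-up or of Squid itself: it reads the MIT v2 keytab layout that ktpass produces, lists each entry without ever copying out key material, and flags the two things that most often break the proxy, the expected SPN being absent and a stale RC4 or DES entry sitting next to the AES256 one. The principal name and the sample entries are constructed for the demonstration.

```python
import struct
import time

# MIT keytab v2 layout (all integers big-endian), as written by ktpass and ktutil:
#   header 05 02, then per entry:
#   int32 size | uint16 num_components | realm (uint16 len + bytes) | components (uint16 len + bytes each)
#   | uint32 name_type | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key | [uint32 vno32]
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
}
AES_ENCTYPES = {17, 18}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: crackable offline if the key is ever leaked
KRB5_NT_PRINCIPAL = 1        # the name type that ktpass -ptype KRB5_NT_PRINCIPAL writes


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Writer used only to construct the sample below; entries are (principal, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return one dict per live entry; key bytes are skipped over, never copied out."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (expected header 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                              # deleted slot: |size| bytes of garbage
            pos += -size
            continue
        entry, p = blob[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        (rlen,) = struct.unpack_from(">H", entry, p); p += 2
        realm = entry[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, p); p += 2
            comps.append(entry[p:p + clen].decode()); p += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4 + klen
        kvno = vno8
        if p + 4 <= len(entry):                   # optional 32-bit vno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "name_type": name_type, "timestamp": timestamp})
    return entries


def check_keytab(blob: bytes, expected_principal: str):
    """The checks a practitioner does by eye on klist -k output: SPN present, AES key present, no weak keys."""
    entries = parse_keytab(blob)
    matching = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not matching:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"no entry for {expected_principal} (found: {found})")
    elif not any(e["enctype"] in AES_ENCTYPES for e in matching):
        problems.append("no AES key for the service principal; clients restricted to AES will fail")
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"weak enctype {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} present (kvno {e['kvno']})")
    return entries, problems


# Constructed sample: the AES256 entry ktpass should produce plus a stale RC4 entry from an earlier run.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.yourdomain.com@YOURDOMAIN.COM", 3, 18, b"\x11" * 32),
    ("HTTP/proxy.yourdomain.com@YOURDOMAIN.COM", 2, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    entries, problems = check_keytab(SAMPLE_KEYTAB, "HTTP/proxy.yourdomain.com@YOURDOMAIN.COM")
    for e in entries:
        print(f"kvno {e['kvno']:>3}  {e['principal']}  ({ENCTYPE_NAMES.get(e['enctype'], e['enctype'])})")
    for problem in problems:
        print("WARNING:", problem)
```

To check the real file, call `check_keytab(open('/etc/squid/squid.keytab', 'rb').read(), 'HTTP/proxy.yourdomain.com@YOURDOMAIN.COM')` as the squid runtime user, which tests the file permissions at the same time. A kvno in the keytab lower than the one the KDC now issues (after a second ktpass run or a password reset on the account) shows up in Squid's log as a key-version mismatch and means the keytab must be regenerated.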
For high-traffic environments, raise the helper pool; the startup= and idle= options keep spare helpers ready without forking all of them at once. Note that credentialsttl and idle_timeout are not negotiate options: credentialsttl applies only to basic authentication, and Negotiate credentials are bound to the client connection by keep_alive rather than cached by a time-to-live:
auth_param negotiate children 20 startup=5 idle=2
Special thanks to Markus Moeller from the Squid mailing lists for his invaluable assistance in making this work reliably.
While NTLM authentication has been the traditional choice for Windows environments, Microsoft has actively discouraged its use since Windows 2000. The key limitations include:
- Requires registry modifications on each client machine
- Cryptographic weaknesses in LM and NTLMv1 responses, and exposure to relay attacks in every NTLM version
- Lack of mutual authentication capability (the client cannot verify it is talking to the real proxy)
Before implementation, ensure you have:
- Active Directory Domain Controller (Windows 2008 recommended)
- Squid server (3.5 or later) with GSSAPI support
- Properly configured DNS (forward and reverse lookups)
- Service Principal Names (SPNs) configured
1. Active Directory Setup
Create a dedicated account for Squid in AD:
# PowerShell command (ActiveDirectory module); "P@ssw0rd" is a placeholder, use a long random value
New-ADUser -Name "SquidProxy" -SamAccountName "squidproxy" -UserPrincipalName "squidproxy@YOURDOMAIN.COM" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true
2. Configure SPN
Set Service Principal Names for the squid service:
setspn -A HTTP/proxy.yourdomain.com YOURDOMAIN\squidproxy
setspn -A HTTP/proxy.yourdomain.com:3128 YOURDOMAIN\squidproxy
# A duplicate SPN on another account silently breaks Kerberos for the proxy: on Server 2008 and later use setspn -S, which refuses to register a duplicate, and check with setspn -Q HTTP/proxy.yourdomain.com
3. Generate Keytab File
On a domain controller:
ktpass -princ HTTP/proxy.yourdomain.com@YOURDOMAIN.COM -mapuser YOURDOMAIN\squidproxy -crypto AES256-SHA1 -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out c:\temp\squidproxy.keytab
# -pass resets the account password to the given value; use -pass * to be prompted instead of leaving it in the shell history.
# The keytab contains the long-term service key: copy it to the Squid server over a secure channel (scp) and delete the local copy.
4. Squid Configuration
Edit squid.conf with these parameters:
# -k takes the keytab, -s the service principal (the two must not be swapped)
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/proxy.yourdomain.com@YOURDOMAIN.COM
auth_param negotiate children 5
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
For Windows clients, ensure:
- Client machines are domain-joined
- The proxy is configured by the FQDN that matches the SPN (an IP address or a short name makes IE fall back to NTLM)
- IE/LAN settings configured to automatically detect the proxy, or the proxy server address set in group policy
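When a client cannot obtain a ticket for the SPN (proxy configured by IP, SPN missing or duplicated), it still answers the 407 with a Negotiate header, but the SPNEGO token inside offers NTLMSSP instead of Kerberos and negotiate_kerberos_auth rejects it. The following example is added here and is not code from the original post or from Squid: it decodes the Proxy-Authorization value from a captured request (for instance from a tcpdump or Fiddler trace) and reports which mechanism the client actually chose. The header values it runs on are constructed, with a placeholder mechToken payload.

```python
import base64

# DER encodings of the OIDs that matter here (standard values, not assumptions)
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Windows lists this one first)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to construct the sample tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                     # long-form length
        nbytes = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + n], pos + n


def der_children(content: bytes):
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def classify_negotiate(header_value: str) -> dict:
    """Classify the credential in a 'Proxy-Authorization: <scheme> <token>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": f"{scheme} scheme (not Negotiate)", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw NTLM", "mechs": []}     # NTLM message with no GSS wrapper at all
    tag, body, _ = der_read(token)
    if tag != 0x60:                                  # [APPLICATION 0] InitialContextToken
        return {"kind": "not a GSS-API token", "mechs": []}
    oid_tag, oid, after_oid = der_read(body)
    if oid_tag != 0x06 or oid != SPNEGO_OID:
        return {"kind": "GSS token, non-SPNEGO mech " + oid.hex(), "mechs": []}
    _, neg_init, _ = der_read(body, after_oid)       # [0] NegTokenInit
    _, seq, _ = der_read(neg_init)                   # SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], ... }
    mech_oids = []
    for ctag, cval in der_children(seq):
        if ctag == 0xA0:                             # mechTypes: SEQUENCE OF OID, preferred mech first
            mech_oids = [v for t, v in der_children(der_read(cval)[1]) if t == 0x06]
    names = [MECH_NAMES.get(o, o.hex()) for o in mech_oids]
    if mech_oids and mech_oids[0] in KERBEROS_OIDS:
        kind = "SPNEGO/Kerberos"                     # what negotiate_kerberos_auth accepts
    elif mech_oids and mech_oids[0] == NTLMSSP_OID:
        kind = "SPNEGO/NTLM"                         # client had no ticket for the SPN and fell back
    else:
        kind = "SPNEGO/unknown"
    return {"kind": kind, "mechs": names}


def build_spnego(mech_oids) -> str:
    """Construct a base64 NegTokenInit offering the given mechs, with a placeholder mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    mech_token = der(0xA2, der(0x04, b"constructed-placeholder"))
    neg_init = der(0xA0, der(0x30, mech_types + mech_token))
    return base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + neg_init)).decode()


# Constructed header values, not captured traffic
SAMPLE_HEADERS = {
    "healthy client":     "Negotiate " + build_spnego([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]),
    "proxy set by IP":    "Negotiate " + build_spnego([NTLMSSP_OID]),
    "legacy NTLM client": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode(),
    "basic auth":         "Basic " + base64.b64encode(b"user:pass").decode(),
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        result = classify_negotiate(value)
        print(f"{label:20} {result['kind']:30} {result['mechs']}")
```

Only the first OID in mechTypes matters for the proxy: SPNEGO carries the mechToken of the preferred mechanism, so a list that starts with NTLMSSP means the client never tried Kerberos, and the fix is on the client side (FQDN in the proxy setting, SPN registered) rather than in squid.conf.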
If authentication fails:
# Check Squid logs (add -d to the negotiate_kerberos_auth line in squid.conf to log the GSSAPI error text)
tail -f /var/log/squid/cache.log
# Verify the keytab can obtain a ticket (the realm is taken from default_realm in /etc/krb5.conf)
kinit -k -t /etc/squid/squid.keytab HTTP/proxy.yourdomain.com
# Test SPN resolution (forward and reverse must both return the proxy's FQDN)
nslookup proxy.yourdomain.com
For optimal performance:
# Recommended settings for medium traffic
auth_param negotiate children 10 startup=3 idle=1
# negotiate_kerberos_auth is an authentication helper only and cannot be run through external_acl_type;
# group-based authorization uses Squid's separate ext_kerberos_ldap_group_acl helper instead