Kerberos authentication on mobile phones


Kerberos authentication on mobile phones

Panagiotis Bariamis
Hello,
Is it possible, with a Squid Kerberos-only authentication setup, to authenticate e.g. Android phones to Squid?
A second question. If a non-domain-joined machine tries to use the proxy, will there be a username/password prompt where, if correct credentials are presented, the user will be able to get a ticket to use Squid?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Kerberos authentication on mobile phones

Amos Jeffries
Administrator
On 08/05/18 10:22, Panagiotis Bariamis wrote:
> Hello,
> Is it possible with a squid kerberos only authentication  setup be able
> to authenticate ie android phones to squid?

I don't have an answer for that, maybe someone else has experience. If
you have the environment available you could try it yourself.


> A second question. If a non domain joined machine tries to use the proxy
> will there be a username password prompt where if correct credentials
> are presented he will be able to get a ticket to use squid?

Maybe, unlikely though IMO. Getting a ticket requires first joining the
domain. Some client software may provide a popup and then try to contact
a DC and join a domain.

But whether a) the specific client software does that, b) whether
info about the domain DC server is available in DNS records, and c)
whether the Kerberos realm "domain" matches the proxy DNS record domain
- all those affect the possibilities AFAIK.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Kerberos authentication on mobile phones

Panagiotis Bariamis


On Tue, May 8, 2018 at 9:03 AM, Amos Jeffries <[hidden email]> wrote:
> On 08/05/18 10:22, Panagiotis Bariamis wrote:
>> A second question. If a non domain joined machine tries to use the proxy
>> will there be a username password prompt where if correct credentials
>> are presented he will be able to get a ticket to use squid?
>
> Maybe, unlikely though IMO. Getting a ticket requires first joining the
> domain. Some client software may provide a popup and then try to contact
> a DC and join a domain.
>
> But whether a) the specific client software does that, and b) whether
> info about the domain DC server is available in DNS records, and c)
> whether the Kerberos realm "domain" matches the proxy DNS record domain
> - all those affect the possibilities AFAIK.

Given the fact that all DNS entries are OK across the domain and we use MIT Kerberos,
can a BYOD scenario be implemented? I mean, if the machine does not start a kinit session,
will the browser start such a session and get a ticket?

Thank you ,
Bariamis Panagiotis



Re: Kerberos authentication on mobile phones

Markus Moeller
In reply to this post by Amos Jeffries
You don't have to join a domain.  You only need a Kerberos authentication
server to get a ticket.

You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.

As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.

Markus

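The two answers above reduce the BYOD question to a few checkable conditions: Amos's points b) and c) (can the client find a KDC, and does the Kerberos realm the client derives for the proxy hostname match the realm the proxy's keytab is in) and Markus's point that a non-joined client only needs a KDC plus a Proxy-Negotiate-capable browser. The following is an added example written for this thread, not code from Squid, MIT Kerberos, or any poster. It re-implements, in simplified form, the [domain_realm] walk MIT krb5 uses to map a hostname to a realm, derives the HTTP/<fqdn>@REALM service principal the browser will request a ticket for, and compares it with the SPN the Squid negotiate helper is assumed to hold. The krb5.conf text, hostnames and realm names are all constructed; the omission of krb5's KDC-referral step before the uppercased-domain fallback is a deliberate simplification.

```python
"""Added example for this thread (not Squid or MIT Kerberos code): how a
non-domain-joined (BYOD) client decides which realm and KDC to use for a Squid
proxy and which SPN it asks the KDC for.  Simplified [domain_realm] walk:
exact hostname, then each parent domain prefixed with a dot, then the
uppercased DNS domain (real krb5 also tries KDC referrals first; omitted).
All hostnames, realms and the krb5.conf text are constructed."""

# Constructed krb5.conf as it would sit on a BYOD laptop or phone.  No AD join
# is involved: a reachable KDC and a realm mapping are enough to get a ticket.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true        # fall back to _kerberos._udp.<realm> SRV records

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    proxy.partner.net = EXAMPLE.COM    # explicit host mapping across DNS domains
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section], repeatable key = value,
    and one level of NAME = { ... } blocks as found under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].partition("=")[0].strip()
            conf[section][block] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf


def realm_for_host(host, conf):
    """Map a hostname to a realm; returns (realm, how it was decided)."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], "explicit host entry in [domain_realm]"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], f"[domain_realm] entry {parent}"
    if len(labels) > 1:
        # No mapping at all: the client ends up guessing the uppercased DNS domain.
        return ".".join(labels[1:]).upper(), "fallback: uppercased DNS domain"
    return conf["libdefaults"]["default_realm"][0], "fallback: default_realm"


def kdcs_for_realm(realm, conf):
    """KDCs the client will contact: configured ones, else the SRV name it would
    query when dns_lookup_kdc is on, else nothing (no ticket is obtainable)."""
    realms = conf.get("realms", {})
    if realm in realms and "kdc" in realms[realm]:
        return list(realms[realm]["kdc"])
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[0]
    return [f"SRV _kerberos._udp.{realm.lower()}"] if flag.lower() == "true" else []


def check_client_against_squid(proxy_host, squid_helper_spn, conf):
    """Compare the service ticket the browser will request for the proxy with the
    SPN the Squid negotiate helper is assumed to be configured with (hypothetical
    value supplied by the caller)."""
    realm, why = realm_for_host(proxy_host, conf)
    spn = f"HTTP/{proxy_host.lower().rstrip('.')}@{realm}"
    return {"client_spn": spn, "realm": realm, "realm_source": why,
            "kdcs": kdcs_for_realm(realm, conf),
            "spn_matches_squid": spn == squid_helper_spn}


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Proxy inside the mapped domain: realm and SPN line up, a ticket can be issued.
    print(check_client_against_squid("proxy.corp.example.com",
                                     "HTTP/proxy.corp.example.com@EXAMPLE.COM", conf))
    # Proxy in an unmapped domain: the client guesses OTHER.ORG and asks for
    # HTTP/proxy.other.org@OTHER.ORG, while Squid's keytab holds the EXAMPLE.COM
    # principal; Negotiate fails even though the user has valid credentials.
    print(check_client_against_squid("proxy.other.org",
                                     "HTTP/proxy.other.org@EXAMPLE.COM", conf))
```

On a real BYOD device the same check is: install a krb5.conf like the sample (or publish _kerberos TXT/SRV records so the client can discover realm and KDC), run kinit user@EXAMPLE.COM, then test the proxy with curl using --proxy-negotiate together with --proxy-user : so curl presents the ticket instead of a password; the SPN the client asks for must equal the principal Squid's negotiate helper is started with (negotiate_kerberos_auth -s HTTP/fqdn@REALM) and that principal must exist in the proxy's keytab.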