Howto: Squid + msnt_auth + Active Directory

I recently rebuilt our main proxy server at work and decided to get some sort of authentication mechanism installed. Squid 2.5 and later ship external authentication “helper” programs; one of them, msnt_auth, is far easier to get working against an Active Directory domain than ntlm_auth. CAVEAT: proxy authentication does not work with transparent (intercepting) proxying. It works very well, however, if you autoconfigure browsers or use Group Policy to point the machines on your network at the Squid box. The following steps are what I did to get it to work.

First, download the latest stable source from squid-cache.org, then untar/unzip the file to your build directory. Read the documentation on all the configure options you want to include in the build, but make sure you add the following:

./configure --enable-basic-auth-helpers=MSNT

Then run: make && make install && make clean

If all goes well, you can jump right into configuring your squid.conf file. Locate the auth_param section and set the following lines:

auth_param basic program /usr/local/libexec/squid/msnt_auth
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Keep in mind that Basic authentication sends the username and password base64-encoded, not encrypted, in every request from the browser to the proxy, so this is only appropriate where the client-to-proxy path is a trusted network. The credentialsttl value is how long Squid caches a successful result before asking the helper again; lower it if you want disabled domain accounts locked out of the proxy sooner.

You do not need an external_acl_type entry for this. That directive defines external ACL helpers, which are fed request attributes such as %LOGIN rather than the username/password pairs a basic auth helper expects; the proxy_auth ACL in the next step uses the helper declared under auth_param directly.

Now define the ACL under your acl section, using whatever name you chose (shown here as {acl name}):

acl {acl name} proxy_auth REQUIRED

And to finalize the squid.conf entries, add an http_access line that references the ACL:

http_access allow {acl name}

Ordering matters: http_access rules are evaluated top to bottom and the first match wins, so this allow must come before any broader allow (for example one covering your whole LAN), and the usual http_access deny all must stay at the end. In the stock squid.conf the right place is immediately after the line that reads:

http_access deny CONNECT !SSL_ports

If a broader allow precedes it, users are never prompted and the proxy serves them unauthenticated, while the cache appears to work normally.

Now save the squid.conf file and locate your msntauth.conf file. This file is fairly self-explanatory, but I will add the syntax here as well. Each line is server <primary DC> <backup DC> <domain>; with a single controller you list the same hostname twice, as below:

server mydc1 mydc1 mydomain.org

server mydc2 mydc2 mydomain.org

The Squid MSNT documentation describes the third field as the NT domain name, so if authentication fails with the DNS name, try the NetBIOS (pre-Windows 2000) domain name instead. The same file also accepts allowusers and denyusers lines naming a file with one username per line, which is an easy way to limit proxy access to a subset of domain users rather than everyone who can log in to the domain.

The last piece is to make sure the hostnames of your controllers resolve from the Squid box: either they already resolve via DNS, or add them with their IPs to your hosts file (/etc/hosts). Otherwise the helper won’t know where to send the authentication attempt.
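To pull the steps above together, here is an added example (not from the original post and not part of Squid) that writes the squid.conf and msntauth.conf pieces described above and checks the http_access ordering that decides whether authentication is actually enforced. The ACL name ntusers is an assumption; the helper path, the auth_param values and the controller names mydc1/mydc2 in mydomain.org are the ones used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Squid project.
# Assumed names: ACL "ntusers"; helper path, auth_param values and the
# DCs mydc1/mydc2 in mydomain.org are taken from the post.

# Print the auth-related squid.conf lines for the ACL named in $1.
squid_auth_fragment() {
    acl=${1:-ntusers}
    cat <<EOF
auth_param basic program /usr/local/libexec/squid/msnt_auth
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl $acl proxy_auth REQUIRED
http_access deny CONNECT !SSL_ports
http_access allow $acl
http_access deny all
EOF
}

# Print msntauth.conf: one "server <PDC> <BDC> <domain>" line per controller.
# A single controller is listed twice, as in the post.
msntauth_conf() {
    cat <<EOF
server mydc1 mydc1 mydomain.org
server mydc2 mydc2 mydomain.org
EOF
}

# check_http_access_order FILE ACL
# Succeeds only if the first "http_access allow" rule in FILE is the one for
# ACL and an "http_access deny all" rule exists. Rules are evaluated top to
# bottom, first match wins: a broader allow placed earlier (e.g. an allow for
# a whole subnet) lets clients through without ever being prompted.
check_http_access_order() {
    file=$1
    acl=$2
    first_allow=$(grep -E '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]' "$file" \
        | head -n 1 | awk '{print $3}')
    if [ "$first_allow" != "$acl" ]; then
        echo "first http_access allow is '$first_allow', not '$acl': auth can be bypassed" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)' "$file"; then
        echo "no 'http_access deny all' rule found" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: generate the fragment into a temp file and check it.
conf=$(mktemp)
squid_auth_fragment ntusers > "$conf"
if check_http_access_order "$conf" ntusers; then
    echo "http_access ordering OK in $conf"
fi
rm -f "$conf"
```

Run check_http_access_order against your real squid.conf after editing it. To test the helper on its own, outside Squid, feed it a username and password on one line (echo "user password" | /usr/local/libexec/squid/msnt_auth); Squid basic auth helpers answer OK or ERR on stdout, which tells you whether the controller lookup works before you involve a browser.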

That’s it. There are of course other things you will need to do to your squid.conf file, like setting the cache size, visible hostname, memory size, listening ports etc., but you can read the FAQ at squid-cache.org for what else needs to be configured before launching Squid for the first time.

Once you fire up Squid, point your browser at the port you set in squid.conf and test it. You should receive a popup window asking you to log in. Since the controllers and domain are already set in msntauth.conf, you only need to enter your username and password, the same ones you use to log in to the domain.

You can add Calamaris or use SARG to process and view your log files. All log entries will now carry the username instead of only the DNS name or IP address of the machine, so access reports map to people rather than to workstations.

Look for another blog entry to add DansGuardian on top of squid as a content filter for CIPA compliance…
