{% extends 'squid/auth/active_directory.html' %} {% block auth_ad_scheme_krb5 %}class="active"{%endblock%} {% block tab_content %}

Kerberos is the most secure authentication scheme in Active Directory. Kerberos authentication is done by running the authenticator as a specially configured user from your Active Directory, as explained in the documentation. Please read it carefully and understand what you are doing before enabling Kerberos authentication!

{% if form.non_field_errors %}
ERROR: {% for error in form.non_field_errors %} {{ error|escape }} {% endfor %}
{% endif %}
{% csrf_token %}
{{form.realm}}
{% if form.realm.errors %} {{form.realm.errors|striptags}} {% else %} Specify the Kerberos realm your proxy users belong to. This is typically the name of your domain written in UPPERCASE. For example, if your domain name is example.lan, then the Kerberos realm is EXAMPLE.LAN. Click the wizard button to try autodetection based on your DNS and DHCP settings. {%endif%}
{{form.krb5_spn}}
{% if form.krb5_spn.errors %} {{form.krb5_spn.errors|striptags}} {% else %} Specify the Service Principal Name (SPN) for this proxy. It is usually constructed automatically from the hostname of the proxy and the Kerberos realm. For example, HTTP/proxy.example.lan@EXAMPLE.LAN (case is important). Click the wizard button to try autodetection based on your DNS and DHCP settings. {%endif%}
{{form.keytab}} {% if form.keytab.errors %} {{form.keytab.errors|striptags}} {% else %} Specify the keytab file you have generated for the Service Principal Name (SPN) above. The keytab contains the entries required for Kerberos authentication and is the most vital component of the authentication scheme. See the documentation for how to generate it. {% if object.keytab_exists %}The currently uploaded keytab can be downloaded by clicking here.{%endif%} {%endif%}
{{form.krb5_helper_total}}
{% if form.krb5_helper_total.errors %} {{form.krb5_helper_total.errors|striptags}} {% else %} Total number of authentication helpers to run. It is recommended to set it equal to the approximate number of proxy users in your network. {%endif%}
{{form.krb5_helper_idle}}
{% if form.krb5_helper_idle.errors %} {{form.krb5_helper_idle.errors|striptags}} {% else %} Number of idle authentication helpers to run. It is recommended to make it equal to approximately 1/2 of the total number of users in your network. {%endif%}
{{form.krb5_helper_startup}}
{% if form.krb5_helper_startup.errors %} {{form.krb5_helper_startup.errors|striptags}} {% else %} Number of authentication helpers to run when Squid starts. It is recommended to make it equal to approximately 1/4 of the total number of users in your network. {%endif%}

Technical Info for Kerberos Authenticator

The contents of the currently uploaded /opt/websafety/etc/krb5.keytab and the automatically constructed /opt/websafety/etc/krb5.conf are shown below.

{{keytab}}
{{krb5conf}}

Active Directory authentication result (from running kinit) for the keytab and Kerberos configuration file above.

{{kinit_output}}

Active Directory KVNO keytab check result (looks up the msDS-KeyVersionNumber value in LDAP and compares it with the value stored in the keytab file).

{{kvno_output}}
{% endblock %}