
Resolved
0 votes
Keep getting "Access denied - authentication required"

Evaluating ClearOS v7 appliance in vmware 6.0 environment.
COS in Gateway mode with modules:
Content Filter Engine 2.3.0-1,
Web Access Control 2.1.6-1
Web Proxy Server 2.3.4-1
Active Directory Connector 2.2.1-1
against AD DCs on 2012R2 server
Joined AD perfectly fine.
Successfully imported Users and Groups.

Trying to follow the setup guide for Web Proxy as best I can. It doesn't seem to be AD oriented...
Added "test" app policy for the "is_dept" group with nothing in it.
Added Access Control List working hours allowed
Web Proxy Server configured for Non-Transparent mode with User Authentication + NTLM
Also tested the other Authentication methods, none work!

Under System->Accounts->Users (mike), there is a header "App Policies" with the value "Web Proxy User: Disabled".
Seems relevant, but I can't find a place to enable it.

I would like to be able to do 2 things: filter sites like Facebook and content like Porn. And have the user's browser automatically authenticate (without popup). Our current Squid was carefully configured to do this but it was a pain.
Thursday, March 01 2018, 09:59 PM
Responses (9)
  • Accepted Answer

    Friday, March 02 2018, 06:33 PM - #Permalink
    Resolved
    0 votes
    Ah, so I did overlook it in docs. Thanks for the heads-up.

    I don't know whether the group existed in Cos before I made one in AD. I prefer to manage it in AD anyway. The only place I see web_proxy_plugin is under Web Proxy Server, Global Policy group name. View Members doesn't seem to sync visually, as I cleared the AD group out and the users showed up. But I embedded our department group in the AD group and my tester is still working after stopping and restarting. Light at the end of the tunnel...
  • Accepted Answer

    Friday, March 02 2018, 05:31 PM - #Permalink
    Resolved
    0 votes
    The docs I linked you to suggest that the web_proxy_plugin group should pre-exist, but they do not say where. When you added the group, was that in ClearOS or AD? If it was in AD, do you know if it already existed in ClearOS?
  • Accepted Answer

    Friday, March 02 2018, 05:25 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Yes, I started with those docs when I first set the system up--I didn't see anything in them that helped in this scenario. BUT!!

    I dug around in the weeds and in the /etc/squid/squid_auth.conf file:
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD+web_proxy_plugin

    it does seem to require membership in a group called web_proxy_plugin. I never saw this in the docs.

    Just to tinker, I changed the group to one already in my AD and found it worked--with no authentication popup. Good news!

    I changed it back, created a web_proxy_plugin group in AD, added myself and voila it still works. So I think I'm back in business here...

    I guess the docs need to be updated, or did I just miss it?
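Added example, not part of the original thread or of ClearOS: a shell check for the failure diagnosed in the post above, which reads the group names that Squid's `ntlm_auth` helper requires and asks winbind whether each one resolves to a SID. The `WBINFO` override variable and the `sample_conf` data are assumptions made for this example; the sample is constructed around the `auth_param` line quoted in the post.

```shell
#!/bin/sh
# Resolver command; wbinfo is Samba's winbind query tool.
# WBINFO is an override hook added for this example only.
WBINFO=${WBINFO:-wbinfo}

# Constructed sample of /etc/squid/squid_auth.conf (not a real system's file).
sample_conf() {
    cat <<'EOF'
#auth_param ntlm program /usr/bin/ntlm_auth --require-membership-of=AD+old_group
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD+web_proxy_plugin
auth_param ntlm children 10
EOF
}

# Print every group named by --require-membership-of on an active
# auth_param line. Reads the given file, or stdin when no file is given.
required_groups() {
    sed -n 's/^[[:space:]]*auth_param[[:space:]].*--require-membership-of=\([^[:space:]]*\).*/\1/p' "$@" | sort -u
}

# 0 = winbind resolves the name to a SID, 2 = resolver not installed,
# anything else = lookup failed (the cache.log "failed to resolve" case).
group_resolves() {
    command -v "$WBINFO" >/dev/null 2>&1 || return 2
    "$WBINFO" --name-to-sid="$1" >/dev/null 2>&1
}

# Report each required group; return non-zero if any could not be confirmed.
check_conf() {
    rc=0
    for g in $(required_groups "$@"); do
        group_resolves "$g" && s=0 || s=$?
        case $s in
            0) echo "OK $g" ;;
            2) echo "SKIPPED $g ($WBINFO not installed)"; rc=2 ;;
            *) echo "MISSING $g (winbind cannot resolve it to a SID)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# With a file argument check that file; otherwise check the constructed sample.
if [ "$#" -gt 0 ]; then check_conf "$1"; else sample_conf | check_conf; fi || true
```

A `MISSING` result here corresponds to the "failed to resolve AD+web_proxy_plugin into a SID" line in squid/cache.log: the helper rejects every user until the named group exists in the directory winbind queries.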
  • Accepted Answer

    Friday, March 02 2018, 04:57 PM - #Permalink
    Resolved
    0 votes
    All I can do now is work my way through any docs. From the first link I gave you, have you checked the AD Connector? Also have you checked that your users are members of the web_proxy_plugin group?
  • Accepted Answer

    Friday, March 02 2018, 04:22 PM - #Permalink
    Resolved
    0 votes
    When I checked the Windows Networking Samba plugin, I see its status is Stopped. It will not stay Running for more than a second. Just poking through the available log files, I see something that looks important (but maybe not related to Samba):

    squid/cache.log:
    Winbindd lookupname failed to resolve AD+web_proxy_plugin into a SID!
    GENSEC login failed: NT_STATUS_INVALID_PARAMETER
  • Accepted Answer

    Friday, March 02 2018, 03:38 PM - #Permalink
    Resolved
    0 votes
    Windows Networking (Samba) is needed for NTLM authentication. From your comment, it looks like you have now initialized it. Is that correct?

    Is your browser configured to use the proxy on port 8080?

    [edit]
    Posts crossed.
    I have little troubleshooting experience here. I'll have to give it a go sometime.
    [/edit]
  • Accepted Answer

    Friday, March 02 2018, 03:23 PM - #Permalink
    Resolved
    0 votes
    I just noticed I missed a question. Yes, clients are pointed to the server on port 8080. They are getting "prettified" responses back from the server, so I know communications is working there. I'm checking out those links and will report any interesting results. Thanks #2.
  • Accepted Answer

    Friday, March 02 2018, 03:20 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Thanks for the dup cleanup help. The popup message that lets you know posts need moderator approval disappeared so quickly the first time, I didn't see it. I wonder if that could be set to stay on, it would be a big help with dups.

    I didn't have Windows Networking Samba plugin installed, only Active Directory Connector. I added that, and it had Windows 10 Domain Logons enabled by default.

    The Web Proxy User setting under App Policies of my user still shows disabled. My client test still gets denied / authentication required. I should add my client is Windows 7, Chrome 64.0.3282.186 32-bit
  • Accepted Answer

    Friday, March 02 2018, 08:48 AM - #Permalink
    Resolved
    0 votes
    Hi Mike, welcome to the forum. As a new user your first couple of posts need moderator approval so don't appear immediately. This unfortunately means many new users repeat their posts when they don't see them. I'm deleting your duplicate post just to tidy things up.

    Can I ask if you've switched your browser to the proxy port 8080?
    There are a couple of potentially useful links here and here.

    Unfortunately, I don't use the proxy or AD so I can't advise much, but I am a little surprised that you cannot enable the User policy entry but (guessing) that may be to do with the NTLM setting.

    Can I ask if, in the Windows Networking (Samba) config you enabled "Windows 10 Domain Logons"? This is key to getting NTLM to work in Win10.