ProxySG - Configuring IWA Kerberos and SSL Interception on a Debian host

Article ID: 171211

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

When it comes to Linux, the use cases are many.  If, for whatever reason, you need a Linux-based host to work cleanly with an ASG/ProxySG, with working IWA (Kerberos) authentication and transparent SSL interception, this article details how to accomplish it.

Environment

This article assumes you are working with the following environment:

  1.   A working host running a vanilla install of Debian 8 "Jessie", Debian 9 "Stretch", or Debian 10 "Buster".
  2.   A ProxySG (tested with an SG300)
  3.   A working AD environment already configured for Kerberos Authentication.
  4.   A ProxySG or ASG that is already configured as a Domain Member for IWA Direct.

 

Resolution

- - -  -  -  -  -   -   -    -    -     -     -

IMPORTANT:

  • This article is not an official Symantec document and is meant as a courtesy for anyone looking for details on how to configure a Linux-based host to accommodate SSL decryption and IWA Kerberos authentication with a ProxySG or ASG appliance.
  • This article is here for reference and minor guidance only.
  • Please know that anyone looking to accomplish the goals outlined in this article does so by their own devices.  Issues encountered when following these instructions are up to the reader to troubleshoot and resolve.  This does not endorse nor advertise Symantec support of Debian or any other Linux-based platform.
  • For any support concerning Linux, it is recommended you first consult the home page of the distribution you are attempting to configure.

 

- - -  -  -  -  -   -   -    -    -     -     -

INITIAL STEPS:

  • Boot the Debian host.  A non-root user account should have been configured during the install process; if not, one is needed now.  Once booted to the desktop, create a non-root user by opening a terminal (as root) and issuing:

adduser <username>  * follow the prompts to create a password for the new user. 

  • Now, make sure sudo is installed:

apt -y install sudo

  • If the output indicates 0 packages marked for install, then sudo is there and the account just needs to be added to the sudo group:

usermod -aG sudo <username>

  • Once this is complete, and if no errors are returned, log out of your session and log in as the new user.

 

- - -  -  -  -  -   -   -    -    -     -     -

UPDATE THE HOST:

  • When back at the desktop, open a new terminal and make sure the system is up to date:

sudo apt-get update

sudo apt-get upgrade && sudo apt-get dist-upgrade

  • When this completes (it could take some time) it is a good idea to reboot and make sure the updates/upgrades didn't break anything:

sudo reboot

  • Everything that has been done up to this point is pretty much standard Linux configuration for any new install.  Any existing Debian host will likely already have all prior steps squared away and can move on to the next section.

 

- - -  -  -  -  -   -   -    -    -     -     -

INSTALL PACKAGES FOR ACTIVE DIRECTORY INTEGRATION:

  • When logged into the system as the new user, make sure the network settings on the Debian host point at the AD DNS servers.  This is important: realm discovery, the domain join and Kerberos all locate the domain controllers through the domain's DNS SRV records.

 

  • Now, start installing the packages that will allow us to communicate/interact with Active Directory:

sudo apt -y install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf libsss-sudo

  • Enable sssd on startup:

sudo systemctl enable sssd

sudo systemctl start sssd

  • Note: you may receive an error when starting sssd for the first time.  This is expected for now and will be resolved when you join the domain.

 

  • At this point, the article will assume the reader maintains valid domain credentials, and that the proxy is integrated and already a member of the domain.  See TECH241641 for information on IWA Direct.
    • https://support.symantec.com/en_US/article.TECH241641.html

- - -  -  -  -  -   -   -    -    -     -     -

VERIFY DOMAIN VISIBILITY:

  • Now let’s make sure the Debian host can see the domain:

sudo realm discover <domain>  * replace <domain> with your ad domain.

 

  • You should see the domain returned with a few requirements and capabilities.  If this is the case then proceed.  If you are not seeing your domain returned, it means there is an error.  Ensure you are on a network with access to the Domain Controller and DNS servers.

- - -  -  -  -  -   -   -    -    -     -     -

JOIN THE DOMAIN:

  • Join the domain:

sudo realm join --user=<ad-username> <domain>  * replace <domain> with your AD domain, and <ad-username> with your Active Directory username.  EXAMPLE:

  • sudo realm join --user=john.doe johns.domain.com  * where john.doe@johns.domain.com would be your fully qualified user name and johns.domain.com your domain.

 

  • If this works, there should be no returned output.  If you receive an error, check your network configuration and ensure you can reach the DC and that your ad-account is valid.

 

  • Now start the sssd service:

sudo systemctl start sssd

 

- - -  -  -  -  -   -   -    -    -     -     -

VERIFY DOMAIN MEMBERSHIP:

  • If there are no errors up to now, then it is going great.  Check for domain credentials on the Debian host:

sudo getent passwd <ad-username>  * replace <ad-username> with your Active Directory user's fully qualified name, e.g. john.doe@johns.domain.com; the join leaves sssd requiring the domain suffix until the next section changes that.

  • If the returned output contains your active directory user, then it worked.

- - -  -  -  -  -   -   -    -    -     -     -

OPTIONALLY DISABLE FQDN REQUIREMENT:

Disabling the use of fully qualified names can make logging in easier; modify sssd.conf so your AD user name no longer needs the domain suffix:

su  * for this you need to be root

nano /etc/sssd/sssd.conf

  •     In the [domain/...] section, set use_fully_qualified_names = False (note the option name is plural).  sssd only reads this file at start-up, so restart it afterwards with: systemctl restart sssd

exit  * no need to be root
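The edit above can be done without opening an editor.  What follows is an added example, not part of the original article: it rewrites use_fully_qualified_names in place inside the [domain/...] section, keeps sssd.conf at mode 0600 (sssd refuses to start if the file is readable by others), and restarts sssd only when the file actually changed.  It assumes the section naming realmd writes, "[domain/<your domain>]"; the domain name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: flip use_fully_qualified_names
# in sssd.conf without hand-editing, keeping the file at the 0600 root-only mode
# sssd requires, and restart sssd only when the value actually changed.
# Assumption: the domain section is named "[domain/<your domain>]" as realmd writes it.

# set_sssd_option FILE KEY VALUE
# Replaces "KEY = ..." inside every [domain/...] section, or adds the key to a
# section that lacks it. Prints "changed" or "unchanged".
set_sssd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)" || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*" k "[ \t]*=" }          # matches an existing assignment of KEY
        function close_section() {
            if (in_dom && !seen) print k " = " v      # key was absent: add it
            in_dom = 0; seen = 0
        }
        /^\[/ {                                       # any section header
            close_section()
            in_dom = ($0 ~ /^\[domain\//)
            print; next
        }
        in_dom && $0 ~ re {                           # existing assignment inside a domain section
            if (!seen) print k " = " v                # keep one copy, drop duplicates
            seen = 1; next
        }
        { print }
        END { close_section() }' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    cat "$tmp" > "$file"      # write through the original inode: owner stays root
    rm -f "$tmp"
    chmod 600 "$file"         # sssd refuses to start if sssd.conf is group/world readable
    echo changed
}

# apply_fqn VALUE  -> set the option on the live config and restart sssd if needed
apply_fqn() {
    if [ "$(set_sssd_option /etc/sssd/sssd.conf use_fully_qualified_names "$1")" = changed ]; then
        systemctl restart sssd     # sssd only reads sssd.conf at start-up
    fi
}

# Usage (as root): sh sssd-fqn.sh apply False
case "${1:-}" in
    apply) apply_fqn "${2:-False}" ;;
esac
```

Running it a second time reports "unchanged" and leaves sssd alone, so it is safe to keep in a provisioning script.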

 

- - -  -  -  -  -   -   -    -    -     -     -

TIE UP LOOSE ENDS:

  • There are a couple more things to hit before logging in with an AD user for the first time.  These are extremely helpful and can save a lot of time managing permissions and account settings.

 

  • Configure Debian to automatically create a home directory for any domain user that is logging in for the first time:

echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session

  • Now make sure to grant domain administrators sudo privileges, automatically, when logging in for the first time:

echo "%domain\ [email protected] ALL=(ALL) ALL" | sudo tee -a /etc/sudoers.domain_admins   *replace example.com with your ad domain.

 

- - -  -  -  -  -   -   -    -    -     -     -

LOG-IN WITH YOUR DOMAIN USER:

  • At this point, it is safe to log out of the local user account and log in with an AD account.  This creates the home directory, and the sudoers entry above grants sudo rights (assuming the user is a member of Domain Admins in AD).

 

  • When the desktop loads, check that Kerberos is working by opening a terminal and issuing:

klist

  • If everything is working, you should see output that looks something like:

    Valid starting       Expires              Service principal
    03/12/2018 13:46:41  03/12/2018 23:46:41  krbtgt/example.com@example.com
            renew until 03/13/2018 13:46:38

  • If there is no output returned, then request a new ticket by issuing:

kinit

  • This will prompt for your AD password, and should provide a ticket.  Verify it's working by issuing klist again.
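The checks from the last three sections (domain membership, user resolution and the Kerberos ticket) can be scripted.  The following is an added example, not part of the original article and not an official tool: it verifies the domain's DNS SRV record, the realm join, the host keytab, user resolution through sssd and the cached ticket-granting ticket, and names the step to revisit when one fails.  The domain and user names are placeholders, and the parsing helpers read command output on stdin so the logic can be exercised away from a joined host.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks to run after
# the join and after the first AD login. The parsing helpers read command
# output from stdin so they can be exercised offline; run_checks wires them to
# the real commands on the Debian host. Domain and user names are placeholders.

# realm_is_member DOMAIN  (stdin: output of 'realm list')
# Succeeds only if DOMAIN's block reports "configured: kerberos-member".
realm_is_member() {
    awk -v d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[^ \t]/ { in_block = (tolower($1) == d); next }   # unindented line = domain header
        in_block && $1 == "configured:" && $2 == "kerberos-member" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# passwd_home  (stdin: a 'getent passwd' line)  -> prints the home directory field
passwd_home() {
    awk -F: 'NR == 1 { print $6 }'
}

# tgt_principal  (stdin: output of 'klist')  -> prints the krbtgt service
# principal, or nothing when no ticket-granting ticket is cached.
tgt_principal() {
    awk '$NF ~ /^krbtgt\// { print $NF; exit }'
}

# tgt_realm  (stdin: output of 'klist')  -> realm the TGT was issued for
tgt_realm() {
    tgt_principal | sed -n 's/.*@//p'
}

# run_checks DOMAIN AD_USER  -> exit status 0 when every check passes
run_checks() {
    domain="$1"; user="$2"; rc=0

    # 1. The domain's Kerberos SRV record must resolve from this host's DNS servers.
    #    'host' comes from the bind9-host package; the check is skipped if it is absent.
    if command -v host >/dev/null 2>&1; then
        if host -t SRV "_kerberos._tcp.$domain" >/dev/null 2>&1; then
            echo "ok   SRV _kerberos._tcp.$domain resolves"
        else
            echo "FAIL SRV _kerberos._tcp.$domain does not resolve (check /etc/resolv.conf)"; rc=1
        fi
    fi

    # 2. realmd must list the domain as joined.
    if realm list 2>/dev/null | realm_is_member "$domain"; then
        echo "ok   joined to $domain"
    else
        echo "FAIL $domain is not joined (realm join)"; rc=1
    fi

    # 3. The host keytab created by the join must exist (root-only file, so test -e).
    if [ -e /etc/krb5.keytab ]; then
        echo "ok   /etc/krb5.keytab present"
    else
        echo "FAIL /etc/krb5.keytab missing"; rc=1
    fi

    # 4. sssd must resolve the AD user through NSS.
    home="$(getent passwd "$user" | passwd_home)"
    if [ -n "$home" ]; then
        echo "ok   $user resolves via sssd (home $home)"
    else
        echo "FAIL $user does not resolve (is sssd running?)"; rc=1
    fi

    # 5. The logged-in user should hold a TGT; without one the browser gets a password prompt.
    realm="$(klist 2>/dev/null | tgt_realm)"
    if [ -n "$realm" ]; then
        echo "ok   TGT held for realm $realm"
    else
        echo "FAIL no TGT cached: run kinit"; rc=1
    fi
    return "$rc"
}

# Usage: sh ad-checks.sh check johns.domain.com john.doe@johns.domain.com
case "${1:-}" in
    check) run_checks "$2" "$3" ;;
esac
```

Run it as the AD user after logging in; the last check reads that user's own credential cache, which is why it is not run with sudo.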

 

- - -  -  -  -  -   -   -    -    -     -     -

CONFIGURE FIREFOX FOR KERBEROS AUTHENTICATION:

  • Open Firefox (Firefox ESR ships with Debian at the time of writing) and in the URL bar navigate to

about:config

  • Accept the risk and, when the page loads, type "negotiate" in the search field

 

  • Look for the following preference: "network.negotiate-auth.trusted-uris"

 

  • Set it to the host name in your proxy's virtual URL (the Virtual URL configured in the IWA realm on the appliance).  Firefox only offers Negotiate (Kerberos) credentials to hosts listed in this preference; to any other host it will not send them.

 

- - -  -  -  -  -   -   -    -    -     -     -

INSTALL JAVA FOR MANAGING YOUR APPLIANCE:

  • Unfortunately, Debian does not ship a version of Java that can handle the proxy's JNLP files out of the box.  Instead, purge the OpenJDK it comes with and install the Oracle Java package.  This is not available from the non-free repositories, so it is best to download the tarball from Oracle directly.

 

  • To start, remove all the preloaded java packages shipped with Debian:

sudo apt -y remove 'java*' && sudo apt remove 'openjdk*' && sudo apt remove 'icedtea*'  * the patterns are quoted so the shell does not expand them against files in the current directory.

sudo apt autoremove

sudo apt clean

  • Download the Java tarball (.tar.gz) from Oracle.  Be sure to choose the version applicable for your architecture, i.e. amd64 / x86.

  • Next, open a new terminal and issue:

cd ~/Downloads && sudo apt -y install java-package  * run the following as your regular user: make-jpkg refuses to run as root.

  • When that finishes, issue:

make-jpkg <downloaded-java-file>.tar.gz  * replace with the name of the tarball you downloaded from Oracle.

  • When this completes, you will be left with the original tar.gz file, as well as a new .deb file.  Now issue:

sudo dpkg -i <java .deb package>  * as above, replace with the .deb file produced by the previous command.

  • This installs Java and takes a minute or two to complete.  When it is finished, issue the following command to ensure you are running the version you just installed:

sudo update-alternatives --config java  * verify the output reflects the version of Java you just installed.

  • At this point Java should be working.

 

- - -  -  -  -  -   -   -    -    -     -     -

ENABLE SSL INTERCEPTION IN FIREFOX:

  • Wrapping up, the only other task is to configure browser settings to match your proxy configuration.  For SSL decryption, results can be unstable when trusting the proxy's issuer certificate in the system root store as a CA, especially when trying to deploy an explicit proxy system-wide.  Because of this, I recommend Firefox, since it uses its own certificate store and proxy configuration: import the proxy's SSL-interception issuer certificate into Firefox's own Authorities store and it will accept the emulated server certificates.  This makes testing a lot easier.
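Both Firefox settings on this page, the trusted Negotiate host and the interception issuer certificate, can be deployed for every profile on the host through a Firefox enterprise policy file instead of per-profile clicks.  The following is an added example, not part of the original article: "Authentication.SPNEGO" is the policy form of network.negotiate-auth.trusted-uris, and "Certificates.Install" imports the issuer certificate into Firefox's own store, leaving the system root store untouched.  It assumes Debian's firefox-esr reads /etc/firefox-esr/policies/policies.json (other builds read <install dir>/distribution/policies.json), that openssl is installed, and that the proxy host name and certificate path are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original article: build a Firefox enterprise
# policies.json that lists the proxy's virtual URL host as a trusted SPNEGO
# target and imports the ProxySG's SSL-interception issuer certificate into
# Firefox's own store, so no system-wide trust change is needed.
# Assumptions: Debian's firefox-esr reads /etc/firefox-esr/policies/policies.json
# (other builds use <install dir>/distribution/policies.json); the proxy host
# name and certificate path are placeholders; openssl is installed.

# firefox_policies SPNEGO_HOST CA_PEM  -> prints the policies.json document
firefox_policies() {
    cat <<EOF
{
  "policies": {
    "Authentication": {
      "SPNEGO": ["$1"]
    },
    "Certificates": {
      "Install": ["$2"]
    }
  }
}
EOF
}

# cert_sha256 PEM  -> SHA-256 fingerprint of the certificate, to compare with the
# issuer certificate shown on the appliance before trusting it.
cert_sha256() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# install_policies SPNEGO_HOST CA_PEM [DEST]
# Refuses to write a policy that points at a file which is not a PEM certificate,
# prints the fingerprint for a manual comparison, then writes DEST (default: the
# Debian firefox-esr policy path) readable by all users and writable by root only.
install_policies() {
    host="$1"; ca="$2"; dest="${3:-/etc/firefox-esr/policies/policies.json}"
    if ! openssl x509 -noout -in "$ca" 2>/dev/null; then
        echo "$ca is not a PEM certificate" >&2
        return 1
    fi
    echo "importing issuer with SHA-256 fingerprint $(cert_sha256 "$ca")"
    mkdir -p "$(dirname "$dest")"
    firefox_policies "$host" "$ca" > "$dest"
    chmod 0644 "$dest"
    echo "$dest"
}

# Usage (as root):
#   sh firefox-policies.sh install proxy.johns.domain.com /usr/local/share/ca-certificates/proxysg-issuer.crt
case "${1:-}" in
    install) install_policies "$2" "$3" "$4" ;;
esac
```

The fingerprint printed by the script is the value to compare against the issuer certificate on the appliance; only a certificate you exported from your own ProxySG should ever go into this file, since whatever it names can issue certificates Firefox will accept for any site.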


- - -  -  -  -  -   -   -    -    -     -     -

TIPS:

If you are ever prompted for basic authentication in your browser instead of Kerberos being used, usually because your Kerberos ticket has expired, simply open a new console and issue kinit followed by your password.  Close and re-open the browser and authentication should be working again.

If you encounter rendering problems running on Nvidia proprietary drivers with the java JNLP file or web applet, I recommend upgrading to Debian 10 "Buster" as it seems the issues were resolved from Debian 8/9 & Java 8.  This may not apply to everyone, or anyone, but it worked for me.

If you are running KDE with SDDM as your display manager, I noticed that I had to install an alternate SDDM theme in order to get the "Other User" option to show up when logging out.  Initially it was preventing me from logging in with any user other than my local account.  It is easy enough to just issue:

    sudo apt-get install 'sddm-*'

This will add a whopping ~6 themes to your settings.  Using Breeze seems to be fine.  Test and choose for yourself, if this is needed.