Integrating a Kerberos-authenticating proxy into an Android Enterprise deployment is a practical way to extend corporate network controls to mobile devices. In this guide we walk through the setup, which involves a Proxy Auto-Configuration (PAC) file and the Kerberos network authentication protocol. In this example we use the Squid proxy, but the same pattern applies to other commonly used solutions such as ProxySG, Zscaler, FortiGate or Cisco WSA.
The Role of Proxy Servers in Large Enterprises
Proxy servers play a pivotal role in the network architecture of big companies due to several key reasons:
- Enhanced Security: They act as an intermediary between user devices and the internet, providing a crucial security layer that shields internal networks from direct exposure to external threats.
- Centralized Control and Auditability: Proxies enable centralized management of internet access, allowing for comprehensive monitoring and logging of web traffic, which is essential for compliance and security auditing.
- Content Filtering and Compliance: Large organizations use proxies to enforce internet usage policies by blocking access to non-compliant websites, thereby maintaining organizational standards and compliance.
- Efficient Network Performance: By caching frequently accessed content, proxies reduce bandwidth usage and improve access speed, which is vital for large-scale operations.
Why Kerberos Authentication is Essential
Incorporating Kerberos into the proxy setup aligns with the security and efficiency needs of large enterprises:
- Robust Security Mechanism: Kerberos provides strong mutual authentication based on symmetric-key cryptography and short-lived tickets issued by a Key Distribution Center (KDC), so the user's password is never sent to the proxy.
- Seamless User Experience with SSO: Kerberos facilitates Single Sign-On (SSO), allowing users to authenticate once and access multiple services without repeated logins, enhancing user experience in large network environments.
- Minimized Credential Exposure: The proxy only ever sees a service ticket for its own service principal, never the user's password, and users are not prompted to type credentials into the browser, which lowers the risk of credential theft, a significant concern in large organizations.
- Interoperability and Scalability: Kerberos is widely supported and can be scaled to accommodate the growing needs of big companies, making it an ideal choice for enterprise-level deployment.
Setting Up a PAC Proxy with Kerberos for Android Enterprise: A Step-by-Step Guide
Prerequisites
- Docker and Docker Compose installed on your server
- Administrative access to your domain for Kerberos configuration
- An MDM for managing Android devices
You can download and check out all the relevant files from the GitHub repository at https://github.com/hypergate-com/kerberos-proxy.
Configuration Steps
Start by cloning this repository to your local machine or server where you plan to run the Docker containers.
git clone https://github.com/hypergate-com/kerberos-proxy.git
Now we will need to adjust several configuration files, including krb5.conf, squid.conf, and the PAC file (config.pac).
krb5.conf
The krb5.conf file specifies the realm, the KDC and the permitted encryption types for Kerberos. Adjust the realm and server addresses to match your environment so that authentication requests are routed to your domain controllers. Note that rc4-hmac is listed only because the keytab generated below uses RC4-HMAC; RC4 is a deprecated Kerberos cipher, so once you generate an AES keytab remove it from all three enctype lines:
[libdefaults]
    default_realm = YOURREALM.COM
    dns_lookup_kdc = no
    dns_lookup_realm = no
    # rc4-hmac only for compatibility with an RC4 keytab; prefer AES-only
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
    YOURREALM.COM = {
        kdc = your-domaincontroller.com
        admin_server = your-domaincontroller.com
    }

[domain_realm]
    .yourdomain.com = YOURREALM.COM
    yourdomain.com = YOURREALM.COM
squid.conf
In the squid.conf file, we configure the Squid proxy to use Kerberos for authentication, specifying the Negotiate helper and an access control list (ACL) for authenticated users. The -s option names the service principal the helper accepts; it must match the keytab and the proxy hostname that clients use (the special value GSS_C_NO_NAME accepts any principal found in the keytab instead). The ACL only takes effect once it is referenced by http_access rules, so the rule set must allow authenticated users and deny everything else. A basic example is:
...
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/[email protected] -k /etc/squid/squid.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
...
docker-compose.yml
Adjust the docker-compose.yml file to your needs. The keytab mounted into the container is equivalent to the service account's password: keep it out of version control and readable only by the user running Docker:
version: '3'
services:
squid:
image: ubuntu/squid:latest # fix a version for production
volumes:
      - ./krb5.conf:/etc/krb5.conf:ro
      - ./squid.conf:/etc/squid/squid.conf:ro
      - ./squid.keytab:/etc/squid/squid.keytab:ro   # long-term key material, mount read-only
- squid_cache:/var/spool/squid
ports:
- "3128:3128"
pac-host:
image: httpd:alpine
volumes:
- ./pac:/usr/local/apache2/htdocs
ports:
- "8080:80" # adjust it to your need (usually behind a webserver)
volumes:
squid_cache:
squid.keytab
A keytab file stores the long-term keys of one or more Kerberos service principals. It lets a service validate the Kerberos tickets presented by clients without an interactive password, which is what allows the proxy to authenticate users automatically. Because it holds key material equivalent to the service account's password, treat it as a secret: restrict its file permissions and never commit it to the repository. To generate squid.keytab for the proxy, run the following command in PowerShell on a domain controller or a domain-joined Windows Server with the AD DS RSAT tools (which provide ktpass). The principal must be HTTP/<proxy FQDN as used by clients>@<REALM>, and the mapped account is the AD service account that will hold that SPN; replace the placeholders accordingly:
ktpass -out squid.keytab -princ HTTP/[email protected] -mapuser [email protected] -crypto RC4-HMAC -pass yourpassword -ptype KRB5_NT_PRINCIPAL
Two caveats: ktpass -pass resets the password of the mapped account (use -pass * to be prompted instead of leaving the password in your shell history), and any later password change on that account invalidates the keytab. RC4-HMAC is shown here for compatibility, but it is a deprecated cipher; prefer -crypto AES256-SHA1, which requires the "This account supports Kerberos AES 256 bit encryption" option on the service account and already matches the aes256-cts-hmac-sha1-96 entries in krb5.conf.
config.pac
function FindProxyForURL(url, host) {
  // Route anything whose URL contains "yourdomain.com/" through the proxy.
  // This matches on the full URL string, so it also matches lookalike hosts
  // such as evil-yourdomain.com and http URLs that merely carry
  // "yourdomain.com/" in their query; dnsDomainIs(host, ".yourdomain.com")
  // would be stricter. Chrome passes https URLs without path and query.
  if (shExpMatch(url, "*yourdomain.com/*")) {
    return "PROXY proxy.yourdomain.com:3128";
  }
  // Everything else bypasses the proxy entirely.
  return "DIRECT";
}
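Before pushing a PAC file to devices through the MDM it is worth checking what it actually decides. The harness below is an added example, not code from the page or from the hypergate/kerberos-proxy repository. It implements the two PAC helpers used here, shExpMatch and dnsDomainIs, the way browsers do, then evaluates the FindProxyForURL body from above alongside a host-based variant over constructed sample URLs. It also mimics one browser behaviour that matters for URL-based patterns: Chrome strips the path and query from https URLs before calling FindProxyForURL, so only scheme and host are visible to the script. The sample URLs, the host-based variant and the helper names urlAsSeenByPac, evaluatePac and comparePacs are constructed for this example.

```javascript
// Added example, not code from the page or the hypergate/kerberos-proxy
// repository: an offline harness for unit-testing a PAC file.

// shExpMatch: shell-style glob match ("*" and "?"), as in the PAC helpers.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// dnsDomainIs: true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

const PROXY = "PROXY proxy.yourdomain.com:3128";

// The FindProxyForURL body from the page: a wildcard over the full URL.
function pacFromPage(url, host) {
  if (shExpMatch(url, "*yourdomain.com/*")) {
    return PROXY;
  }
  return "DIRECT";
}

// Host-based variant (constructed for this example): keys on the parsed
// hostname, so query strings and lookalike hosts cannot influence it.
function pacByHost(url, host) {
  if (host === "yourdomain.com" || dnsDomainIs(host, ".yourdomain.com")) {
    return PROXY;
  }
  return "DIRECT";
}

// Chrome strips path and query from https URLs before calling
// FindProxyForURL; mimic that so the harness sees what the browser sees.
function urlAsSeenByPac(u) {
  const parsed = new URL(u);
  return parsed.protocol === "https:" ? parsed.origin + "/" : u;
}

// Evaluate one FindProxyForURL implementation over a list of URLs the way a
// browser would: host is the hostname parsed from the URL.
function evaluatePac(findProxy, urls) {
  const results = {};
  for (const u of urls) {
    const seen = urlAsSeenByPac(u);
    results[u] = findProxy(seen, new URL(seen).hostname);
  }
  return results;
}

// Constructed sample URLs (not captures from a real deployment).
const SAMPLE_URLS = [
  "http://intranet.yourdomain.com/",                // in scope
  "https://yourdomain.com/login",                   // apex domain over https
  "http://evil-yourdomain.com/phish",               // lookalike host
  "http://attacker.example/?next=yourdomain.com/x", // suffix only in the query
  "https://www.example.org/",                       // unrelated
];

// Side-by-side comparison of the two PAC bodies.
function comparePacs(urls = SAMPLE_URLS) {
  const a = evaluatePac(pacFromPage, urls);
  const b = evaluatePac(pacByHost, urls);
  return urls.map((u) => ({ url: u, fromPage: a[u], byHost: b[u] }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(comparePacs());
}
```

Run it with node before publishing a PAC change: the wildcard body sends the lookalike host and the attacker URL with "yourdomain.com/" in its query through the proxy, while the host-based variant routes only real yourdomain.com hosts. Whichever policy you intend, the harness makes the decision table explicit.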
Running the proxy
With all configuration files in place, start the containers with Docker Compose:
docker-compose up -d
Configure Google Chrome via MDM
Configure your Android devices in your MDM (Intune in this example) to use the PAC file for their proxy settings. This means distributing the PAC file URL (http://proxy.yourdomain.com/config.pac in this example, i.e. wherever the pac-host container is published) to the devices. Keep in mind that a PAC file fetched over plain HTTP is unauthenticated: anyone who can tamper with that response can reroute the device's traffic through a proxy of their choosing, so serve it over HTTPS or only from a network the devices reach over a trusted path.
Adjust the managed configuration for Google Chrome to the following:
Key | Description | Value |
---|---|---|
ProxySettings | Proxy settings (PAC mode and PAC URL) | { "ProxyMode":"pac_script", "ProxyPacUrl":"http://proxy.yourdomain.com/config.pac" } |
AuthServerAllowlist | Servers Chrome may send Negotiate credentials to | *.yourdomain.com |
AuthAndroidNegotiateAccountType | Android account type of the authenticator app that holds the Kerberos ticket (here Hypergate) | ch.papers.hypergate |
AuthSchemes | Supported authentication schemes | negotiate |
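With AuthSchemes restricted to negotiate, a quick way to confirm that a device really offers Kerberos to the proxy (rather than NTLM or nothing) is to look at the Proxy-Authorization header it sends, for instance from a packet capture or debug log on the proxy. The inspector below is an added example, not code from the page or from the Hypergate project. It decodes the SPNEGO NegTokenInit far enough to list the mechanism OIDs the client offers, and recognises a raw NTLMSSP message sent under the Negotiate scheme. The sample token is constructed for this example and trimmed to its mechTypes list (a real one also carries the Kerberos AP-REQ); the function names and the "raw-ntlmssp" marker are likewise assumptions of this example.

```javascript
// Added example, not code from the page or the Hypergate project: inspect
// the mechanisms a client offers in a "Proxy-Authorization: Negotiate" header.

const SPNEGO_OID = "1.3.6.1.5.5.2";
const MECH_NAMES = {
  "1.2.840.113554.1.2.2": "Kerberos V5",
  "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
  "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
  "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
};
const KERBEROS_OIDS = ["1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"];

// Read one DER TLV starting at offset; returns the tag and the value bounds.
function readTlv(buf, offset) {
  if (offset + 2 > buf.length) throw new Error("truncated DER element");
  const tag = buf[offset];
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {                    // long-form length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  if (pos + len > buf.length) throw new Error("truncated DER element");
  return { tag, start: pos, end: pos + len };
}

// Decode the value bytes of a DER OBJECT IDENTIFIER into dotted form.
function decodeOid(buf, start, end) {
  const arcs = [Math.floor(buf[start] / 40), buf[start] % 40];
  let acc = 0;
  for (let i = start + 1; i < end; i++) {
    acc = (acc << 7) | (buf[i] & 0x7f);
    if ((buf[i] & 0x80) === 0) { arcs.push(acc); acc = 0; }
  }
  return arcs.join(".");
}

// Return the mechanism OIDs listed in a NegTokenInit, in the order offered.
// The first entry is the one the client optimistically chose; NTLMSSP in
// first place usually means it could not obtain a Kerberos ticket for the SPN.
function negotiateMechs(headerValue) {
  const m = /^Negotiate\s+([A-Za-z0-9+/=]+)$/.exec(headerValue.trim());
  if (!m) throw new Error("not a Negotiate header");
  const tok = Buffer.from(m[1], "base64");
  // Some clients send a bare NTLM message under the Negotiate scheme.
  if (tok.subarray(0, 8).equals(Buffer.from("NTLMSSP\0", "latin1"))) {
    return ["raw-ntlmssp"];
  }
  const outer = readTlv(tok, 0);                       // [APPLICATION 0]
  if (outer.tag !== 0x60) throw new Error("not a GSS-API initial token");
  const oid = readTlv(tok, outer.start);
  if (oid.tag !== 0x06 || decodeOid(tok, oid.start, oid.end) !== SPNEGO_OID) {
    throw new Error("not an SPNEGO token");
  }
  const choice = readTlv(tok, oid.end);
  if (choice.tag !== 0xa0) return [];                  // NegTokenResp: no offer list
  const init = readTlv(tok, choice.start);             // NegTokenInit SEQUENCE
  for (let pos = init.start; pos < init.end; ) {
    const field = readTlv(tok, pos);
    if (field.tag === 0xa0) {                          // [0] mechTypes
      const list = readTlv(tok, field.start);          // SEQUENCE OF OID
      const mechs = [];
      for (let p = list.start; p < list.end; ) {
        const o = readTlv(tok, p);
        mechs.push(decodeOid(tok, o.start, o.end));
        p = o.end;
      }
      return mechs;
    }
    pos = field.end;
  }
  return [];
}

// True when either Kerberos OID appears in the offer list.
function offersKerberos(headerValue) {
  return negotiateMechs(headerValue).some((o) => KERBEROS_OIDS.includes(o));
}

// Human-readable rendering of an OID list for log output.
function describeMechs(oids) {
  return oids.map((o) => (MECH_NAMES[o] ? `${o} (${MECH_NAMES[o]})` : o));
}

// Constructed sample (not a capture): NegTokenInit trimmed to its mechTypes,
// offering MS-KRB5, KRB5 and NTLMSSP in that order.
const SAMPLE_TOKEN_HEX =
  "6032" +                              // [APPLICATION 0] InitialContextToken
  "06062b0601050502" +                  // OID 1.3.6.1.5.5.2 (SPNEGO)
  "a028" + "3026" +                     // [0] NegTokenInit SEQUENCE
  "a024" + "3022" +                     // [0] mechTypes SEQUENCE OF
  "06092a864882f712010202" +            // 1.2.840.48018.1.2.2 (MS KRB5)
  "06092a864886f712010202" +            // 1.2.840.113554.1.2.2 (KRB5)
  "060a2b06010401823702020a";           // 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
const SAMPLE_HEADER =
  "Negotiate " + Buffer.from(SAMPLE_TOKEN_HEX, "hex").toString("base64");

if (typeof require !== "undefined" && require.main === module) {
  console.log(describeMechs(negotiateMechs(SAMPLE_HEADER)));
}
```

Feed it the header value from a real request: a list that starts with one of the Kerberos OIDs confirms the device obtained a ticket for the proxy SPN, an NTLMSSP-first list or the raw-ntlmssp marker points at a missing or mismatched SPN, and a parse error usually means the client never sent Negotiate at all.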
Conclusion
The integration of proxy servers with Kerberos authentication is a standard and strategic approach in large companies, aligning with the need for heightened security, efficient network management, and streamlined user access. This setup not only fortifies the network against external threats but also ensures a user-friendly environment conducive to large-scale corporate operations. Specifically, the inclusion of Kerberos for Android devices represents a significant advancement in mobile device management. This approach extends robust, enterprise-level security to our increasingly mobile workforce, ensuring that both Android and desktop users benefit from secure, seamless access. This harmonization of security protocols across devices underscores a commitment to comprehensive network security and a unified user experience, essential in today’s interconnected corporate landscape.