Kerberos PAC Proxy for Android Enterprise

Integrating a Kerberos-authenticating proxy for Android Enterprise is an important part of securing corporate network access. In this guide, we explain the setup, which involves a Proxy Auto-Configuration (PAC) file and the Kerberos network authentication protocol. The setup is aimed at large organizations seeking to strengthen network security and management. In this example we use Squid as the proxy; other commonly used solutions include ProxySG, Zscaler, FortiGate and Cisco WSA.

The Role of Proxy Servers in Large Enterprises

Proxy servers play a pivotal role in the network architecture of big companies due to several key reasons:

  • Enhanced Security: They act as an intermediary between user devices and the internet, providing a crucial security layer that shields internal networks from direct exposure to external threats.
  • Centralized Control and Auditability: Proxies enable centralized management of internet access, allowing for comprehensive monitoring and logging of web traffic, which is essential for compliance and security auditing.
  • Content Filtering and Compliance: Large organizations use proxies to enforce internet usage policies by blocking access to non-compliant websites, thereby maintaining organizational standards and compliance.
  • Efficient Network Performance: By caching frequently accessed content, proxies reduce bandwidth usage and improve access speed, which is vital for large-scale operations.

Why Kerberos Authentication is Essential

Incorporating Kerberos into the proxy setup aligns with the security and efficiency needs of large enterprises:

  • Robust Security Mechanism: Kerberos is renowned for its strong authentication capabilities, using advanced cryptography to safeguard against unauthorized access and cyber threats.
  • Seamless User Experience with SSO: Kerberos facilitates Single Sign-On (SSO), allowing users to authenticate once and access multiple services without repeated logins, enhancing user experience in large network environments.
  • Minimized Credential Exposure: By reducing the frequency of credential input, Kerberos lowers the risk of credential theft, a significant concern in large organizations.
  • Interoperability and Scalability: Kerberos is widely supported and can be scaled to accommodate the growing needs of big companies, making it an ideal choice for enterprise-level deployment.

Setting Up a PAC Proxy with Kerberos for Android Enterprise: A Step-by-Step Guide

Prerequisites

  • Docker and Docker Compose installed on your server
  • Administrative access to your domain for Kerberos configuration
  • An MDM for managing Android devices

You can download and check out all the relevant files from the GitHub repository at https://github.com/hypergate-com/kerberos-proxy.

Configuration Steps

Start by cloning this repository to your local machine or server where you plan to run the Docker containers.

git clone https://github.com/hypergate-com/kerberos-proxy.git

Now we will need to adjust several configuration files including krb5.conf, squid.conf, and the PAC file (config.pac).

krb5.conf

The krb5.conf file specifies the realm and KDC details for Kerberos and sets the encryption types used for authentication. Adjust the realm name and server addresses to match your environment. This ensures that authentication requests are routed to the right KDC and protected with the expected ciphers, in line with your domain settings:

[libdefaults]
default_realm = YOURREALM.COM
dns_lookup_kdc = no
dns_lookup_realm = no
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
YOURREALM.COM = {
kdc = your-domaincontroller.com
admin_server = your-domaincontroller.com
}

[domain_realm]
.yourdomain.com = YOURREALM.COM
yourdomain.com = YOURREALM.COM

squid.conf

In the squid.conf file, we configure the Squid proxy to use Kerberos for authentication, specifying the program for negotiation and access control lists (ACLs) for authenticated users. A basic example is:

...
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/[email protected] -k /etc/squid/squid.keytab -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on 
acl authenticated proxy_auth REQUIRED
...

docker-compose.yml

Adjust the docker-compose.yml file accordingly to your needs:

version: '3'

services:
  squid:
    image: ubuntu/squid:latest # pin a specific version for production
    volumes:
      - ./krb5.conf:/etc/krb5.conf 
      - ./squid.conf:/etc/squid/squid.conf 
      - ./squid.keytab:/etc/squid/squid.keytab 
      - squid_cache:/var/spool/squid
    ports:
      - "3128:3128"

  pac-host:
    image: httpd:alpine
    volumes:
      - ./pac:/usr/local/apache2/htdocs
    ports:
      - "8080:80" # adjust to your needs (usually placed behind a web server)
volumes:
  squid_cache:

squid.keytab

A keytab is a file that stores the long-term secret keys of one or more Kerberos principals together with their identities. It lets a service authenticate to the Kerberos KDC without an interactive password, enabling secure and automated connections; because it holds key material, the file must be protected by strict filesystem permissions. To generate squid.keytab for the proxy's service principal, run the following ktpass command in PowerShell on your Windows Server:

ktpass -out squid.keytab -princ HTTP/[email protected] -mapuser [email protected] -crypto RC4-HMAC -pass yourpassword -ptype KRB5_NT_PRINCIPAL

config.pac

A PAC (Proxy Auto-Configuration) file is a script used by browsers to automatically determine the appropriate proxy server for a given URL. The script, written in JavaScript, defines the function FindProxyForURL(url, host), which lets the browser choose the most suitable proxy based on the site being accessed or the network conditions. Below is a very basic example that sends everything under *.yourdomain.com through the proxy:

function FindProxyForURL(url, host) {
  // Match on the host name (the domain itself and any subdomain), not on the
  // URL string: a "yourdomain.com/" fragment in a path, or a longer host name
  // such as notyourdomain.com, must not be routed through the proxy.
  if (host == "yourdomain.com" || shExpMatch(host, "*.yourdomain.com")) {
    return "PROXY proxy.yourdomain.com:3128";
  }
  return "DIRECT";
}
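The following is an added example, not code from the original post or from the kerberos-proxy repository. It shows a slightly fuller PAC script for the same scenario (corporate hosts via the Kerberos proxy, everything else direct) and, since browsers normally supply the PAC helper functions, includes small shims for shExpMatch, dnsDomainIs and isPlainHostName so the routing logic can be exercised offline. A URL-string match of the kind often seen in PAC files, shExpMatch(url, "*yourdomain.com/*"), is kept as findProxyByUrlPattern purely for comparison: it also matches a longer host name such as notyourdomain.com and any URL whose path contains "yourdomain.com/", so unrelated traffic would be sent to the proxy. The host names and the proxy address are placeholders taken from the page.

```javascript
// Added example: PAC routing logic with local shims for the PAC runtime
// helpers. Browsers provide the real shExpMatch/dnsDomainIs/isPlainHostName;
// the shims below cover only what this script uses and exist for testing.

// Shell-style glob match: '*' matches any run of characters, '?' one character.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                 // glob '*'  -> regex '.*'
    .replace(/\?/g, ".");                 // glob '?'  -> regex '.'
  return new RegExp("^" + escaped + "$").test(str);
}

// True when host ends with domain (domain conventionally starts with a dot).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// True for unqualified names such as "wiki" or "localhost".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Placeholder proxy address, as used on the page.
const PROXY = "PROXY proxy.yourdomain.com:3128";

// URL-string matching, included only to show the over-match: the '*' before
// "yourdomain.com/" also swallows "http://not" and "http://attacker.example/".
function findProxyByUrlPattern(url, host) {
  return shExpMatch(url, "*yourdomain.com/*") ? PROXY : "DIRECT";
}

// Host-based routing: only yourdomain.com and its subdomains use the proxy.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Unqualified intranet names never need the proxy.
  if (isPlainHostName(h)) {
    return "DIRECT";
  }
  if (h === "yourdomain.com" || dnsDomainIs(h, ".yourdomain.com")) {
    return PROXY;
  }
  return "DIRECT";
}
```

To try the script against real lookups, the shims are simply dropped and the remaining functions are served as config.pac; FindProxyForURL is the only entry point the browser calls.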

Running the proxy

With all configuration files in place, start the containers with Docker Compose:

docker-compose up -d

Configure Google Chrome via MDM

Configure your Android devices in Intune to use the PAC file for their proxy settings. This involves distributing the PAC file URL (http://proxy.yourserver/config.pac) to the devices.

Adjust the managed configuration for Google Chrome to the following:

Key: ProxySettings
Description: Proxy settings
Value:
{
  "ProxyMode": "pac_script",
  "ProxyPacUrl": "http://proxy.yourcompany/config.pac"
}

Key: AuthServerAllowlist
Description: Authentication server allowlist
Value: *.yourcompany.com

Key: AuthAndroidNegotiateAccountType
Description: Account type for HTTP Negotiate authentication
Value: ch.papers.hypergate

Key: AuthSchemes
Description: Supported authentication schemes
Value: negotiate

Conclusion

The integration of proxy servers with Kerberos authentication is a standard and strategic approach in large companies, aligning with the need for heightened security, efficient network management, and streamlined user access. This setup not only fortifies the network against external threats but also ensures a user-friendly environment conducive to large-scale corporate operations. Specifically, the inclusion of Kerberos for Android devices represents a significant advancement in mobile device management. This approach extends robust, enterprise-level security to our increasingly mobile workforce, ensuring that both Android and desktop users benefit from secure, seamless access. This harmonization of security protocols across devices underscores a commitment to comprehensive network security and a unified user experience, essential in today’s interconnected corporate landscape.
