From cad2df28cce732248d9ea8a33f374307dcce6c9c Mon Sep 17 00:00:00 2001 
From: evbevz Date: Mon, 25 Sep 2017 12:49:49 +0400 Subject: [PATCH] www/web-proxy-sso: Smart-Soft Proxy SSO plugin (#266) (cherry picked from commit e2a42db535c2c5ea8682fe1ea1875428976c117f) (cherry picked from commit 74166077c946e087451051749a96804aa6613074) (cherry picked from commit 94df25e89c321a300bb2dce491cddc4a6fe377aa) (cherry picked from commit c75320efc2b384f1b15587b35e585c8ac71c6513) (cherry picked from commit 2d603f3171c2488b38a119b38b4755d675f92c06) (cherry picked from commit 14e1595f4a6df107510c7122beed386e6c4c7782) --- LICENSE | 2 +- README.md | 2 +- www/web-proxy-sso/+POST_DEINSTALL.post | 4 + www/web-proxy-sso/Makefile | 10 +- .../src/etc/inc/plugins.inc.d/proxy_sso.inc | 15 + .../ProxySSO/Api/ServiceController.php | 262 ++++++++++++++++++ .../ProxySSO/Api/SettingsController.php} | 17 +- .../OPNsense/ProxySSO/IndexController.php | 16 ++ .../OPNsense/ProxySSO/forms/checklist.xml | 69 +++++ .../OPNsense/ProxySSO/forms/general.xml | 14 + .../ProxySSO/forms/testing_create.xml | 18 ++ .../OPNsense/ProxySSO/forms/testing_test.xml | 12 + .../SSOProxyAD/Api/ServiceController.php | 105 ------- .../SSOProxyAD/Api/SettingsController.php | 52 ---- .../OPNsense/SSOProxyAD/IndexController.php | 39 --- .../OPNsense/SSOProxyAD/forms/general.xml | 33 --- .../app/library/OPNsense/Auth/SSOProxyAD.php | 73 ----- .../models/OPNsense/ProxySSO/Menu/Menu.xml | 7 + .../app/models/OPNsense/ProxySSO/ProxySSO.php | 9 + .../app/models/OPNsense/ProxySSO/ProxySSO.xml | 20 ++ .../models/OPNsense/SSOProxyAD/ACL/ACL.xml | 9 - .../models/OPNsense/SSOProxyAD/Menu/Menu.xml | 7 - .../models/OPNsense/SSOProxyAD/SSOProxyAD.xml | 43 --- .../app/views/OPNsense/ProxySSO/index.volt | 170 ++++++++++++ .../app/views/OPNsense/SSOProxyAD/index.volt | 82 ------ .../OPNsense/ProxySSO/kerberos_test.sh | 27 ++ .../OPNsense/ProxySSO/squid-gen-keytab.sh | 41 +++ .../OPNsense/SSOProxyAD/joinDomain.php | 90 ------ .../OPNsense/SSOProxyAD/testConnection.py | 42 --- 
.../OPNsense/SSOProxyAD/updateDomain.php | 71 ----- .../conf/actions.d/actions_proxysso.conf | 23 ++ .../conf/actions.d/actions_ssoproxyad.conf | 17 -- .../OPNsense/Proxy/squid.user.alt_auth.conf | 14 - .../templates/OPNsense/ProxySSO/+TARGETS | 3 + .../OPNsense/ProxySSO/kerberos.sso.conf | 20 ++ .../templates/OPNsense/ProxySSO/krb5.conf | 38 +++ .../templates/OPNsense/ProxySSO/rc.conf.d | 3 + .../templates/OPNsense/SSOProxyAD/+TARGETS | 2 - .../templates/OPNsense/SSOProxyAD/krb5.conf | 33 --- .../templates/OPNsense/SSOProxyAD/rc.conf | 11 - 40 files changed, 791 insertions(+), 734 deletions(-) create mode 100644 www/web-proxy-sso/+POST_DEINSTALL.post create mode 100644 www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php rename www/web-proxy-sso/src/opnsense/mvc/app/{models/OPNsense/SSOProxyAD/SSOProxyAD.php => controllers/OPNsense/ProxySSO/Api/SettingsController.php} (74%) create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/IndexController.php create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/checklist.xml create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/general.xml create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_create.xml create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_test.xml delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/ServiceController.php delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/SettingsController.php delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/IndexController.php delete mode 100644 
www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/forms/general.xml delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/library/OPNsense/Auth/SSOProxyAD.php create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.php create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/ACL/ACL.xml delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/Menu/Menu.xml delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.xml create mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/ProxySSO/index.volt delete mode 100644 www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/SSOProxyAD/index.volt create mode 100755 www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/kerberos_test.sh create mode 100755 www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/squid-gen-keytab.sh delete mode 100755 www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php delete mode 100755 www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py delete mode 100755 www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php create mode 100644 www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_proxysso.conf delete mode 100644 www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_ssoproxyad.conf delete mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/Proxy/squid.user.alt_auth.conf create mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/+TARGETS create mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/kerberos.sso.conf create mode 100644 
www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/krb5.conf
create mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/rc.conf.d
delete mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/+TARGETS
delete mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/krb5.conf
delete mode 100644 www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/rc.conf
diff --git a/LICENSE b/LICENSE
index 7a7811f0f..b90a6a524 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,3 @@
-Copyright (c) 2016
 Copyright (c) 2015-2016 Ad Schellevis
 Copyright (c) 2005-2008 Bill Marquette
 Copyright (c) 2005-2006 Colin Smith
@@ -21,6 +20,7 @@ Copyright (c) 2012 Pierre POMES
 Copyright (c) 2004-2012 Scott Ullrich
 Copyright (c) 2010 Seth Mos
 Copyright (c) 2008 Shrew Soft Inc.
+Copyright (c) 2017 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2004-2005 T. Lechat
 Copyright (c) 2010 Yehuda Katz
diff --git a/README.md b/README.md
index 5c7288ed0..95daa1033 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only fo
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 www/c-icap -- c-icap connects your Proxy with a virus scanner
-www/web-proxy-sso -- Add SSO Active Directory to use in Proxy
+www/web-proxy-sso -- Kerberos authentication module
 ```
 
 A brief description of how to use the plugins repository
diff --git a/www/web-proxy-sso/+POST_DEINSTALL.post b/www/web-proxy-sso/+POST_DEINSTALL.post
new file mode 100644
index 000000000..efd38ab66
--- /dev/null
+++ b/www/web-proxy-sso/+POST_DEINSTALL.post
@@ -0,0 +1,4 @@
+rm -f /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf
+if [ -f /var/run/squid/squid.pid ]; then
+ configctl proxy reconfigure
+fi
diff --git a/www/web-proxy-sso/Makefile b/www/web-proxy-sso/Makefile
index c18ec3646..299ab7361 100644
--- a/www/web-proxy-sso/Makefile
+++ b/www/web-proxy-sso/Makefile
@@ -1,9 +1,9 @@
 PLUGIN_NAME= web-proxy-sso
-PLUGIN_VERSION= 0.3
-PLUGIN_REVISION= 1
-PLUGIN_COMMENT= Add SSO Active Directory to use in Proxy
-PLUGIN_DEPENDS= msktutil
-PLUGIN_MAINTAINER= gitdevmod@github.com
+PLUGIN_VERSION= 1.3
+PLUGIN_COMMENT= Kerberos authentication module
+PLUGIN_DEPENDS= msktutil cyrus-sasl-gssapi
+PLUGIN_MAINTAINER= evbevz@gmail.com
+PLUGIN_WWW= https://smart-soft.ru
 PLUGIN_DEVEL= yes
 
 .include "../../Mk/plugins.mk"
diff --git a/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc b/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc
new file mode 100644
index 000000000..ba4bd8c1d
--- /dev/null
+++ b/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc
@@ -0,0 +1,15 @@
+ ['proxy_sso_squid_hook:2'],
+ ];
+}
+
+function proxy_sso_squid_hook($verbose, $action)
+{
+ if($action == "reconfigure") {
+ configd_run('template reload OPNsense/ProxySSO');
+ }
+}
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php
new file mode 100644
index 000000000..0815a2d69
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php
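Review bot: `proxy_sso_squid_hook()` uses a loose comparison, `if($action == "reconfigure")`, and leaves `$verbose` unused; the parameter presumably belongs to the hook signature the proxy plugin expects, so keep it, but write the test as `if ($action === 'reconfigure') {` for strictness and PSR-style spacing. A one-line docblock such as `// Re-render the OPNsense/ProxySSO templates (krb5.conf, kerberos.sso.conf) whenever the proxy is reconfigured` would explain why the hook calls `configd_run('template reload OPNsense/ProxySSO')`. The opening lines of this file, including the function that registers the hook, are not visible in this hunk, so this note covers only the hook itself.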
@@ -0,0 +1,262 @@ +configdRun("proxysso showkeytab"); + return array("response" => $response,"status" => "ok"); + } + + /** + * delete Kerberos keytab for Proxy + * @return array + */ + public function deletekeytabAction() + { + $backend = new Backend(); + + $response = $backend->configdRun("proxysso deletekeytab"); + return array("response" => $response,"status" => "ok"); + } + + /** + * create Kerberos keytab for Proxy + * @return array + */ + public function createkeytabAction() + { + if ($this->request->isPost()) { + $backend = new Backend(); + $mdl = new ProxySSO(); + $cnf = Config::getInstance()->toArray(); + $hostname = 'HTTP/' . $cnf['system']['hostname']; + $domain = $cnf['system']['domain']; + $kerbname = substr(strtoupper($cnf['system']['hostname']), 0, 13) . "-K"; + $winver = (string)$mdl->ADKerberosImplementation == 'W2008' ? '2008' : '2003'; + $username = escapeshellarg($this->request->getPost("admin_login")); + $pass = escapeshellarg($this->request->getPost("admin_password")); + + $response = $backend->configdRun("proxysso createkeytab {$hostname} {$domain} {$kerbname} {$winver} {$username} {$pass}"); + parent::reconfigureAction(); + return array("response" => $response,"status" => "ok"); + } + + return array("response" => array()); + } + + /** + * test Kerberos login + * @return array + */ + public function testkerbloginAction() + { + if ($this->request->isPost()) { + $backend = new Backend(); + $cnf = Config::getInstance()->toArray(); + $fqdn = $cnf['system']['hostname'].'.'.$cnf['system']['domain']; + $username = escapeshellarg($this->request->getPost("login")); + $pass = escapeshellarg($this->request->getPost("password")); + + $response = $backend->configdRun("proxysso testkerblogin {$username} {$pass} {$fqdn}"); + return array("response" => $response,"status" => "ok"); + } + + return array("response" => array()); + } + + /** + * get checklist data + * @return array + */ + public function getCheckListAction() + { + $backend = new Backend(); + 
$cnf = Config::getInstance()->object(); + $hostname = $cnf->system->hostname .'.'.$cnf->system->domain; + + // LDAP + $methods = explode(',', $cnf->OPNsense->proxy->forward->authentication->method); + foreach($methods as $method) { + $xpath = $cnf->xpath("//system/authserver[name=\"$method\" and type=\"ldap\"]"); + if(count($xpath)) { + $ldap_server = $xpath[0]; + break; + } + } + $ldap_ip = null; + $ldap_fqdn = null; + $ldap_server_ping = [ "status" => "failure"]; + if(isset($ldap_server) && !empty($ldap_server->host)) { + if(filter_var($ldap_server->host, FILTER_VALIDATE_IP)) { + $ldap_ip = $ldap_server->host; + } + else { + $ldap_fqdn = $ldap_server->host; + } + + $host_esc = escapeshellarg("{$ldap_server->host}"); + $output = array("# ping -c 1 -W 1 {$host_esc}"); + $retval = 0; + exec("ping -c 1 -W 1 {$host_esc}", $output, $retval); + $ldap_server_ping = [ "status" => $retval == 0 ? "ok" : "failure"]; + $ldap_server_ping["dump"] = implode("\n", $output); + } + + // DNS + $dns_server = array(); + $nameservers = preg_grep('/^nameserver/', file('/etc/resolv.conf')); + $dns_servers = array(); + foreach($nameservers as $key => $record) { + $parts = explode(' ', $record); + $dns_servers[] = trim($parts[1]); + } + $dns_server = [ "status" => count($dns_servers) ? "ok" : "failure"]; + if(!count($dns_servers)) { + $dns_server["message"] = gettext("DNS server not found"); + } + $output = "# cat /etc/resolv.conf\n"; + $output .= file_get_contents('/etc/resolv.conf'); + $dns_server["dump"] = $output; + + // DNS: hostname + $resolv_direct = chop(shell_exec("drill {$hostname} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'")); + $dns_hostname_resolution = [ "status" => !empty($resolv_direct) && filter_var($resolv_direct, FILTER_VALIDATE_IP) ? 
"ok" : "failure"]; + $output = array("# drill {$hostname}"); + exec("drill {$hostname}", $output); + $dns_hostname_resolution["dump"] = implode("\n", $output); + + $resolv_reverse = null; + $dns_hostname_reverse_resolution = array(); + $output = array(); + if(!empty($resolv_direct) && filter_var($resolv_direct, FILTER_VALIDATE_IP)) { + $output[] = "# drill -x {$resolv_direct}"; + exec("drill -x {$resolv_direct}", $output); + $resolv_reverse = chop(shell_exec("drill -x {$resolv_direct} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'")); + if(strtolower($resolv_reverse) != strtolower("{$hostname}.")) { + $dns_hostname_reverse_resolution["message"] = gettext("Hostname doesn't resolved to host IP."); + } + } + else { + $dns_hostname_reverse_resolution["message"] = gettext("Hostname doesn't resolved to IP."); + } + $dns_hostname_reverse_resolution["status"] = strtolower($resolv_reverse) == strtolower("{$hostname}.") ? "ok" : "failure"; + $dns_hostname_reverse_resolution["dump"] = implode("\n", $output); + + + // DNS: LDAP server + ldap_dns: + $dns_ldap_reverse_resolution = array( "status" => "failure" ); + if(empty($ldap_ip)) { + $dns_ldap_reverse_resolution["message"] = gettext("Unknown LDAP server IP."); + } + else { + $ldap_ip_esc = escapeshellarg($ldap_ip); + $resolv_reverse = chop(shell_exec("drill -x {$ldap_ip_esc} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'")); + if(empty($resolv_reverse)) { + $dns_ldap_reverse_resolution["message"] = gettext('LDAP server IP reverse lookup error. '); + }elseif (!empty($ldap_fqdn) && $resolv_reverse != "{$ldap_fqdn}.") { + $dns_ldap_reverse_resolution["message"] = gettext('LDAP server reverse DNS lookup is not equal to LDAP server FQDN. 
'); + } + else { + $dns_ldap_reverse_resolution["status"] = "ok"; + $ldap_fqdn = substr($resolv_reverse, 0, strlen($resolv_reverse) - 1); + } + $output = array("# drill -x {$ldap_ip_esc}"); + exec("drill -x {$ldap_ip_esc}", $output); + $dns_ldap_reverse_resolution["dump"] = implode("\n", $output); + } + + $dns_ldap_resolution = array( "status" => "failure" ); + if(empty($ldap_fqdn)) { + $dns_ldap_resolution["message"] = gettext('Unknown LDAP server FQDN.'); + } + else { + $ldap_fqdn_esc = escapeshellarg($ldap_fqdn); + $resolv = chop(shell_exec("drill {$ldap_fqdn_esc} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'")); + if(empty($resolv)) { + $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup error. '); + } + elseif (!empty($ldap_ip) && $resolv != $ldap_ip) { + $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup is not equal to LDAP IP. '); + } + else { + $dns_ldap_resolution["status"] = "ok"; + if(empty($ldap_ip)) { + $ldap_ip = $resolv; + goto ldap_dns; + } + } + $output = array("# drill {$ldap_fqdn_esc}"); + exec("drill {$ldap_fqdn_esc}", $output); + $dns_ldap_resolution["dump"] = implode("\n", $output); + } + + + // KERBEROS + $krb5_conf = '/etc/krb5.conf'; + $kerberos_config = array(); + $kerberos_config["status"] = "failure"; + if(!file_exists($krb5_conf)) { + $kerberos_config["message"] = sprintf(gettext('File %s does not exists.'), $krb5_conf); + } + else{ + $domainstr = preg_quote($cnf->system->domain); + $config_valid = preg_grep("/$domainstr/", file($krb5_conf)); + $kerberos_config["status"] = file_exists($krb5_conf) && !empty($config_valid) ? 
"ok" : "failure"; + if (empty($config_valid)) { + $kerberos_config["message"] = gettext('SSO is not enabled or kerberos configuration file has invalid content'); + } + $output = "# cat $krb5_conf\n"; + $output .= file_get_contents($krb5_conf); + $kerberos_config["dump"] = $output; + } + + $keytab_file = '/usr/local/etc/squid/squid.keytab'; + $keytab = array(); + $keytab["status"] = file_exists($keytab_file) ? "ok" : "failure"; + if(!file_exists($keytab_file)) { + $keytab["message"] = sprintf(gettext('File %s does not exists.'), $keytab_file); + } + $keytab["dump"] = $backend->configdRun("proxysso showkeytab"); + + + // and two more DNS check + if(!empty($ldap_ip) && !in_array($ldap_ip, $dns_servers)) { + $dns_server["status"] = "failure"; + $dns_server["message"] = gettext("LDAP server is not in DNS servers list."); + } + elseif(in_array("127.0.0.1", $dns_servers) || in_array("::1", $dns_servers)) { + $dns_server["status"] = "failure"; + $dns_server["message"] = gettext("Do not set localhost as DNS server."); + } + + + return [ + "hostname" => $hostname, + "ldap_server_config" => isset($ldap_server) ? $ldap_server->name->__toString() : array("status" => "failure", "message" => gettext("LDAP server is not set in Web Proxy - Authentication Settings")), + "ldap_server" => isset($ldap_server) ? $ldap_server->host->__toString() : "", + "ldap_server_ping" => $ldap_server_ping, + "dns_server" => $dns_server, + "dns_hostname_resolution" => $dns_hostname_resolution, + "dns_hostname_reverse_resolution" => $dns_hostname_reverse_resolution, + "dns_ldap_resolution" => $dns_ldap_resolution, + "dns_ldap_reverse_resolution" => $dns_ldap_reverse_resolution, + "kerberos_config" => $kerberos_config, + "keytab" => $keytab, + ]; + } +} 
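Review bot: `createkeytabAction` and `testkerbloginAction` pass the AD administrator password and the test user's password to the backend as command-line arguments (`configdRun("proxysso createkeytab … {$username} {$pass}")`, `configdRun("proxysso testkerblogin {$username} {$pass} {$fqdn}")`), where they are typically visible in the process list of other local users and may be recorded in configd's command log; `escapeshellarg()` prevents injection but not this exposure, so the secrets should reach the action script via stdin or a mode-0600 temporary file that the script removes, leaving only the non-secret parameters on the command line. In `getCheckListAction`, `$hostname` (built from `system.hostname` and `system.domain`) is interpolated unescaped into `shell_exec("drill {$hostname} | …")` and `exec("drill {$hostname}", $output)`, whereas the LDAP host a few lines earlier is wrapped in `escapeshellarg()`; apply the same wrapping here, and likewise escape `$method` before it is embedded in the XPath `authserver[name=\"$method\" and type=\"ldap\"]`. The `goto ldap_dns` retry terminates after one extra pass because `$ldap_ip` is then non-empty, but a comment saying so (or a two-iteration loop) would make that evident to the next reader.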
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/SettingsController.php similarity index 74% rename from www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.php rename to www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/SettingsController.php index 9e267c1b5..6dca042ba 100644 --- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.php +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/SettingsController.php @@ -1,7 +1,8 @@ + * Copyright (C) 2017 Smart-Soft + * * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -24,12 +25,20 @@ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. + * */ -namespace OPNsense\SSOProxyAD; +namespace OPNsense\ProxySSO\Api; -use OPNsense\Base\BaseModel; +use \OPNsense\Base\ApiMutableModelControllerBase; +use \OPNsense\Core\Config; -class SSOProxyAD extends BaseModel +/** + * Class SettingsController Handles settings related API actions for the ProxySSO + * @package OPNsense\ProxySSO + */ +class SettingsController extends ApiMutableModelControllerBase { + static protected $internalModelName = "ProxySSO"; + static protected $internalModelClass = "\OPNsense\ProxySSO\ProxySSO"; } diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/IndexController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/IndexController.php new file mode 100644 index 000000000..49548860c --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/IndexController.php 
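Review bot: `use \OPNsense\Core\Config;` is imported but nothing in the new `SettingsController` body references it, so it should be dropped; the leading backslashes on both `use` statements are also redundant (`use OPNsense\Base\ApiMutableModelControllerBase;`). Since the class body only declares `$internalModelName` and `$internalModelClass`, the docblock could add one sentence noting that the get/set API endpoints are presumably provided by the inherited base class rather than defined here.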
@@ -0,0 +1,16 @@ +view->title = gettext("Web Proxy Single Sign-On"); + $this->view->pick('OPNsense/ProxySSO/index'); + $this->view->generalForm = $this->getForm("general"); + $this->view->testingCreateForm = $this->getForm("testing_create"); + $this->view->testingTestForm = $this->getForm("testing_test"); + $this->view->checkListForm = $this->getForm("checklist"); + } +} diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/checklist.xml b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/checklist.xml new file mode 100644 index 000000000..44b3cb251 --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/checklist.xml @@ -0,0 +1,69 @@ +
+ + + header + + + hostname + + info + + + ldap_server_config + + info + + + ldap_server + + info + + + ldap_server_ping + + info + LDAP server ping check. + + + dns_server + + info + DNS server address from resolver configuration. DNS settings]]>. + + + dns_hostname_resolution + + info + DNS IP resolution for hostname. + + + dns_hostname_reverse_resolution + + info + Reverse DNS resolution for host IP. + + + dns_ldap_resolution + + info + DNS IP resolution for LDAP server name. + + + dns_ldap_reverse_resolution + + info + Reverse DNS resolution for LDAP server IP. + + + kerberos_config + + info + Kerberos configuration must exist and be valid. + + + keytab + + info + Keytab file must exist and be valid. + +
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/general.xml b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/general.xml new file mode 100644 index 000000000..9eeb7c6dd --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/general.xml @@ -0,0 +1,14 @@ +
+ + ProxySSO.EnableSSO + + checkbox + Enable Kerberos based Single Sign-On + + + ProxySSO.ADKerberosImplementation + + dropdown + Select Windows Server version for AD controller + +
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_create.xml b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_create.xml new file mode 100644 index 000000000..71d4f12e7 --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_create.xml @@ -0,0 +1,18 @@ +
+ + + header + + + admin_username + + text + Active Directory user name with administrator rights (this value is not stored in configuration). + + + admin_password + + password + Active Directory user password (this value is not stored in configuration). + +
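Review bot: the field ids defined here are `admin_username` and `admin_password`, while `ServiceController::createkeytabAction` reads `$this->request->getPost("admin_login")` and `getPost("admin_password")`; unless the view script (not in this hunk) remaps `admin_username` to `admin_login` when it posts the form, the user name arrives as null and `escapeshellarg()` turns it into an empty `''` argument. The same mismatch appears in `testing_test.xml` (`username`) against `testkerbloginAction` (`login`). Either rename the field to `admin_login` or have the controller read `admin_username`, and in the controller reject the request with a status message when either value is empty instead of invoking the backend action.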
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_test.xml b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_test.xml new file mode 100644 index 000000000..243baef5b --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/forms/testing_test.xml @@ -0,0 +1,12 @@ +
+ + username + + text + + + password + + password + +
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/ServiceController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/ServiceController.php deleted file mode 100644 index 71c8d54e1..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/ServiceController.php +++ /dev/null 
@@ -1,105 +0,0 @@ - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -namespace OPNsense\SSOProxyAD\Api; - -use \OPNsense\Base\ApiControllerBase; -use \OPNsense\SSOProxyAD\SSOProxyAD; -use \OPNsense\Core\Backend; -use \OPNsense\Cron\Cron; - -class ServiceController extends ApiControllerBase -{ - - public function reloadAction() - { - $status = "failed"; - if ($this->request->isPost()) { - $mdlSSOProxyAD = new SSOProxyAD(); - if ((string)$mdlSSOProxyAD->general->UpdateCron == "") { - $mdlCron = new Cron(); - $mdlSSOProxyAD->general->UpdateCron = $mdlCron->newDailyJob( - "SSOProyAD", - "ssoproxyad updateDomain", - "SSOProxyAD updateDomain cron", - "1" - ); - if ($mdlCron->performValidation()->count() == 0) { - $mdlCron->serializeToConfig(); - $mdlMymodule->serializeToConfig($validateFullModel = false, $disable_validation = true); - Config::getInstance()->save(); - } - } - $backend = new Backend(); - $bckresult = trim($backend->configdRun('template reload OPNsense/SSOProxyAD')); - if ($bckresult == "OK") { - $status = "ok"; - } - } - return array("status" => $status); - } - - public function testAction() - { - if ($this->request->isPost()) { - $backend = new Backend(); - $bckresult = json_decode(trim($backend->configdRun("ssoproxyad test")), true); - if ($bckresult !== null) { - // only return valid json type responses - return $bckresult; - } - } - return array("message" => "unable to run config action"); - } - - public function joinDomainAction() - { - if ($this->request->isPost()) { - $backend = new Backend(); - $bckresult = json_decode(trim($backend->configdRun("ssoproxyad joinDomain")), true); - if ($bckresult !== null) { - // only return valid json type responses - return $bckresult; - } - } - return array("message" => "unable to run config action"); - } - - public function updateDomainAction() - { - if ($this->request->isPost()) { - $backend = new Backend(); - $bckresult = json_decode(trim($backend->configdRun("ssoproxyad updateDomain")), true); - if ($bckresult !== null) { - // only return valid json type responses - 
return $bckresult; - } - } - return array("message" => "unable to run config action"); - } -} diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/SettingsController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/SettingsController.php deleted file mode 100644 index 3fe173b31..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/SettingsController.php +++ /dev/null 
@@ -1,52 +0,0 @@ - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -namespace OPNsense\SSOProxyAD\Api; - -use \OPNsense\Base\ApiMutableModelControllerBase; -use \OPNsense\Core\Config; - -class SettingsController extends ApiMutableModelControllerBase -{ - static protected $internalModelClass = '\OPNsense\SSOProxyAD\SSOProxyAD'; - static protected $internalModelName = 'ssoproxyad'; - - /** - * @return array plain model settings (non repeating items) - */ - protected function getModelNodes() - { - $settingsNodes = array('general'); - $result = array(); - $mdlSSO = $this->getModel(); - foreach ($settingsNodes as $key) { - $result[$key] = $mdlSSO->$key->getNodes(); - } - return $result; - } -} 
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/IndexController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/IndexController.php deleted file mode 100644 index 496949864..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/IndexController.php +++ /dev/null @@ -1,39 +0,0 @@ - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -namespace OPNsense\SSOProxyAD; - -class IndexController extends \OPNsense\Base\IndexController -{ - public function indexAction() - { - $this->view->title = gettext('SSO Proxy Active Directory'); - $this->view->pick('OPNsense/SSOProxyAD/index'); - $this->view->generalForm = $this->getForm("general"); - } -} 
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/forms/general.xml b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/forms/general.xml deleted file mode 100644 index a1da68983..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/forms/general.xml +++ /dev/null @@ -1,33 +0,0 @@ -
- - ssoproxyad.general.Enabled - - checkbox - Enable this feature - - - ssoproxyad.general.DomainName - - text - - - ssoproxyad.general.DomainDC - - text - - - ssoproxyad.general.DomainVersion - - text - - - ssoproxyad.general.DomainUser - - text - - - ssoproxyad.general.DomainPassword - - password - -
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/library/OPNsense/Auth/SSOProxyAD.php b/www/web-proxy-sso/src/opnsense/mvc/app/library/OPNsense/Auth/SSOProxyAD.php deleted file mode 100644 index b1e79db00..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/library/OPNsense/Auth/SSOProxyAD.php +++ /dev/null 
@@ -1,73 +0,0 @@ - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -namespace OPNsense\Auth; - -use OPNsense\Core\Config; - -/** - * Class SSOProxyAD connector - * @package OPNsense\Auth - */ -class SSOProxyAD implements IAuthConnector -{ - public static function getType() - { - return 'ssoproxyad'; - } - - /** - * user friendly description of this authenticator - * @return string - */ - public function getDescription() - { - return gettext("SSO Proxy AD"); - } - /** - * set connector properties - * @param array $config connection properties - */ - public function setProperties($config) - { - } - - /** - * unused - * @return array mixed named list of authentication properties - */ - public function getLastAuthProperties() - { - return array(); - } - - public function authenticate($username, $password) - { - return false; - } -} diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml new file mode 100644 index 000000000..f2294e670 --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.php b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.php new file mode 100644 index 000000000..76d8d1586 --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.php @@ -0,0 +1,9 @@ + +//OPNsense/ProxySSO + + Web-proxy Single Sign-On plugin + + + + 0 + Y + + + W2008 + Y + + Windows 2003 + Windows 2008 with AES + + + + diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/ACL/ACL.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/ACL/ACL.xml deleted file mode 100644 index 1e1778625..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/ACL/ACL.xml +++ /dev/null 
@@ -1,9 +0,0 @@ - - - Services: Web Proxy: SSO - - ui/ssoproxyad/* - api/ssoproxyad/* - - - diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/Menu/Menu.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/Menu/Menu.xml deleted file mode 100644 index 93811ad68..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/Menu/Menu.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.xml deleted file mode 100644 index 09c6e4d84..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.xml +++ /dev/null @@ -1,43 +0,0 @@ - - //OPNsense/ssoproxyad - - SSO Active Directory plugin - - - - - 1 - Y - - - Y - - - Y - - - Y - - - Y - - - Y - - - - - OPNsense.Cron.Cron - jobs.job - description - - /SSOProxyAD/ - - - - Related cron not found. - N - - - - diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/ProxySSO/index.volt b/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/ProxySSO/index.volt new file mode 100644 index 000000000..62f3951d9 --- /dev/null +++ b/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/ProxySSO/index.volt @@ -0,0 +1,170 @@ + + + + + + +
+ +
+ {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}} + +
+ +
+ +
+ + {{ partial("layout_partials/base_form",['fields':checkListForm,'id':'frm_CheckList'])}} +
+ + +
+ {{ partial("layout_partials/base_form",['fields':testingCreateForm,'id':'frm_TestingCreate'])}} + + + +
+ + {{ partial("layout_partials/base_form",['fields':testingTestForm,'id':'frm_TestingTest'])}} + + +
+

{{ lang._('Output') }}

+

+    
+
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/SSOProxyAD/index.volt b/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/SSOProxyAD/index.volt deleted file mode 100644 index bb18aed1f..000000000 --- a/www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/SSOProxyAD/index.volt +++ /dev/null @@ -1,82 +0,0 @@ -{# -Copyright (C) 2016 -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. -#} - -{{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}} - - - -
- -
- - - - - -
diff --git a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/kerberos_test.sh b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/kerberos_test.sh
new file mode 100755
index 000000000..220ac7178
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/kerberos_test.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+PASS_TMP=/tmp/__tmp_kerb_pass
+
+while getopts :f:u:p: name
+do
+ case $name in
+ f) FQDN="$OPTARG" ;; # aka TING.tingnet.local
+ u) USERNAME="$OPTARG" ;; # username
+ p) PASSWORD="$OPTARG" ;; # password
+ esac
+done
+
+[ "$USERNAME" == "" ] && echo "No account name" && exit 0;
+[ "$PASSWORD" == "" ] && echo "No account password" && exit 0;
+[ "$FQDN" == "" ] && echo "No FQDN" && exit 0;
+
+PASSWORD="${PASSWORD%\'}"
+echo "${PASSWORD}" | sed 's/\\//g' > ${PASS_TMP}
+
+/usr/local/bin/kinit ${USERNAME} < ${PASS_TMP}
+TICKET=$?
+rm ${PASS_TMP}
+
+/usr/local/libexec/squid/negotiate_kerberos_auth_test ${FQDN} | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
+
+/usr/local/bin/kdestroy
diff --git a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/squid-gen-keytab.sh b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/squid-gen-keytab.sh
new file mode 100755
index 000000000..ec7eda7ec
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/ProxySSO/squid-gen-keytab.sh
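Review bot: The password is written to the fixed, predictable path `/tmp/__tmp_kerb_pass` with whatever umask the script inherits, so it may be readable by other local users while kinit runs, a pre-existing symlink at that path would redirect the write, and a concurrent run of squid-gen-keytab.sh (which uses the same path) would clobber it. The password also arrives as the `-p` argument, so it is visible in the process list for the script's lifetime; reading it from stdin or the environment would avoid that. `TICKET=$?` is captured but never checked, so after a failed kinit the negotiate test still runs and prints a misleading error; add `[ "${TICKET}" != 0 ] && echo "No ticket" && exit 0` as squid-gen-keytab.sh does. Note too that `sed 's/\\//g'` strips every backslash from the password, so a password containing one can never authenticate; if this works around quoting on the PHP side, fix the escaping there instead. The temp-file handling below uses a private mktemp file with a cleanup trap so the file is unreadable to others and removed even on early exit.
```shell
umask 077
PASS_TMP=$(mktemp /tmp/kerb_pass.XXXXXX) || exit 1
trap 'rm -f "${PASS_TMP}"' EXIT
# … unchanged: getopts loop and argument checks …
echo "${PASSWORD}" | sed 's/\\//g' > "${PASS_TMP}"
/usr/local/bin/kinit "${USERNAME}" < "${PASS_TMP}"
TICKET=$?
[ "${TICKET}" != 0 ] && echo "No ticket" && exit 0
# … unchanged: negotiate_kerberos_auth_test pipeline and kdestroy …
```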
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+KEYTAB=/usr/local/etc/squid/squid.keytab
+PASS_TMP=/tmp/__tmp_kerb_pass
+
+while getopts :d:n:k:e:b:u:p: name
+do
+ case $name in
+ d) DOMAIN="$OPTARG" ;; # aka opnsense.local
+ n) PRINCIPAL="$OPTARG" ;; # aka HTTP/OPNSENSE
+ k) KERB_COMPUTER_NAME="$OPTARG" ;; # aka OPNSENSE-K
+ e) ENCTYPES="$OPTARG" ;;
+ b) BASENAME="$OPTARG" ;;
+ u) USERNAME="$OPTARG" ;; # LDAP admin username
+ p) PASSWORD="$OPTARG" ;; # LDAP admin password
+ esac
+done
+
+[ "$USERNAME" == "" ] && echo "No administrator account name" && exit 0;
+[ "$PASSWORD" == "" ] && echo "No administrator account password" && exit 0;
+[ "$BASENAME" == "" ] && BASENAME="CN=Computers";
+[ "$PRINCIPAL" == "" ] && echo "No principal name" && exit 0;
+[ "$DOMAIN" == "" ] && echo "No domain name" && exit 0;
+[ "$KERB_COMPUTER_NAME" == "" ] && echo "No Kerberos name for host" && exit 0;
+[ "$ENCTYPES" == "2008" ] && ENCTYPES_PARAM="--enctypes 28";
+
+
+PASSWORD="${PASSWORD%\'}"
+echo "${PASSWORD}" | sed 's/\\//g' > ${PASS_TMP}
+
+#/usr/local/bin/kinit --password-file=${PASS_TMP} ${USERNAME}
+/usr/local/bin/kinit ${USERNAME} < ${PASS_TMP}
+TICKET=$?
+rm ${PASS_TMP}
+[ $TICKET != 0 ] && echo "No ticket" && exit 0;
+
+/usr/local/sbin/msktutil -c --verbose -b "${BASENAME}" -s ${PRINCIPAL}.${DOMAIN} -k ${KEYTAB} --computer-name ${KERB_COMPUTER_NAME} --upn ${PRINCIPAL}.${DOMAIN} ${ENCTYPES_PARAM} 2>&1
+
+chmod +r ${KEYTAB}
+
+/usr/local/bin/kdestroy
diff --git a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php
deleted file mode 100755
index 43e8c6f58..000000000
--- a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php
+++ /dev/null
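Review bot: `chmod +r ${KEYTAB}` near the end makes `/usr/local/etc/squid/squid.keytab` world-readable, and that keytab holds the proxy's long-term Kerberos key, so any local account on the firewall could copy it and act as the proxy's service principal. The deleted joinDomain.php chowned the keytab to squid instead; restore that and keep the mode tight, e.g. `chown squid "${KEYTAB}" && chmod 0400 "${KEYTAB}"`, assuming negotiate_kerberos_auth runs as the squid user the rc.conf.d `squid_krb5_ktname` line is aimed at. The admin password is written to the fixed path `/tmp/__tmp_kerb_pass` with the inherited umask, shared with kerberos_test.sh, and not removed if the script dies before `rm`; use `mktemp` under `umask 077` with an `EXIT` trap, and be aware that `-p` exposes the password in the process list while the script runs. Every error path ends in `exit 0`, so the caller can only tell failure from success by parsing the output; a non-zero exit would be more honest if the controller can surface it.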
@@ -1,90 +0,0 @@ -#!/usr/local/bin/php - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -// Use legacy code to export certificates to the filesystem. -require_once("config.inc"); -require_once("certs.inc"); -require_once("legacy_bindings.inc"); - -use OPNsense\Core\Config; - -global $config; - -$configObj = Config::getInstance()->object(); -$hostname = $configObj->system->hostname; -$fqdn = $hostname . "." . 
$configObj->system->domain; -if (isset($configObj->OPNsense->ssoproxyad)) { - foreach ($configObj->OPNsense->ssoproxyad->general as $ssoproxyad) { - $enabled = $ssoproxyad->Enabled; - $domainname = $ssoproxyad->DomainName; - $domaindc = $ssoproxyad->DomainDC; - $domainversion = $ssoproxyad->DomainVersion; - $domainuser = $ssoproxyad->DomainUser; - $domainpassword = $ssoproxyad->DomainPassword; - } -} - -$keytab = '/usr/local/etc/ssoproxyad/PROXY.keytab'; -$cmd_2003 = '/usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k ' . $keytab . ' --computer-name ' . strtoupper($hostname) . ' --upn HTTP/' . $fqdn. ' --server ' . $domaindc . ' 2>&1'; -$cmd_2008 = '/usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k ' . $keytab . ' --computer-name ' . strtoupper($hostname) . ' --upn HTTP/' . $fqdn. ' --server ' . $domaindc . ' --enctypes 28 2>&1'; - -if ($enabled == 1) { - $krb5secret = '/usr/local/etc/ssoproxyad/krb5secret'; - if (!file_exists($keytab)) { - file_put_contents($krb5secret, $domainpassword); - chmod($krb5secret, 0600); - exec('/usr/local/bin/kinit --password-file="' . $krb5secret . '" ' . $domainuser. "@" . strtoupper($domainname) . 
" 2>&1", $output_kinit, $error_kinit); - if ($error_kinit > 0) { - $out = implode($output_kinit); - $return = array('message' => "$out"); - } else { - if ($domainversion == '2003') { - exec($cmd_2003, $output_msktutil, $error_msktutil); - } elseif ($domainversion == '2008') { - exec($cmd_2008, $output_msktutil, $error_msktutil); - } - if ((file_exists($keytab)) and ($error_msktutil <= 0)) { - chown($keytab, 'squid'); - chgrp($keytab, 'squid'); - exec("/usr/local/bin/kdestroy 2>&1", $output_kdestroy, $error_kdestroy); - $return = array('message' => "keytab created"); - } else { - $out = implode($output_msktutil); - $return = array('message' => "Unable to create keytab: $out"); - } - } - } else { - $return = array('message' => "keytab already exists"); - } -} -if (file_exists($krb5secret)) { - unlink($krb5secret); -} - -echo json_encode($return); diff --git a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py deleted file mode 100755 index 3b01b8cb2..000000000 --- a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/usr/local/bin/python2.7 - -""" - Copyright (c) 2016 - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -""" - -import os -import socket -import json - -ssoproxyad_config = '/usr/local/etc/ssoproxyad/krb5.conf' - -result = {} -if os.path.exists(ssoproxyad_config): - result['message'] = 'test ok!' -else: - # no config - result['message'] = 'no configuration file found' - -print (json.dumps(result)) diff --git a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php b/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php deleted file mode 100755 index 8e900ffac..000000000 --- a/www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/usr/local/bin/php - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -// Use legacy code to export certificates to the filesystem. -require_once("config.inc"); -require_once("certs.inc"); -require_once("legacy_bindings.inc"); -require_once("util.inc"); - -use OPNsense\Core\Config; - -global $config; - -$configObj = Config::getInstance()->object(); -$hostname = $configObj->system->hostname; -$fqdn = $hostname . "." . 
$configObj->system->domain;
-if (isset($configObj->OPNsense->ssoproxyad)) {
- foreach ($configObj->OPNsense->ssoproxyad->general as $ssoproxyad) {
- $enabled = $ssoproxyad->Enabled;
- }
-}
-
-if ($enabled == 1) {
- $keytab = '/usr/local/etc/ssoproxyad/PROXY.keytab';
- if (file_exists($keytab)) {
- $cmd = exec_safe('/usr/local/sbin/msktutil %s %s %s %s %s 2>&1', array(
- '--auto-update',
- '--computer-name',
- strtolower($hostname),
- '--keytab',
- $keytab
- ));
- exec($cmd, $output_msktutil, $error_msktutil);
- $out = implode($output_msktutil);
- if ($error_msktutil > 0) {
- $return = array('message' => "Unable to auto-update: $out)");
- } else {
- $return = array('message' => "Auto-update successful: $out");
- }
- } else {
- $return = array('message' => "keytab do not exists");
- }
-}
-
-echo json_encode($return);
diff --git a/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_proxysso.conf b/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_proxysso.conf
new file mode 100644
index 000000000..457b860c5
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_proxysso.conf
@@ -0,0 +1,23 @@
+[showkeytab]
+command:( [ ! -f /usr/local/etc/squid/squid.keytab ] && echo "No keytab /usr/local/etc/squid/squid.keytab") || /usr/local/bin/klist -k /usr/local/etc/squid/squid.keytab
+parameters:
+type:script_output
+message:show kerberos keytab
+
+[createkeytab]
+command:/usr/local/opnsense/scripts/OPNsense/ProxySSO/squid-gen-keytab.sh
+parameters:-n %s -d %s -k %s -e %s -u %s -p %s
+type:script_output
+message:create keytab
+
+[deletekeytab]
+command:( [ ! -f /usr/local/etc/squid/squid.keytab ] && echo "No keytab file" ) || rm /usr/local/etc/squid/squid.keytab
+parameters:
+type:script_output
+message:delete keytab
+
+[testkerblogin]
+command:/usr/local/opnsense/scripts/OPNsense/ProxySSO/kerberos_test.sh
+parameters:-u %s -p %s -f %s
+type:script_output
+message:test kerberos login
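Review bot: `[createkeytab]` and `[testkerblogin]` hand the AD administrator and user passwords to the scripts as the `-p %s` command-line parameter, so the secret is visible in the process list to every local user for the lifetime of the script and, depending on how verbosely configd logs the commands it runs, may end up in its log next to the rest of the command line. Prefer passing the secret over stdin or an environment variable and keeping only the non-secret fields in `parameters:`; both scripts already feed kinit from a file, so reading from stdin instead is a small change on their side. `[showkeytab]` is fine as is, since `klist -k` without `-K` lists principals and key versions rather than key material.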
diff --git a/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_ssoproxyad.conf b/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_ssoproxyad.conf
deleted file mode 100644
index f95873260..000000000
--- a/www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_ssoproxyad.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-[test]
-command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py
-parameters:
-type:script_output
-message:SSO Proxy AD module test
-
-[joinDomain]
-command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php
-parameters:
-type:script_output
-message:SSO Proxy AD module join AD domain
-
-[updateDomain]
-command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php
-parameters:
-type:script_output
-message:SSO Proxy AD module update AD domain
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/Proxy/squid.user.alt_auth.conf b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/Proxy/squid.user.alt_auth.conf
deleted file mode 100644
index ac5a816ed..000000000
--- a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/Proxy/squid.user.alt_auth.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-{% if helpers.exists('OPNsense.proxy.forward.authentication.method') %}
-{% if helpers.exists('system.authserver') %}
-{% for server in helpers.toList('system.authserver') %}
-{% if server.name == OPNsense.proxy.forward.authentication.method %}
-{% if server.type == "ssoproxyad" %}
-auth_param negotiate program "/usr/local/libexec/squid/negotiate_kerberos_auth"
-auth_param negotiate children 10
-auth_param negotiate keep_alive on
-acl local_auth proxy_auth REQUIRED
-{% endif %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endif %}
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/+TARGETS b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/+TARGETS
new file mode 100644
index 000000000..78bbfdf31
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/+TARGETS
@@ -0,0 +1,3 @@
+rc.conf.d:/etc/rc.conf.d/squid_krb5
+krb5.conf:/etc/krb5.conf
+kerberos.sso.conf:/usr/local/etc/squid/pre-auth/20-negotiate.auth.conf
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/kerberos.sso.conf b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/kerberos.sso.conf
new file mode 100644
index 000000000..433a246fd
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/kerberos.sso.conf
@@ -0,0 +1,20 @@
+
+{% set ldap_method = [] %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
+{% for method in OPNsense.proxy.forward.authentication.method.split(",") %}
+{% if method != "Local Database" %}
+{% for server in helpers.toList('system.authserver') %}
+{% if server.type == 'ldap' and server.name == method %}
+{% do ldap_method.append(server) %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if ldap_method|length > 0 and helpers.exists('OPNsense.ProxySSO.EnableSSO') and OPNsense.ProxySSO.EnableSSO == '1' %}
+auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -i -s HTTP/{{system.hostname}}.{{system.domain}}@{{system.domain|upper}}
+auth_param negotiate keep_alive on
+{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
+auth_param negotiate children {{OPNsense.proxy.forward.authentication.children}}
+{% endif %}
+{% endif%}
+{% endif %}
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/krb5.conf b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/krb5.conf
new file mode 100644
index 000000000..ed10b8104
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/krb5.conf
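Review bot: The helper is started with `-d`, which switches negotiate_kerberos_auth to debug output in cache.log for every request; besides the volume, squid auth helpers in debug mode generally echo the lines they receive from squid, which here are the clients' base64 SPNEGO tokens, so `-d` should be dropped (keeping `-i`) or tied to a setting rather than hard-coded in the generated config. The principal `HTTP/{{system.hostname}}.{{system.domain}}@{{system.domain|upper}}` must match, case-sensitively, whatever squid-gen-keytab.sh registered from its admin-supplied `-n` value (`HTTP/OPNSENSE` in its example), and the two can easily disagree on case, giving an opaque "no key" failure at runtime; either derive the keytab principal from system.hostname in the controller or document that `-n` must be `HTTP/<hostname>` in the same case. Also `{% endif%}` on the second-to-last line is missing its space; harmless to Jinja but inconsistent with the rest of the file.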
@@ -0,0 +1,38 @@
+# Autogenerated config. Do not edit manualy.
+
+{% set ldap = [] %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') %}
+{% for method in OPNsense.proxy.forward.authentication.method.split(",") %}
+{% for server in helpers.toList('system.authserver') %}
+{% if server.type == 'ldap' and server.name == method %}
+{% do ldap.append(server) %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if ldap|length > 0 and helpers.exists('OPNsense.ProxySSO.EnableSSO') and OPNsense.ProxySSO.EnableSSO|default('0') == '1' %}
+[libdefaults]
+ default_realm = {{ system.domain|upper }}
+ dns_lookup_kdc = no
+ dns_lookup_realm = no
+ ticket_lifetime = 24h
+ default_keytab_name = /usr/local/etc/squid/squid.keytab
+{% if helpers.exists('OPNsense.ProxySSO.ADKerberosImplementation') and OPNsense.ProxySSO.ADKerberosImplementation == 'W2003' %}
+ default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
+ default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
+ permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
+{% else %}
+ default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
+ default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
+ permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
+{% endif %}
+[realms]
+ {{ system.domain|upper }} = {
+ kdc = {{ ldap[0].host }}
+ admin_server = {{ ldap[0].host }}
+ default_domain = {{ system.domain }}
+ }
+[domain_realm]
+ .{{ system.domain }} = {{ system.domain|upper }}
+ {{ system.domain }} = {{ system.domain|upper }}
+{% endif %}
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/rc.conf.d b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/rc.conf.d
new file mode 100644
index 000000000..f56f2a7b5
--- /dev/null
+++ b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/ProxySSO/rc.conf.d
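Review bot: Both enctype branches keep the single-DES types `des-cbc-crc des-cbc-md5` in `permitted_enctypes`, and the W2008/AES branch lists them right after `aes256-cts-hmac-sha1-96`; single DES has been disabled by default in MIT and Heimdal for years, and if I read msktutil's bitmask correctly the `--enctypes 28` that squid-gen-keytab.sh passes for 2008 requests only RC4, AES128 and AES256, so the keytab never holds a DES key anyway. Drop them at least from the W2008 branch, e.g. `permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac` and the same for the `default_tgs_enctypes`/`default_tkt_enctypes` lines, and consider whether the W2003 branch is still worth keeping rather than documenting it as legacy. `kdc = {{ ldap[0].host }}` with `dns_lookup_kdc = no` pins Kerberos to the first LDAP server of the proxy's auth method, and `default_realm = {{ system.domain|upper }}` assumes the firewall's DNS domain is the AD realm; both are reasonable defaults but silently break SSO when the LDAP host is not a domain controller or the realm differs, so a short template comment stating both assumptions would save debugging time. The header comment also has a typo, `manualy` for `manually`.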
@@ -0,0 +1,3 @@
+{% if helpers.exists('OPNsense.ProxySSO.EnableSSO') and OPNsense.ProxySSO.EnableSSO|default("0") == "1" %}
+squid_krb5_ktname="/usr/local/etc/squid/squid.keytab"
+{% endif %}
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/+TARGETS b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/+TARGETS
deleted file mode 100644
index 30b684c47..000000000
--- a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/+TARGETS
+++ /dev/null
@@ -1,2 +0,0 @@
-krb5.conf:/usr/local/etc/ssoproxyad/krb5.conf
-rc.conf:/etc/rc.conf.d/squid/ssoproxyad
diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/krb5.conf b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/krb5.conf
deleted file mode 100644
index 900f6d92b..000000000
--- a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/krb5.conf
+++ /dev/null
@@ -1,33 +0,0 @@ -{% if helpers.exists('OPNsense.ssoproxyad.general') and OPNsense.ssoproxyad.general.Enabled|default("0") == "1" %} -[libdefaults] - default_realm = {{ OPNsense.ssoproxyad.general.DomainName|upper }} - dns_lookup_kdc = no - dns_lookup_realm = no - ticket_lifetime = 24h - default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab - -{% if helpers.exists('OPNsense.ssoproxyad.general.DomainVersion') and OPNsense.ssoproxyad.general.DomainVersion == '2003' %} - default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 - default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 - permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 -{% endif %} -{% if helpers.exists('OPNsense.ssoproxyad.general.DomainVersion') and OPNsense.ssoproxyad.general.DomainVersion == '2008' %} -; for Windows 2008 with AES - default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 - default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 - permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 -{% endif %} - -[realms] - {{ OPNsense.ssoproxyad.general.DomainName|upper }} = { - kdc = {{ OPNsense.ssoproxyad.general.DomainDC|lower }}.{{ OPNsense.ssoproxyad.general.DomainName|lower }} - admin_server = {{ OPNsense.ssoproxyad.general.DomainDC|lower }}.{{ OPNsense.ssoproxyad.general.DomainName|lower }} - default_domain = {{ OPNsense.ssoproxyad.general.DomainName|lower }} - } - -[domain_realm] - .{{ OPNsense.ssoproxyad.general.DomainName|lower }} = {{ OPNsense.ssoproxyad.general.DomainName|upper }} - {{ OPNsense.ssoproxyad.general.DomainName|lower }} = {{ OPNsense.ssoproxyad.general.DomainName|upper }} - - -{% endif %} diff --git a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/rc.conf b/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/rc.conf deleted file mode 100644 index 9a6da4e5b..000000000 
--- a/www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/rc.conf +++ /dev/null @@ -1,11 +0,0 @@ -{% if helpers.exists('system.authserver') %} -{% for server in helpers.toList('system.authserver') %} -{% if helpers.exists('OPNsense.proxy.forward.authentication.method') %} -{% if server.name == OPNsense.proxy.forward.authentication.method %} -{% if server.type == "ssoproxyad" %} -squid_krb5_ktname="/usr/local/etc/ssoproxyad/PROXY.keytab" -{% endif %} -{% endif %} -{% endif %} -{% endfor %} -{% endif %}