SSL Intercept Layer causing Kerberos Authentication to fail.

I need a solution

Hello all,

I’m using a ProxySG 600 (6.7.4.7) configured in explicit mode. This has been configured to use LDAP, which still works fine. I’m now trying to use IWA > BCAAA > Kerberos. The BCAAA Agent is installed on a domain-joined server but not a DC.

Scenario 1:

Browser configured with or without (Automatic logon with current user name and password). Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) or the one rule within the layer disabled, everything works fine. I can also confirm this is working from the packet capture from the proxy. I can see the proxy challenging the browser with the (407 challenges) for each timeout or every connection request based on the mode, and this confirms Kerberos is working. In the logs I can also confirm all the authentication is Kerberos.

Scenario 2:

(Automatic logon with current user name and password) is DISABLED in the browser. Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) enabled, Kerberos authentication is failing. In the packet capture from the proxy I can see the proxy challenging the browser for the first “GET”; the browser sends the token and all is good, and this confirms Kerberos is working. When the timeout is reached, or if I’m using (Proxy mode), the user is then prompted for authentication credentials, and when the user logs in the log shows this is now using NTLM.

Scenario 3:

(Automatic logon with current user name and password) is ENABLED in the browser. Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) enabled, Kerberos authentication is failing. In the packet capture from the proxy I can see the proxy challenging the browser for the first “GET”; the browser sends the token and all is good. When the timeout is reached, or if I’m using (Proxy mode), the user is no longer prompted for credentials, but this is due to the (Automatic logon with current user name and password) being enabled in the browser. In the packet capture I see the same behavior, and in the logs I can see it only uses Kerberos for the first “GET” and all the others are NTLM.

Scenario 4:

I’ve replicated this setup in a virtual environment using versions (6.7.4.1) & (6.7.4.7) and everything works perfectly. In the packet capture I can see all the (407 challenges) from the proxy, and in the logs every authentication is Kerberos.

Please assist.
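One way to pull the symptom described above out of an access log, as an added example that is not part of the original post or of ProxySG itself: a small Python script that groups requests per client and flags clients that authenticated with Kerberos on their first request but NTLM afterwards. The log format, field order and sample lines are constructed assumptions for the example, not ProxySG's own ELFF layout.

```python
from collections import defaultdict

# Constructed sample in an assumed format (not ProxySG's real ELFF layout):
#   time client_ip method status auth_mechanism
# Client .10 stays on Kerberos; client .11 gets Kerberos only on the first GET
# and falls back to NTLM on every later request, as in scenarios 2 and 3.
SAMPLE_LOG = """\
2019-01-10T09:00:01 10.0.0.10 GET 407 -
2019-01-10T09:00:01 10.0.0.10 GET 200 Kerberos
2019-01-10T09:05:02 10.0.0.10 CONNECT 407 -
2019-01-10T09:05:02 10.0.0.10 CONNECT 200 Kerberos
2019-01-10T09:00:03 10.0.0.11 GET 407 -
2019-01-10T09:00:03 10.0.0.11 GET 200 Kerberos
2019-01-10T09:05:04 10.0.0.11 CONNECT 407 -
2019-01-10T09:05:04 10.0.0.11 CONNECT 200 NTLM
2019-01-10T09:06:00 10.0.0.11 GET 200 NTLM
"""

def parse_log(text):
    """Yield (time, client, method, status, mech) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        time, client, method, status, mech = parts
        yield time, client, method, int(status), mech

def mechanisms_by_client(text):
    """Ordered auth mechanisms per client, ignoring 407 challenges (no
    credential yet) and requests that carried no credential."""
    seen = defaultdict(list)
    for _time, client, _method, status, mech in parse_log(text):
        if status == 407 or mech == "-":
            continue
        seen[client].append(mech)
    return seen

def find_downgrades(text):
    """Return {client: later_mechs} for clients whose first authenticated
    request used Kerberos but some later request used NTLM."""
    downgrades = {}
    for client, mechs in mechanisms_by_client(text).items():
        if mechs and mechs[0] == "Kerberos" and "NTLM" in mechs[1:]:
            downgrades[client] = sorted(set(mechs[1:]))
    return downgrades

if __name__ == "__main__":
    for client, later in find_downgrades(SAMPLE_LOG).items():
        print(f"{client}: Kerberos on first request, later {later}")
```

Run against a real export, a client that shows up here is one whose later requests (after the Kerberos ticket lifetime or per-connection re-challenge) are no longer being answered with a Kerberos token, which is the first thing to correlate with whether SSL interception applied to those connections.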
