SSL Intercept Layer causing Kerberos Authentication to fail.


Hello all,

I’m using a ProxySG 600 (6.7.4.7) configured in explicit mode. This has been configured to use LDAP, which still works fine. I’m now trying to use IWA > BCAAA > Kerberos. The BCAAA Agent is installed on a domain-joined server but not a DC.

Scenario 1:

Browser configured with or without (Automatic logon with current user name and password). Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) or the one rule within the layer disabled, everything works fine. I can also confirm this is working from the packet capture from the proxy. I can see the proxy challenging the browser with the (407 challenges) for each timeout or every connection request based on the mode, and this confirms Kerberos is working. In the logs I have also confirmed all the authentication is Kerberos.

Scenario 2:

(Automatic logon with current user name and password) is DISABLED in the browser. Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) enabled, Kerberos authentication is failing. In the packet capture from the proxy I can see the proxy challenging the browser for the first “GET”, the browser sends the token and all is good, and this confirms Kerberos is working. When the timeout is reached, or if I’m using (Proxy mode), the user is then being prompted for authentication credentials, and when the user logs in the logs show this is now using NTLM.

Scenario 3:

(Automatic logon with current user name and password) is ENABLED in the browser. Web Authentication Layer is configured to use (Proxy IP/Proxy mode) and configured to use Kerberos. With the (SSL Interception Layer) enabled, Kerberos authentication is failing. In the packet capture from the proxy I can see the proxy challenging the browser for the first “GET”, the browser sends the token and all is good. When the timeout is reached, or if I’m using (Proxy mode), the user is no longer being prompted for credentials, but this is due to the (Automatic logon with current user name and password) being enabled in the browser. In the packet capture I see the same behavior, and in the logs I can see it only uses Kerberos for the first “GET” and all the others are NTLM.

Scenario 4:

I’ve replicated this setup in a virtual environment using versions (6.7.4.1) & (6.7.4.7) and everything works perfectly. In the packet capture I can see all the (407 challenges) from the proxy, and in the logs every authentication is Kerberos.

Please assist.


Network Intrusion Report More Information


So we have set up the “Network and Host Exploit Mitigation” report to run daily and give us information, and so far it has been useful. However, there are some features that seem to be lacking. We can see that there are network intrusion events being detected on machines, and we can see their level of severity and all that, but we cannot see what kind of actual events are occurring without going into the user's machine and viewing the logs. Is there a way to include this information in the report?

Also, when we look at the logs we can see information like “Malicious domain blocked 22”, and we can see the offending process is “CHROME.exe”, which makes sense, and we can get the IP address of the host, but it is still not enough information. The alert happens ~40 times a day, and after running full scans, Power Eraser, Process Explorer, Autoruns, Procmon, and HijackThis nothing ever comes up as malicious. We have a hard time replicating the issue, and we want to understand more about what is happening and why Symantec is flagging that domain when there is nothing malicious on the machine.

The main thing I am looking for is how to add as much information into the network intrusion report as possible and how to generate as much log data as possible through Symantec. If anyone has insights into this or has experienced similar issues, some insight into troubleshooting this would be much appreciated.

**Note: the domain referenced above is a Cloudflare IP address**


Cisco RV110W, RV130W, and RV215W Routers Unauthenticated syslog File Access Vulnerability

A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device.

The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for the syslog file. A successful exploit could allow the attacker to access the information contained in the file.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-rv-fileaccess

Security Impact Rating: Medium

CVE: CVE-2019-1898


Cisco RV110W, RV130W, and RV215W Routers Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to disconnect clients that are connected to the guest network on an affected router.

The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for device disconnection and providing the connected device information. A successful exploit could allow the attacker to deny service to specific clients that are connected to the guest network.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-rv-dos

Security Impact Rating: Medium

CVE: CVE-2019-1897
