This documentation provides guidance on how to configure Kerberos Single Sign-On in scenarios where customers have load-balanced UTMs that are not in a cluster. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM
Prerequisite: a DNS record for the load balancer's FQDN that resolves correctly, and that clients actually use to reach the proxy. The browser requests a Kerberos service ticket for the host name it connects to, so that name must be the one registered as an SPN below.
To implement SSO for the load balancer, configure the required settings on the AD server first and then on the UTM.
Note: Avoid any changes to this account once it is in use, in particular resetting its password, as this increments its Key Version Number (KVNO). The keytab held by the UTM then no longer matches the key the KDC uses, and authentication fails until the keytab is regenerated.
If the load balancer's FQDN is utm-lb-prod.test.sophos.com, and the AD account username is utm-lb-prod:
setspn -a HTTP/utm-lb-prod.test.sophos.com utm-lb-prod
setspn -a HTTP/utm-lb-prod utm-lb-prod
To verify the setting, use the command below:
setspn -L <username>
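The AD-side steps above, carried out as a script with the checks a practitioner normally wants before registering an SPN. This is an added example, not code from the Sophos article; it uses the FQDN and account name from the example above and assumes the account's CN matches its sAMAccountName (adjust the `-match` on the distinguished name if it does not). A duplicate SPN anywhere in the forest makes the KDC encrypt tickets with the wrong key, so the script refuses to add a second registration instead of silently stacking one on with `-A`.

```powershell
# Added example (not from the original Sophos article): register and verify the
# load-balancer SPNs with duplicate checks. $Fqdn, $Short and $Account are taken
# from the article's example; the CN check below assumes CN == sAMAccountName.
$Fqdn    = 'utm-lb-prod.test.sophos.com'
$Short   = 'utm-lb-prod'
$Account = 'utm-lb-prod'
$Spns    = @("HTTP/$Fqdn", "HTTP/$Short")

foreach ($spn in $Spns) {
    # setspn -Q searches the forest for an existing registration of this exact SPN.
    # Output contains "Existing SPN found!" plus the owning object's DN, or
    # "No such SPN found."
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        if ($query -match "CN=$Account,") {
            Write-Host "$spn is already registered on $Account, skipping."
            continue
        }
        # Registered on some other object: adding it again would create a
        # duplicate, which breaks Kerberos for both hosts. Stop here.
        throw "$spn is already registered on another object:`n$($query -join "`n")"
    }

    # setspn -S adds the SPN only after a forest-wide duplicate check,
    # unlike -A (used in the article), which adds unconditionally.
    & setspn.exe -S $spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn (exit $LASTEXITCODE)" }
}

# Verify what the account now carries, then scan the whole forest for duplicates.
& setspn.exe -L $Account
& setspn.exe -X

# From any domain-joined client, request a service ticket for the load balancer.
# A ticket for HTTP/<fqdn> in the output proves the KDC can resolve the SPN;
# "server not found" or KRB_AP_ERR_MODIFIED after the UTM is configured points
# at a missing/duplicate SPN or at a keytab whose KVNO no longer matches AD.
& klist.exe get "HTTP/$Fqdn"
```

Run the script in an elevated prompt on a domain-joined machine with an account that has write access to the service account's servicePrincipalName attribute (typically Domain Admins). The final `klist get` is the cheapest end-to-end check: if it succeeds but browser SSO still fails, the problem is on the UTM side (SPN not configured there, or a stale keytab), not in AD.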
Then, on the UTM shell, tell AD SSO which load balancer FQDN to serve:
cc set auth ad_sso loadbalancer_fqdn utm-lb-prod.test.sophos.com
Note: If web filtering is already enabled, you may need to restart the web filtering service so that the keytab file used by the web filter module is regenerated with the load balancer's SPN.