
Set up Kerberos in v18?

Is there any additional configuration needed to enable Kerberos authentication in v18?  I got a failure message on upgrade startup in the log viewer: "Cannot initialize Kerberos authentication with domain." but have not been able to figure out how to troubleshoot it further.  Documentation doesn't seem to mention anything.  Thanks in advance.



  • Bill,

    Which steps did you perform?

  • Actually Kerberos will perform an Auto Join if "everything is setup correctly". 

    You need to: 

    Have a Request Route from XG to your AD.

    AD Server setup properly.

    AD SSO enabled in the Zone of Client.

    XG Hostname needs to be resolvable on your AD (example: Hostname "XG". Domain "test.com". XG.test.com needs to point to the XG.) 

     

    Here is a Thread in EAP Forum: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/118421/ntlm-kerberos-authentication


  • Hi LuCar, thanks for that.

    So I verified that XG "joined" the AD automatically, and if I do a SetSPN query I see the two entries as Michael Dunn stated should be there.  XG hostname is resolvable and points to the XG.  AD SSO is enabled on the zone.  NTLM is successful.  Still, XG log viewer reports an error with Kerberos.  Unfortunately it doesn't provide anything in the way of useful information (maybe in version 26 the log viewer will be useful).  

  • Could you show us the Screenshot of the Log viewer? Plus please the advanced View in Logviewer. 


  • Bill Roland said:
    Hi LuCar, thanks for that.

    Still, XG log viewer reports an error with Kerberos.  Unfortunately it doesn't provide anything in the way of useful information (maybe in version 26 the log viewer will be useful).  

    I agree with Bill. The other day I was getting mad to find why XG was blocking traffic and even the advanced shell did not help.

    Logging needs to be improved a lot.

    Bill do you see any logs from advanced shell?

    tail -f /log/*.log

  • Maybe  can help here? 


  • Bill,

    do you find some useful log inside /log/access_server.log ?

    If not, try to put the access_server service in debug mode, perform the authentication attempt while tail -f /log/access_server.log is going...

    Let us know.

    Michael Dunn is the best person to help for this issue.

  • We got very little feedback about AD SSO in the v18 EAP, which we hope means that there are few problems with it. :)

    I have not seen that particular error before.
    It is curious that you get an error but the SPNs are created.

    Did you get any other authentication configuration messages?
    Is it repeatedly putting the error in the log or just once?
    Do clients attempt to do AD SSO? They might skip AD SSO and go to Captive Portal if the system thinks it is not correctly configured.
    What is logged in Log Viewer when clients try to authenticate?

    The relevant log file for AD SSO (NTLM and Kerberos) is /log/nasm.log and not /log/access_server.log.

    If you want I can look at your box myself to see if I can determine the cause. We need access to your box using a support tunnel. This will grant us secure access to WebAdmin and command line. It does not expose your box to the internet.

    Please go to Diagnostics > Support access and turn it on. After a moment the page will refresh with an Access ID. You can change how long until the support tunnel is automatically closed, however it is recommended to have it open for a week or more. You can always disable it yourself when the issue is resolved. Please send me the Access ID.

  • Michael Dunn said:

    The relevant log file for AD SSO (NTLM and Kerberos) is /log/nasm.log and not /log/access_server.log.

    Thanks Michael.
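The prerequisites listed earlier in the thread (XG hostname resolvable to the firewall, SPNs registered by the auto-join, as confirmed with a SetSPN query) can be checked before digging through /log/nasm.log. The script below is an added example written for this page, not Sophos code and not posted by anyone in the thread. It assumes (not stated in the thread) that the two SPNs the auto-join registers are HTTP/<hostname> and HTTP/<fqdn>, adds a reverse-DNS consistency check as an extra hygiene step, and uses a constructed sample of `setspn -L` output for the thread's example names "XG" and "test.com"; the IP 192.0.2.1 is a documentation address, not a real firewall.

```python
"""Pre-flight check for XG Kerberos AD SSO prerequisites (added example).

Assumptions: browser Kerberos SSO needs HTTP/<hostname> and HTTP/<fqdn> SPNs;
the setspn sample below is constructed, not captured from a real domain.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class CheckResult:
    passed: bool
    findings: List[str] = field(default_factory=list)


def parse_setspn_output(text: str) -> List[str]:
    """Return the SPN lines from `setspn -L <computer>` output, skipping the header."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        spns.append(line)
    return spns


def expected_spns(hostname: str, domain: str) -> List[str]:
    """SPNs assumed to be required for HTTP Kerberos SSO against the firewall."""
    fqdn = f"{hostname}.{domain}".lower()
    return [f"HTTP/{hostname.lower()}", f"HTTP/{fqdn}"]


def check_spns(registered: List[str], hostname: str, domain: str) -> CheckResult:
    """SPN comparison is case-insensitive; every expected SPN must be registered."""
    have = {s.lower() for s in registered}
    missing = [s for s in expected_spns(hostname, domain) if s.lower() not in have]
    return CheckResult(not missing, [f"missing SPN {s}" for s in missing])


def check_dns(hostname: str, domain: str, xg_ip: str,
              forward: Callable[[str], str] = socket.gethostbyname,
              reverse: Optional[Callable[[str], str]] = None) -> CheckResult:
    """Forward lookup of the FQDN must give the XG IP; the PTR for that IP should
    give the FQDN back (extra consistency check, an assumption beyond the thread).
    Resolvers are injectable so the check can run without network access."""
    if reverse is None:
        reverse = lambda ip: socket.gethostbyaddr(ip)[0]
    fqdn = f"{hostname}.{domain}".lower()
    findings: List[str] = []
    try:
        resolved = forward(fqdn)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        findings.append(f"{fqdn} does not resolve: {exc}")
    else:
        if resolved != xg_ip:
            findings.append(f"{fqdn} resolves to {resolved}, expected {xg_ip}")
    try:
        ptr = reverse(xg_ip).lower().rstrip(".")
    except OSError as exc:
        findings.append(f"no PTR for {xg_ip}: {exc}")
    else:
        if ptr != fqdn:
            findings.append(f"PTR for {xg_ip} is {ptr}, expected {fqdn}")
    return CheckResult(not findings, findings)


def run_preflight(setspn_text: str, hostname: str, domain: str, xg_ip: str,
                  forward: Callable[[str], str] = socket.gethostbyname,
                  reverse: Optional[Callable[[str], str]] = None) -> CheckResult:
    """Combine the SPN and DNS checks into one pass/fail result with all findings."""
    spn = check_spns(parse_setspn_output(setspn_text), hostname, domain)
    dns = check_dns(hostname, domain, xg_ip, forward, reverse)
    return CheckResult(spn.passed and dns.passed, spn.findings + dns.findings)


# Constructed sample of `setspn -L XG` output for the thread's example names.
SAMPLE_SETSPN = """Registered ServicePrincipalNames for CN=XG,CN=Computers,DC=test,DC=com:
        HTTP/XG.test.com
        HTTP/XG
"""

if __name__ == "__main__":
    # Uses the real system resolver; with the sample names this will report DNS findings.
    result = run_preflight(SAMPLE_SETSPN, "XG", "test.com", "192.0.2.1")
    print("PASS" if result.passed else "FAIL")
    for finding in result.findings:
        print(" -", finding)
```

Paste the real `setspn -L <xg-computer-account>` output into `SAMPLE_SETSPN` and set `xg_ip` to the firewall's address on the client-facing zone; a failed SPN or DNS finding here explains a Kerberos failure without needing anything from the log viewer, while a clean pass points the investigation at /log/nasm.log as suggested above.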