Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Is there any additional configuration needed to enable Kerberos authentication in v18? I got a failure message on upgrade startup in the log viewer: Cannot initialize Kerberos authentication with domain." but have not been able to figure out how to troubleshoot it further. Documentation doesn't seem to mention anything. Thanks in advance.
nasm looks at AD configuration and joins the AD domain for Kerberos and sets up a communication channel for NTLM, then sends a message to awarrenhttp and snort (DPI) that AD SSO is available.
awarrenhttp or snort (DPI) determines that a connection should be authenticated with AD SSO and forwards to port 8091
port 8091 is always handled by awarrenhttp, which asks for NTLM/Kerberos credentials
awarrenhttp takes the credentials from and sends them to nasm.
nasm will validate the kerberos ticket or 3-way NTLM messages with the AD server
nasm tells awarrenhttp that the connection is authenticated with a specific user
awarrenhttp tells access_server that a user is authenticated and asks if the user is authorized
access_server says the user is authorized, and now associates that IP with that user
With AD SSO, awarrenhttp is responsible for the communication with the client, nasm is responsible for communication with the AD server, and access_server is responsible for seeing if user has permission to log in and tracking who is logged in.
In this case, if nasm does not think it is configured to AD properly it won't tell the rest of the system that AD SSO is available and the rest won't occur.
Looking at this, it appears that the problem is caused by a missing keytab?
XG135_XN02_SFOS 18.0.0 GA-Build321# grep kerberos /log/nasm.log
Feb 18 13:45:43.359438 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 18 13:45:43.431084 [nasm] initialize_kerberos(): gss_acquire_cred HOST/SOPHOS-XG135-OB@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 18 13:45:43.431443 [nasm] setup_channel(): unable to initialize kerberos
Feb 19 16:15:51.059327 [nasm] close_kerberos
Feb 19 16:15:51.059343 [nasm] close_kerberos(): deinitialized kerberos successfully
Feb 19 16:16:04.348699 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 19 16:16:04.355489 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 19 16:16:04.355575 [nasm] setup_channel(): unable to initialize kerberos
Feb 20 09:25:31.691544 [nasm] close_kerberos
Feb 20 09:25:31.691561 [nasm] close_kerberos(): deinitialized kerberos successfully
Feb 20 09:25:36.837904 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 20 09:25:36.844966 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 20 09:25:36.845049 [nasm] setup_channel(): unable to initialize kerberos
Feb 20 09:26:17.718182 [nasm] close_kerberos
Feb 20 09:26:17.718199 [nasm] close_kerberos(): deinitialized kerberos successfully
Feb 20 09:26:22.494141 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 20 09:26:22.500884 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 20 09:26:22.500956 [nasm] setup_channel(): unable to initialize kerberos
Feb 20 12:29:28.630370 [nasm] close_kerberos
Feb 20 12:29:28.630386 [nasm] close_kerberos(): deinitialized kerberos successfully
Feb 20 12:29:33.824849 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 20 12:29:33.831286 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 20 12:29:33.831376 [nasm] setup_channel(): unable to initialize kerberos
Hi Bill Roland
This appears to be a bug.
Herewith is a workaround that you can try. Please do let us know if it fixes your issue:
Stop the NASM service: service nasm:stop -ds nosync
Remove file /content/nasm: rm -rf /content/nasm
Start the NASM service: service nasm:start -ds nosync
Thanks!
KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
This worked, thanks!KingChris said:Hi Bill Roland
This appears to be a bug.
Herewith is a workaround that you can try. Please do let us know if it fixes your issue:
Stop the NASM service: service nasm:stop -ds nosync
Remove file /content/nasm: rm -rf /content/nasm
Start the NASM service: service nasm:start -ds nosync
Thanks!
messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Successful" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="10.1.10.4" message="Kerberos authentication initialized successfully with BeyersFHC" name="" src_mac=""
Hi Bill Roland
That is great news.
There will be someone reaching out to you to gather details on the history of this device so that development can properly investigate the issue.
Thanks for the feedback!
KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Kerberos authentication requirements
1.) Go to the Local security Policy > Local polices > audit policy > Audit account logon events properties > properties > success and Failure options should be enabled.
2.) Go to gpedit.msc > Default domain controller policy > right click > edit > polices > windows settings > security settings > advanced audit policy > audit policies > account logon > audit kerberos authentication services > properties > success and failure options should be enabled.
Regards,
Karthik K
Hello,
I am trying to setup Kerberos auth for clients and I have next experience :
I have one fresh installation of XG18 in virtual environment; I configured XG, domain and PC with reccomendation listed in several pages; and it works well; PC is able to reach Inetret and I see user in list of Live users AD SSO Kerberos
I have two XGs which were upgraded from version 17.5.x
I went through the same steps like in first case; but these two installations do not work.
I went through troubleshooting steps and see this.
The first one - call it amazon, is OK at AD environment :
C:\Users\inf_podvarka>setspn -L sxgamazon
Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
HTTP/sxgamazon
HTTP/sxgamazon.amazon.local
HOST/sxgamazon.amazon.local
HOST/SXGAMAZON
and from XG it is bad :
XG310_WP02_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
# /oss/klist -e -k /tmp/krb5.keytab
/bin/sh: /oss/klist: not found
#
but after workaround steps :
service nasm:stop -ds nosync
rm -rf /content/nasm
service nasm:start -ds nosync
it seems to be OK :
chroot /content/nasm
/oss/klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-md5)
...
The second one - call it elbe, is OK at AD environment :
C:\Users\podvarka>setspn -L sxgelbe
Registered ServicePrincipalNames for CN=sxgelbe,CN=Computers,DC=elbe,DC=local:
HTTP/sxgelbe.elbe.local
HTTP/sxgelbe
HOST/sxgelbe.elbe.local
HOST/sxgelbe
and from XG it is bad :
XG310_WP03_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
# /oss/klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
#
the same after workaround :
service nasm:stop -ds nosync
rm -rf /content/nasm
service nasm:start -ds nosync
all three XGs has STAS used and it works - conenction to appropriate AD server is OK and functional
there was slight difference in behaviour of adding XG to AD; it was automatical in case of amazon; I had to add HTTP objects (HOST objects were added by system)
I had to add object in case of elbe manually
has anybody of you idea how to solve problem with this ?
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
suppose it is reason of non functionality :
Cannot establish NTLM authentication channel with
Best regards,
Petr
Hello,
small investigation and solution on elbe is quite simple. You have to reseat XG into domain, but nobody told what does it mean and how to do it.
For people who do not know how to do it short explanation connect to XG and change name in SYSTEM - Administration - Admin settings - Hostname. It could cause new computer object in AD will appear. Delete this object and original XG object in AD as well. After that change Hostname to original and this object should appear in computer list again. Check servicePrincipalName in attribute editor od AD object. Check klist at XG - it should work now well. If not, use workaround (rm -rf /content/nasm). Good luck.
Best regards,
Petr
PS for Sophos people - I think that many people would appreciate list of symptoms and most often solution; like "if you see this mesage, you would do this" ; I miss it ...
Hello,
i have a similar environment and am currently switching from utm to xg. In my demo system I am stuck with the web filter. With NTLM/kerberos everything works so far. The users are recognized and you can see the live session and the policy can be created according to the group membership.
But after 3-10 minutes I always have a page again:
gw.demosystem.de:8091/ntlmauth.html
It often helps to close and reopen the browser and it works again. But I can't apply this to the productive environment.
Do you have a tip for this.
Thanks in advance.
Regards,
Alex
