

Set up Kerberos in v18?

Is there any additional configuration needed to enable Kerberos authentication in v18? I got a failure message on upgrade startup in the log viewer: "Cannot initialize Kerberos authentication with domain." but have not been able to figure out how to troubleshoot it further. The documentation doesn't seem to mention anything. Thanks in advance.



  • 1. nasm looks at the AD configuration, joins the AD domain for Kerberos and sets up a communication channel for NTLM, then sends a message to awarrenhttp and snort (DPI) that AD SSO is available.
    2. awarrenhttp or snort (DPI) determines that a connection should be authenticated with AD SSO and forwards it to port 8091.
    3. Port 8091 is always handled by awarrenhttp, which asks for NTLM/Kerberos credentials.
    4. awarrenhttp takes the credentials and sends them to nasm.
    5. nasm validates the Kerberos ticket or the 3-way NTLM messages with the AD server.
    6. nasm tells awarrenhttp that the connection is authenticated as a specific user.
    7. awarrenhttp tells access_server that a user is authenticated and asks if the user is authorized.
    8. access_server says the user is authorized, and now associates that IP with that user.

    With AD SSO, awarrenhttp is responsible for the communication with the client, nasm is responsible for communication with the AD server, and access_server is responsible for seeing if user has permission to log in and tracking who is logged in.


    In this case, if nasm does not think it is configured to AD properly it won't tell the rest of the system that AD SSO is available and the rest won't occur.

  • Looking at this, it appears that the problem is caused by a missing keytab?

    XG135_XN02_SFOS 18.0.0 GA-Build321# grep kerberos /log/nasm.log
    Feb 18 13:45:43.359438 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
    Feb 18 13:45:43.431084 [nasm] initialize_kerberos(): gss_acquire_cred HOST/SOPHOS-XG135-OB@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
    Feb 18 13:45:43.431443 [nasm] setup_channel(): unable to initialize kerberos
    Feb 19 16:15:51.059327 [nasm] close_kerberos
    Feb 19 16:15:51.059343 [nasm] close_kerberos(): deinitialized kerberos successfully
    Feb 19 16:16:04.348699 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
    Feb 19 16:16:04.355489 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
    Feb 19 16:16:04.355575 [nasm] setup_channel(): unable to initialize kerberos
    Feb 20 09:25:31.691544 [nasm] close_kerberos
    Feb 20 09:25:31.691561 [nasm] close_kerberos(): deinitialized kerberos successfully
    Feb 20 09:25:36.837904 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
    Feb 20 09:25:36.844966 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
    Feb 20 09:25:36.845049 [nasm] setup_channel(): unable to initialize kerberos
    Feb 20 09:26:17.718182 [nasm] close_kerberos
    Feb 20 09:26:17.718199 [nasm] close_kerberos(): deinitialized kerberos successfully
    Feb 20 09:26:22.494141 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
    Feb 20 09:26:22.500884 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
    Feb 20 09:26:22.500956 [nasm] setup_channel(): unable to initialize kerberos
    Feb 20 12:29:28.630370 [nasm] close_kerberos
    Feb 20 12:29:28.630386 [nasm] close_kerberos(): deinitialized kerberos successfully
    Feb 20 12:29:33.824849 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
    Feb 20 12:29:33.831286 [nasm] initialize_kerberos(): gss_acquire_cred HOST/FW-XG135-OBO@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
    Feb 20 12:29:33.831376 [nasm] setup_channel(): unable to initialize kerberos

  • Hi

    This appears to be a bug.

    Herewith is a workaround that you can try.  Please do let us know if it fixes your issue:

    Stop the NASM service: service nasm:stop -ds nosync

    Remove file /content/nasm: rm -rf /content/nasm

    Start the NASM service: service nasm:start -ds nosync

    Thanks!

    KingChris
    Community Support | Sophos Support


  • KingChris said:

    Hi

    This appears to be a bug.

    Herewith is a workaround that you can try.  Please do let us know if it fixes your issue:

    Stop the NASM service: service nasm:stop -ds nosync

    Remove file /content/nasm: rm -rf /content/nasm

    Start the NASM service: service nasm:start -ds nosync

    Thanks!


    This worked, thanks!


    messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Successful" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="10.1.10.4" message="Kerberos authentication initialized successfully with BeyersFHC" name="" src_mac=""
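    An added example, not code from this thread or from Sophos: a small Python checker that reads nasm.log lines of the shape quoted earlier in the thread and the AD SSO event line above, so the missing-keytab failure and the post-workaround success can be confirmed from the logs rather than by eye. The sample lines are constructed from the excerpts in this thread.

```python
import re

# Constructed samples, shaped after the nasm.log excerpt and the AD SSO event line quoted in this thread.
SAMPLE_NASM_LOG = """\
Feb 18 13:45:43.359438 [nasm] initialize_kerberos(): realm = BEYERSFHC.COM
Feb 18 13:45:43.431084 [nasm] initialize_kerberos(): gss_acquire_cred HOST/SOPHOS-XG135-OB@BEYERSFHC.COM: Key table file '/etc/krb5.keytab' not found
Feb 18 13:45:43.431443 [nasm] setup_channel(): unable to initialize kerberos
Feb 19 16:15:51.059327 [nasm] close_kerberos
Feb 19 16:15:51.059343 [nasm] close_kerberos(): deinitialized kerberos successfully
"""
SAMPLE_XG_EVENT = ('messageid="17945" log_type="Event" log_component="AD SSO" '
                   'log_subtype="Authentication" status="Successful" src_ip="10.1.10.4" '
                   'message="Kerberos authentication initialized successfully with BeyersFHC"')

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+) \[nasm\] (?P<func>\w+)(?:\(\))?:? ?(?P<msg>.*)$")
KEYTAB_RE = re.compile(r"gss_acquire_cred (?P<princ>\S+): Key table file '(?P<path>[^']+)' not found")

def parse_nasm_log(text):
    """Split nasm.log into (timestamp, function, message) records; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose_kerberos(events):
    """Summarise the most recent initialise attempt: realm, principal, keytab path, failure flag."""
    state = {"realm": None, "principal": None, "missing_keytab": None, "init_failed": False}
    for ev in events:
        if ev["func"] == "initialize_kerberos":
            realm = re.match(r"realm = (\S+)", ev["msg"])
            if realm:  # a "realm =" line starts a new attempt, so the previous verdict is reset
                state.update(realm=realm.group(1), principal=None, missing_keytab=None, init_failed=False)
            kt = KEYTAB_RE.search(ev["msg"])
            if kt:
                state["principal"], state["missing_keytab"] = kt.group("princ", "path")
        elif ev["func"] == "setup_channel" and "unable to initialize kerberos" in ev["msg"]:
            state["init_failed"] = True
    return state

def parse_xg_event(line):
    """Turn an XG key="value" event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def kerberos_initialized(event):
    """True when the AD SSO event confirms Kerberos came up, which is what to expect after the workaround."""
    return (event.get("log_component") == "AD SSO"
            and event.get("message", "").startswith("Kerberos authentication initialized successfully"))
```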

  • Hi

    That is great news.

    There will be someone reaching out to you to gather details on the history of this device so that development can properly investigate the issue.

    Thanks for the feedback!

    KingChris
    Community Support | Sophos Support


  • I experienced the same exact issue and this same item fixed our issue. Should we open a case?

  • Kerberos authentication requirements

    1. What is the requirement for enabling "Audit Kerberos Authentication Service" in AD?
    2. How many days do we need to retain these logs on each domain controller?

    1.) Go to Local Security Policy > Local Policies > Audit Policy > Audit account logon events > Properties; the Success and Failure options should be enabled.

    2.) Go to gpedit.msc > Default Domain Controllers Policy > right click > Edit > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Audit Policies > Account Logon > Audit Kerberos Authentication Service > Properties; the Success and Failure options should be enabled.

    Regards,

    Karthik K

  • Hello,

    I am trying to set up Kerberos auth for clients and this is my experience:
    I have one fresh installation of XG18 in a virtual environment; I configured the XG, domain and PC following the recommendations listed on several pages, and it works well; the PC is able to reach the Internet and I see the user in the list of Live users as AD SSO Kerberos.


    I have two XGs which were upgraded from version 17.5.x.

    I went through the same steps as in the first case, but these two installations do not work.

    I went through the troubleshooting steps and see this.

    The first one, call it amazon, is OK in the AD environment:

    C:\Users\inf_podvarka>setspn -L sxgamazon
    Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
    HTTP/sxgamazon
    HTTP/sxgamazon.amazon.local
    HOST/sxgamazon.amazon.local
    HOST/SXGAMAZON

    and from the XG it is bad:

    XG310_WP02_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
    # /oss/klist -e -k /tmp/krb5.keytab
    /bin/sh: /oss/klist: not found
    #

    but after the workaround steps:

    service nasm:stop -ds nosync
    rm -rf /content/nasm
    service nasm:start -ds nosync

    it seems to be OK:

    chroot /content/nasm
    /oss/klist -e -k /tmp/krb5.keytab
    Keytab name: FILE:/tmp/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
    3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
    3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-md5)
    ...


    The second one, call it elbe, is OK in the AD environment:

    C:\Users\podvarka>setspn -L sxgelbe
    Registered ServicePrincipalNames for CN=sxgelbe,CN=Computers,DC=elbe,DC=local:
    HTTP/sxgelbe.elbe.local
    HTTP/sxgelbe
    HOST/sxgelbe.elbe.local
    HOST/sxgelbe

    and from the XG it is bad:


    XG310_WP03_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
    # /oss/klist -e -k /tmp/krb5.keytab
    Keytab name: FILE:/tmp/krb5.keytab
    klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
    #

    the same after the workaround:

    service nasm:stop -ds nosync
    rm -rf /content/nasm
    service nasm:start -ds nosync

    All three XGs have STAS in use and it works: the connection to the appropriate AD server is OK and functional.

    There was a slight difference in the behaviour when adding the XG to AD: it was automatic in the case of amazon; I had to add the HTTP objects (the HOST objects were added by the system).

    I had to add the object manually in the case of elbe.

    Does anybody have an idea how to solve the problem with this?
    klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan

    I suppose it is the reason for the non-functionality:

    Cannot establish NTLM authentication channel with

    Best regards,

    Petr
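    An added example, not code from the post or from Sophos: a Python comparison of the SPNs that `setspn -L` reports in AD against the principals that `klist -k` finds in the XG keytab, which makes the amazon/elbe difference above a mechanical check instead of a visual one. It also flags legacy DES/RC4 keytab entries, since the des-cbc-* types in the klist output are disabled by default on current domain controllers. The sample outputs are constructed after the ones quoted above.

```python
import re

# Constructed samples, shaped after the setspn and klist output quoted in the post above.
SETSPN_AMAZON = """\
Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
HTTP/sxgamazon
HTTP/sxgamazon.amazon.local
HOST/sxgamazon.amazon.local
HOST/SXGAMAZON
"""
KLIST_AMAZON = """\
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
   3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
   3 HOST/sxgamazon.amazon.local@amazon.LOCAL (aes256-cts-hmac-sha1-96)
"""
KLIST_ELBE = """\
Keytab name: FILE:/tmp/krb5.keytab
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
"""
# DES is disabled by default on current DCs and RC4 is deprecated; tickets for these keys will fail or be refused.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}
KLIST_ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>[^@\s]+)@(?P<realm>\S+)\s+\((?P<etype>[^)]+)\)")

def parse_setspn(text):
    """SPNs listed by `setspn -L`: every service/host line after the header."""
    return [ln.strip() for ln in text.splitlines() if "/" in ln and not ln.startswith("Registered")]

def keytab_missing(klist_text):
    """True for the elbe symptom: klist could not open the keytab at all."""
    return "Key table file" in klist_text and "not found" in klist_text

def parse_klist(klist_text):
    """One record per keytab entry: kvno, principal (no realm), realm, enctype."""
    return [m.groupdict() for m in map(KLIST_ENTRY_RE.match, klist_text.splitlines()) if m]

def missing_keytab_principals(spns, entries):
    """AD SPNs with no key in the keytab; compared case-insensitively, as AD matches SPNs that way."""
    have = {e["princ"].lower() for e in entries}
    return sorted(s for s in spns if s.lower() not in have)

def legacy_enctype_entries(entries):
    """Principals that only clients negotiating DES/RC4 could use; expect AES entries alongside them."""
    return sorted({e["princ"] for e in entries if e["etype"].lower() in LEGACY_ENCTYPES})
```

    An empty keytab (the elbe case) reports every AD SPN as missing, which is the same verdict nasm reaches when it logs "unable to initialize kerberos".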

  • Hello,

    A small investigation, and the solution on elbe is quite simple. You have to reseat the XG into the domain, but nobody told what that means and how to do it.

    For people who do not know how to do it, a short explanation: connect to the XG and change the name in SYSTEM - Administration - Admin settings - Hostname. This could cause a new computer object to appear in AD. Delete this object and the original XG object in AD as well. After that, change the Hostname back to the original and this object should appear in the computer list again. Check servicePrincipalName in the attribute editor of the AD object. Check klist on the XG; it should work well now. If not, use the workaround (rm -rf /content/nasm). Good luck.

    Best regards,

    Petr

    PS for Sophos people: I think many people would appreciate a list of symptoms and the most common solution, like "if you see this message, do this"; I miss it ...

  • Hello,

    I have a similar environment and am currently switching from UTM to XG. In my demo system I am stuck with the web filter. With NTLM/Kerberos everything works so far. The users are recognized, you can see the live session, and the policy can be created according to group membership.
    But after 3-10 minutes I always get this page again:
    gw.demosystem.de:8091/ntlmauth.html
    It often helps to close and reopen the browser, and then it works again. But I can't apply this to the production environment.
    Do you have a tip for this?
    Thanks in advance.

    Regards,

    Alex