

Set up Kerberos in v18?

Is there any additional configuration needed to enable Kerberos authentication in v18? I got a failure message on upgrade startup in the log viewer: "Cannot initialize Kerberos authentication with domain." but have not been able to figure out how to troubleshoot it further. Documentation doesn't seem to mention anything. Thanks in advance.



  • Can you verify if this request is HTTP or HTTPS?

    Did you add this address to the local intranet zone on the Client? 


  • Hello LuCar Toni, 

    you are so fast. Thanks. 

    The request is HTTPS. In the URL I see https://gw....

    I added it in the Zone as in the documentation (http://gw...) and in other browsers (Chrome, Edge) as the FQDN of the auth server.

  • Did you check the box below "Require https:// for all Sites on this page"? It's a Microsoft setting.
    Another point: Do you use HSTS? So does your client access gw.demosystem.de via port 4444 or port 443 for other modules?
    The client will process HSTS and know this page can do HTTPS, therefore it automatically uses HTTPS, which does not work for NTLM.


  • This is strange.
    The check mark for "Require https:// for all Sites on this page" cannot be set via the GPO for the Intranet zone. If I set the link as https://gw.demosystem.de, it asks directly for the user ID. If I set http://gw.demosystem.de there, the effect is as described above.
    In the demo system I only use the web filter, but with HTTPS decryption.
    The error occurs when using Kerberos/NTLM and only NTLM.
    Is there a way to disable HSTS for XG in the browser?

    Translated with www.DeepL.com/Translator (free version)

  • You need to set http:// into the intranet sites. 

    And you need to clear the HSTS Cache and retry it. See: https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/


  • Hello,

    now I understand what you mean and it makes sense.

    Now I have cleared the HSTS cache. It looks like it works now. Amazing how much time it took me to search and you have the solution in 5 minutes.

    What a pity that this is not documented anywhere.

    I will build another demo environment in the near future and try to document this and provide a manual here in the community. I don't really like the Sophos own manual. For example, according to their manual you should enable automatic login with username and password in the Internet Zone of your browser.

    Thanks again Lucar Toni. This is my second time in the community and both were very helpful.

    Is there virtual beer? I'd like to buy you one. ;)

  • Hello,

    we have entered our firewall in the intranet sites via the GPO as follows:
    http://fw_name.domain.???
    https://fw_name.domain.????

    At the first start everything works. After logging on to the user portal or the WebAdmin portal the error occurs afterwards. When the HSTS is checked, the entry is available again. After deleting it, access works again. As long as no user opens the portal, the access always works.

    Before v18 this worked fine. Was there any change?

    With the Microsoft browsers there are no problems. Additionally we noticed the following:
    If the error occurs in Chrome, and we start IE for example, the access with Chrome works again.

    Translated with www.DeepL.com/Translator (free version)

    Best Regards

  • We have the same problem as Alexander.

  • It's actually a matter of HSTS. Does your client open XGs all the time for other facilities? So does the browser know it can reach the NTLM hostname via HTTPS?


  • Hello Dieter,

    I actually solved the puzzle with Lucar's help and my problem is solved.

    Via the GPO you may only distribute the link as http://fw...

    And you are not allowed to access the firewall with that name from the client over HTTPS anymore, because otherwise the browsers will save the name as HSTS and from then on only want to log in via HTTPS. And then the NTLM authentication fails.

    If you still use the firewall as a user portal you have to think about which DNS names you want to store in the certificate, e.g. fw.xg.de for NTLM/Kerberos, portal.xg.de for the user portal and xgadmin.xg.de for admin access via port 4444, which is also HTTPS.

    Many greetings

    Translated with www.DeepL.com/Translator (free version)
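An added example (not from this thread or from Sophos) that models the HSTS behaviour the posts above describe: once a browser has loaded the user portal over HTTPS on the same name the http:// NTLM redirect uses, it keeps upgrading that name until the HSTS entry is cleared, while separate DNS names keep the portal's HSTS away from the auth host. The hostnames are the ones quoted in the thread; the header values are constructed, and the cache logic follows RFC 6797 (exact host match, or a parent domain with includeSubDomains).

```python
import re
from dataclasses import dataclass, field


@dataclass
class HstsCache:
    """Per-host HSTS state a browser keeps after seeing an HTTPS response (RFC 6797)."""
    entries: dict = field(default_factory=dict)  # host -> includeSubDomains flag

    def observe(self, host: str, sts_header: str = "") -> None:
        """Record a Strict-Transport-Security header received over HTTPS from host."""
        m = re.search(r"max-age\s*=\s*(\d+)", sts_header, re.I)
        if not m:
            return
        if int(m.group(1)) == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = bool(re.search(r"\bincludeSubDomains\b", sts_header, re.I))

    def is_upgraded(self, host: str) -> bool:
        """True if the browser rewrites http://host to https:// (exact match or parent with includeSubDomains)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            flag = self.entries.get(".".join(labels[i:]))
            if flag is not None and (i == 0 or flag):
                return True
        return False


def ntlm_auth_works(cache: HstsCache, auth_host: str) -> bool:
    """The transparent-auth redirect is plain http://auth_host; NTLM breaks once HSTS upgrades it."""
    return not cache.is_upgraded(auth_host)


def scenario_shared_name() -> tuple:
    """Portal and auth share gw.demosystem.de: works, breaks after a portal login, works after clearing."""
    cache = HstsCache()
    before = ntlm_auth_works(cache, "gw.demosystem.de")
    cache.observe("gw.demosystem.de", "max-age=31536000")  # constructed user-portal response header
    after_portal = ntlm_auth_works(cache, "gw.demosystem.de")
    cache.entries.clear()  # what "clear the HSTS cache" in the thread does
    return before, after_portal, ntlm_auth_works(cache, "gw.demosystem.de")


def scenario_split_names() -> tuple:
    """Separate names as in the last post: portal/admin HSTS leaves fw.xg.de alone, unless the parent zone pins subdomains."""
    cache = HstsCache()
    cache.observe("portal.xg.de", "max-age=31536000; includeSubDomains")
    cache.observe("xgadmin.xg.de", "max-age=31536000")
    split_ok = ntlm_auth_works(cache, "fw.xg.de")
    cache.observe("xg.de", "max-age=31536000; includeSubDomains")  # constructed: parent domain pins all subdomains
    return split_ok, ntlm_auth_works(cache, "fw.xg.de")
```

The second value of `scenario_split_names()` shows the one caveat to the split-name plan: an HSTS entry with includeSubDomains on the parent domain still catches the auth host.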