
AD SSO over Kerberos not working

Hello,

I have done a setup with a cluster of 3300 appliances.

For authentication I have configured an Active Directory domain controller, joined the domain, imported the groups and activated AD SSO on the zones.

In the Auth-Log the NTLM and Kerberos channels are successfully shown, but when a client tries to go to a webpage, the authentication window appears for authentication over NTLM. No clients can authenticate over Kerberos.

On the domain controller I ran Wireshark and I see the requests from the firewall to the DC. But the answer of the domain controller is the following:

KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG

The UDP packet length is between 188 and 295 bytes. I'm sure that is not too big. I was hoping that the problem could be resolved by increasing the value for the max packet size for Kerberos like on this page, but it did not help.

Does anybody know a solution for this?

Thanks
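As an added example (not code from this thread or from Sophos), here is a small DER walker that decodes a Kerberos KRB-ERROR message (RFC 4120 section 5.9.1) and extracts its error-code, so a reply that Wireshark labels KRB5KRB_ERR_RESPONSE_TOO_BIG can be checked by hand. Worth knowing when reading such a capture: per RFC 4120 section 7.2.1 the KDC sends error code 52 when its own reply (for example a ticket carrying a large PAC) would not fit in a UDP datagram, regardless of how small the request was, and the client is expected to retry the exchange over TCP. The KRB-ERROR bytes below are constructed with the tiny encoder in the file, not taken from a real capture; the realm and service names are made up.

```python
"""Minimal DER parser for Kerberos KRB-ERROR messages (RFC 4120 section 5.9.1).

Added example, not code from the original thread. The sample message is
constructed with the small encoder below; it is not a real KDC capture.
"""

# Error codes from RFC 4120 section 7.5.9 (subset)
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
    68: "KDC_ERR_WRONG_REALM",
}


# ---- tiny DER encoder, only used to build the constructed sample ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # minimal two's-complement encoding (non-negative values only here)
    return _tlv(0x02, v.to_bytes((v.bit_length() // 8) + 1, "big", signed=True))


def _ctx(n, body):
    # context-specific, constructed tag [n]
    return _tlv(0xA0 | n, body)


def build_krb_error(error_code, realm, sname_parts, stime="20240101120000Z", susec=0):
    """Encode a KRB-ERROR carrying only the mandatory fields (for testing)."""
    sname = _tlv(0x30, _ctx(0, _der_int(2))  # name-type NT-SRV-INST
                 + _ctx(1, _tlv(0x30, b"".join(_tlv(0x1B, p.encode()) for p in sname_parts))))
    seq = (_ctx(0, _der_int(5))                 # pvno
           + _ctx(1, _der_int(30))              # msg-type KRB-ERROR
           + _ctx(4, _tlv(0x18, stime.encode()))  # stime (GeneralizedTime)
           + _ctx(5, _der_int(susec))           # susec
           + _ctx(6, _der_int(error_code))      # error-code
           + _ctx(9, _tlv(0x1B, realm.encode()))  # realm (GeneralString)
           + _ctx(10, sname))                   # sname
    return _tlv(0x7E, _tlv(0x30, seq))  # [APPLICATION 30] constructed = 0x7E


# ---- decoder ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def parse_krb_error(msg):
    """Decode a KRB-ERROR and return the fields this parser understands."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR: expected tag 0x7E, got 0x%02x" % tag)
    seq_tag, seq, _ = _read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out = {}
    for ctag, cval in _iter_tlvs(seq):
        field = ctag & 0x1F          # context tag number [n]
        _, inner, _ = _read_tlv(cval, 0)
        if field == 0:
            out["pvno"] = int.from_bytes(inner, "big", signed=True)
        elif field == 1:
            out["msg_type"] = int.from_bytes(inner, "big", signed=True)
        elif field == 4:
            out["stime"] = inner.decode()
        elif field == 6:
            code = int.from_bytes(inner, "big", signed=True)
            out["error_code"] = code
            out["error_name"] = KRB_ERROR_CODES.get(code, "UNKNOWN(%d)" % code)
        elif field == 9:
            out["realm"] = inner.decode()
        elif field == 10:  # PrincipalName: [1] SEQUENCE OF KerberosString
            parts = []
            for t, v in _iter_tlvs(inner):
                if (t & 0x1F) == 1:
                    _, lst, _ = _read_tlv(v, 0)
                    parts = [s.decode() for _, s in _iter_tlvs(lst)]
            out["sname"] = "/".join(parts)
    if out.get("msg_type") != 30:
        raise ValueError("msg-type %r is not KRB-ERROR (30)" % out.get("msg_type"))
    return out


def retry_transport_hint(parsed):
    """RFC 4120 s7.2.1: on KRB_ERR_RESPONSE_TOO_BIG the client retries over TCP."""
    return "tcp" if parsed.get("error_code") == 52 else "none"


# Constructed sample: the error a KDC returns over UDP when its reply is too large.
SAMPLE = build_krb_error(52, "EXAMPLE.LOCAL", ["krbtgt", "EXAMPLE.LOCAL"])

if __name__ == "__main__":
    info = parse_krb_error(SAMPLE)
    print(info, "-> retry over", retry_transport_hint(info))
```

To use it on a real capture, export the Kerberos payload bytes of the KDC's reply from Wireshark and pass them to `parse_krb_error`; the parser checks the outer tag, so anything that is not a KRB-ERROR (for instance an AS-REP) is rejected with an explanatory error rather than mis-decoded.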



  • If you have an HA, the primary does a Join with the hostname of the cluster. The auxiliary does a Join with SOPHOS[random]. After that, the primary syncs the Kerberos ticket to the Aux.

    There are known issues with the synchronization, which means during failover you might see SOPHOS[random] being tried and failing. There will be improvements to this in 20.0 MR2.
