Set up Kerberos in v18?

Is there any additional configuration needed to enable Kerberos authentication in v18? I got a failure message on upgrade startup in the log viewer: "Cannot initialize Kerberos authentication with domain." but have not been able to figure out how to troubleshoot it further. The documentation doesn't seem to mention anything. Thanks in advance.



  • Kerberos authentication requirements

    1. What is the requirement for enabling “Audit Kerberos Authentication Service” in AD?
    2. How many days do we need to retain these logs on each domain controller?

    1.) Go to Local Security Policy > Local Policies > Audit Policy > Audit account logon events > Properties; the Success and Failure options should be enabled.

    2.) Go to gpedit.msc > Default Domain Controllers Policy > right click > Edit > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Audit Policies > Account Logon > Audit Kerberos Authentication Service > Properties; the Success and Failure options should be enabled.

    Regards,

    Karthik K

  • Hello,

    I am trying to set up Kerberos auth for clients and I have had the following experience:
    I have one fresh installation of XG18 in a virtual environment; I configured the XG, the domain and the PC with the recommendations listed on several pages, and it works well; the PC is able to reach the Internet and I see the user in the list of Live users as AD SSO Kerberos.


    I have two XGs which were upgraded from version 17.5.x.

    I went through the same steps as in the first case, but these two installations do not work.

    I went through the troubleshooting steps and see this.

    The first one - call it amazon - is OK in the AD environment:

    C:\Users\inf_podvarka>setspn -L sxgamazon
    Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
    HTTP/sxgamazon
    HTTP/sxgamazon.amazon.local
    HOST/sxgamazon.amazon.local
    HOST/SXGAMAZON

    and from the XG it is bad:

    XG310_WP02_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
    # /oss/klist -e -k /tmp/krb5.keytab
    /bin/sh: /oss/klist: not found
    #

    but after the workaround steps:

    service nasm:stop -ds nosync
    rm -rf /content/nasm
    service nasm:start -ds nosync

    it seems to be OK:

    chroot /content/nasm
    /oss/klist -e -k /tmp/krb5.keytab
    Keytab name: FILE:/tmp/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
    3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
    3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-md5)
    ...


    The second one - call it elbe - is OK in the AD environment:

    C:\Users\podvarka>setspn -L sxgelbe
    Registered ServicePrincipalNames for CN=sxgelbe,CN=Computers,DC=elbe,DC=local:
    HTTP/sxgelbe.elbe.local
    HTTP/sxgelbe
    HOST/sxgelbe.elbe.local
    HOST/sxgelbe

    and from the XG it is bad:


    XG310_WP03_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
    # /oss/klist -e -k /tmp/krb5.keytab
    Keytab name: FILE:/tmp/krb5.keytab
    klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
    #

    the same after the workaround:

    service nasm:stop -ds nosync
    rm -rf /content/nasm
    service nasm:start -ds nosync

    all three XGs have STAS in use and it works - the connection to the appropriate AD server is OK and functional

    there was a slight difference in behaviour when adding the XG to AD; it was automatic in the case of amazon; I had to add the HTTP objects (the HOST objects were added by the system)

    I had to add the object manually in the case of elbe

    does anybody have an idea how to solve the problem with this?
    klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan

    I suppose it is the reason for the non-functionality:

    Cannot establish NTLM authentication channel with

    Best regards,

    Petr
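The keytab-versus-SPN comparison Petr walks through above, automated as an added example (my own code, not Sophos's): it parses the `setspn -L` and `klist -e -k` output shown in the post, reports SPNs that AD has registered but the keytab holds no key for, recognises the missing-keytab error from the elbe case, and flags deprecated DES/RC4 enctypes. The sample outputs are constructed from the lines visible in the thread; the helper names are mine.

```python
import re

# Constructed sample output modelled on the thread's "amazon" case: AD has
# HTTP/ and HOST/ SPNs registered, but the keytab on the XG holds HOST/ keys only.
SETSPN_OUT = """Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
HTTP/sxgamazon
HTTP/sxgamazon.amazon.local
HOST/sxgamazon.amazon.local
HOST/SXGAMAZON
"""
KLIST_OUT = """Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-md5)
"""
# The "elbe" case: klist cannot open the keytab at all.
KLIST_MISSING = """Keytab name: FILE:/tmp/krb5.keytab
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
"""

# Single-DES and RC4 enctypes are deprecated (RFC 6649 / RFC 8429); flag them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")

def parse_setspn(text):
    """SPNs listed by `setspn -L`, lower-cased because AD matches SPNs case-insensitively."""
    return {line.strip().lower() for line in text.splitlines() if "/" in line}

def parse_klist(text):
    """Return (entries, error); entries are (kvno, principal, realm, enctype) tuples."""
    if "not found while starting keytab scan" in text:
        return [], "keytab missing"
    rows = (KLIST_ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2].lower(), m[3], m[4]) for m in rows if m], None

def audit_keytab(setspn_text, klist_text):
    """Report SPNs registered in AD with no key in the keytab, plus weak enctypes."""
    registered = parse_setspn(setspn_text)
    entries, err = parse_klist(klist_text)
    if err:
        return {"error": err, "missing": sorted(registered), "weak": []}
    in_keytab = {spn for _, spn, _, _ in entries}
    weak = {enc for _, _, _, enc in entries if enc in WEAK_ENCTYPES}
    return {"error": None, "missing": sorted(registered - in_keytab), "weak": sorted(weak)}
```

Run it against the real outputs by pasting them into the two constants; an empty "missing" list and an empty "weak" list is the state you want before enabling Kerberos SSO.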

  • Hello,

    after a small investigation, the solution on elbe is quite simple. You have to re-seat the XG in the domain, but nobody said what that means or how to do it.

    For people who do not know how to do it, a short explanation: connect to the XG and change the name in SYSTEM - Administration - Admin settings - Hostname. It may cause a new computer object to appear in AD. Delete this object and the original XG object in AD as well. After that, change the Hostname back to the original and the object should appear in the computer list again. Check servicePrincipalName in the attribute editor of the AD object. Check klist on the XG - it should work well now. If not, use the workaround (rm -rf /content/nasm). Good luck.

    Best regards,

    Petr

    PS for Sophos people - I think that many people would appreciate a list of symptoms and the most common solution, like "if you see this message, do this"; I miss it ...

  • Hello,

    I have a similar environment and am currently switching from UTM to XG. In my demo system I am stuck with the web filter. With NTLM/Kerberos everything works so far. The users are recognised, you can see the live session, and the policy can be created according to the group membership.
    But after 3-10 minutes I always get this page again:
    gw.demosystem.de:8091/ntlmauth.html
    It often helps to close and reopen the browser and it works again. But I can't apply this to the productive environment.
    Do you have a tip for this?
    Thanks in advance.

    Regards,

    Alex 

  • Can you verify whether this request is HTTP or HTTPS?

    Did you add this address to the local intranet zone on the client?


  • Hello LuCar Toni, 

    you are so fast. Thanks.

    The request is https. In the URL I see https://gw....

    I added it in the zone as in the documentation (http://gw...) and in the other browsers (Chrome, Edge) as the FQDN of the auth server.

  • Did you check the box below, "Require https:// for all Sites on this page"? It's a Microsoft setting.
    Another point: do you use HSTS? So does your client access this gw.demosystem.de via port 4444 or port 443 for other modules?
    The client will process HSTS and know this page can do HTTPS, therefore it automatically uses HTTPS, which does not work for NTLM.


  • This is strange.
    The hack on
    "Require https:// for all Sites on this page"
    cannot be set via the GPO for the Intranet zone. If I set the link as https://gw.demosystem.de, it asks directly for the user ID. If I set http://gw.demosystem.de there, the effect is as described above.
    In the demo system I only use the web filter, but with HTTPS decryption.
    The error occurs when using Kerberos/NTLM and also with NTLM only.
    Is there a way to disable HSTS for the XG in the browser?

    Translated with www.DeepL.com/Translator (free version)

  • You need to put http:// into the intranet sites.

    And you need to clear the HSTS cache and retry. See: https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/


  • Hello,

    now I understand what you mean and it makes sense.

    Now I have cleared the HSTS cache. It looks like it works now. Amazing how much time it took me to search and you have the solution in 5 minutes.

    What a pity that this is not documented anywhere.

    I will build another demo environment in the near future and try to document this and provide a manual here in the community. I don't really like the Sophos own manual. For example, according to their manual you should enable automatic login with username and password in the Internet Zone of your browser.

    Thanks again Lucar Toni. This is my second time in the community and both were very helpful.

    Is there virtual beer? I'd like to buy you one. ;)

  • Hello,

    we have entered our firewall via the GPO in the intranet sites as follows:
    http://fw_name.domain.???
    https://fw_name.domain.????

    At first everything works. After logging on to the user portal or the WebAdmin portal, the error occurs afterwards. When HSTS is checked, the entry is there again. After deleting it, access works again. As long as no user opens the portal, access always works.

    Before v18 this worked fine. Was there any change?

    With the Microsoft browsers there are no problems. Additionally we noticed the following:
    if the error occurs in Chrome and we start IE, for example, access with Chrome works again.

    Translated with www.DeepL.com/Translator (free version)

    Best Regards

  • We have the same problem as Alexander.

  • It's actually a matter of HSTS. Does your client open the XG all the time for other facilities? So does the browser know it can reach the NTLM hostname via HTTPS?


  • Hello Dieter,

    I actually solved the puzzle with Lucar's help and my problem is solved.

    Regarding the GPO, you may only distribute the link as http://fw....

    And you are not allowed to access the firewall with that name from the client over HTTPS anymore, because otherwise the browsers will save the name as HSTS and from then on only want to log in via HTTPS, and then the NTLM authentication fails.

    If you still use the firewall as a user portal you have to think about which DNS names you want to store in the certificate, e.g. fw.xg.de for NTLM/Kerberos, portal.xg.de for the user portal and xgadmin.xg.de for admin access via port 4444, which is also https.

    Many greetings

    Translated with www.DeepL.com/Translator (free version)
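The HSTS behaviour LuCar Toni and Petr describe above, modelled as an added example (my own code, not Sophos's): a tiny browser HSTS store that records Strict-Transport-Security policies seen over HTTPS and decides whether an http:// request to the NTLM page would be silently upgraded. It goes slightly beyond the thread by also covering a parent-domain policy with includeSubDomains, which defeats the separate-hostname split. The /webconsole and /userportal paths and the header values are assumptions.

```python
from urllib.parse import urlsplit

class HstsCache:
    """Minimal model of a browser HSTS store (RFC 6797): per host, port-independent."""

    def __init__(self):
        self.entries = {}  # host -> includeSubDomains flag

    def record(self, url, header):
        """Store the Strict-Transport-Security policy a host sent on an HTTPS response."""
        parts = urlsplit(url)
        if parts.scheme != "https":  # a policy seen over plain HTTP is ignored
            return
        directives = {}
        for d in header.split(";"):
            name, _, value = d.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        host = parts.hostname.lower()
        if int(directives.get("max-age", "0")) == 0:
            self.entries.pop(host, None)  # max-age=0 deletes a stored policy
        else:
            self.entries[host] = "includesubdomains" in directives

    def is_upgraded(self, url):
        """Would the browser rewrite this http:// URL to https:// before sending it?"""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            policy = self.entries.get(".".join(labels[i:]))
            if policy is not None and (i == 0 or policy):
                return True
        return False

def ntlm_breaks_after(https_visits, ntlm_host):
    """Replay (url, HSTS header) pairs from HTTPS visits and report whether the
    http:// NTLM page on ntlm_host would afterwards be forced onto HTTPS."""
    cache = HstsCache()
    for url, header in https_visits:
        cache.record(url, header)
    return cache.is_upgraded(f"http://{ntlm_host}:8091/ntlmauth.html")

# Constructed scenarios using the hostnames and ports mentioned in the thread.
ONE_NAME = [("https://gw.demosystem.de:4444/webconsole", "max-age=31536000")]
SPLIT_NAMES = [("https://portal.xg.de/userportal", "max-age=31536000"),
               ("https://xgadmin.xg.de:4444/webconsole", "max-age=31536000")]
PARENT_POLICY = [("https://xg.de/", "max-age=31536000; includeSubDomains")]
```

Because HSTS is keyed on the hostname alone, a WebAdmin visit on port 4444 is enough to break the NTLM page on port 8091 for the same name; that is why the split names work and a wildcard-style parent policy does not.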

  • Hello Alexander,

    I had changed, under Admin settings, the redirect to the captive portal. I now use the IP address. That works.

    Many greetings,

    Dieter