05-27-2021 01:16 PM
Hello,
We are having an issue with our endpoints not authenticating against our WSA. Only users on the modern versions of Windows (20H2) are getting a login prompt from our WSA. It's happening almost every time users attempt any sort of internet connection that isn't on any of our allowlists. If anyone has seen this before or could point me in the right direction that would be incredibly helpful.
WSA Version: 11.8.3-018
Thank you.
06-07-2021 09:00 AM
Hello,
What do you see in the Log Subscription Authentication Framework Logs?
You can make a TCPdump to see what happens in the authentication process with the Proxy. Compare the non-working dump with a working dump to see what's different.
Do you have these workstations in different subnets? If yes, check in your Identification Profiles whether the correct subnets are present.
Regards,
Robin
06-09-2021 06:26 AM
Hi Robin,
Thanks for the reply. All endpoints are in the same subnet, so that shouldn't be the issue. When looking at the authentication logs, I see something that looks like Kerberos issues:
Tue Jun 8 08:33:12 2021 Warning: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: failed to decrypt ticket
Tue Jun 8 08:33:12 2021 Critical: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: verify ticket failed
Tue Jun 8 08:45:22 2021 Info: PROX_AUTH : 7944356 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.147)
Tue Jun 8 09:00:27 2021 Info: PROX_AUTH : 7962229 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.133)
06-10-2021 02:40 AM
Hi,
You can ignore the message "krb5_verify_ap_req2: verify ticket failed". It is intended behavior and has no real performance impact on the authentication process. Unfortunately you can't filter this message out from the proxy logs. A request (CSCvx96104) is running for this.
The other message doesn't say much. You can adjust the log level to debug for the proxy log subscription to hopefully get more details. Also, a TCPdump is still useful to make.
Which authentication methods do you allow in your identification profile?
Are both workstations using the same authentication method?
Regards,
Robin
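Added example, not part of the original posts and not Cisco code: a small Python triage of the PROX_AUTH lines quoted in this thread, which sets aside the "verify ticket failed" message the reply above says can be ignored and groups the "Authentication failed for IP" entries by client address. The line layout is inferred only from the four lines posted here, and the field names (`ts`, `level`, `txn`, `tag`, `msg`) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the four log lines quoted in the thread.
SAMPLE = """\
Tue Jun 8 08:33:12 2021 Warning: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: failed to decrypt ticket
Tue Jun 8 08:33:12 2021 Critical: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: verify ticket failed
Tue Jun 8 08:45:22 2021 Info: PROX_AUTH : 7944356 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.147)
Tue Jun 8 09:00:27 2021 Info: PROX_AUTH : 7962229 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.133)
"""

# Layout assumed from the sample: timestamp, level, PROX_AUTH, number, [tag], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>\w+): PROX_AUTH : (?P<txn>\d+) : "
    r"\[(?P<tag>[^\]]*)\]\s*(?P<msg>.*)$"
)
FAILED_IP_RE = re.compile(r"Authentication failed for IP \((?P<ip>[\d.]+)\)")
# The one message the reply in this thread says can be ignored.
IGNORABLE = "krb5_verify_ap_req2: verify ticket failed"


def triage(text):
    """Return (failures_by_ip, ignorable_records, other_records)."""
    failures = defaultdict(list)
    ignorable, other = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a PROX_AUTH line in the assumed layout
        rec = m.groupdict()
        ip = FAILED_IP_RE.search(rec["msg"])
        if ip:
            failures[ip.group("ip")].append(rec["ts"])
        elif rec["msg"] == IGNORABLE:
            ignorable.append(rec)
        else:
            other.append(rec)  # still needs a human look
    return dict(failures), ignorable, other


if __name__ == "__main__":
    failed, noise, rest = triage(SAMPLE)
    for ip, stamps in sorted(failed.items()):
        print(f"{ip}: {len(stamps)} failed auth(s), first at {stamps[0]}")
    print(f"{len(noise)} ignorable line(s), {len(rest)} other line(s)")
    for rec in rest:
        print(f"  {rec['level']} [{rec['tag']}] {rec['msg']}")
```

Run against a full export of the authentication log, the per-IP list shows which clients to capture with TCPdump for the working versus non-working comparison.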