WSA appliance - kerberos authentication with two WSA

02-05-2018 04:23 AM - edited 03-08-2019 07:43 PM
Hello!
How can I configure Kerberos authentication on a WSA appliance if I use a WSA cluster with two nodes (with SMA)?
Do I have to set the same hostname on the two appliances?
- Web Security appliance configuration:
  - In explicit mode, the WSA host name (CLI command sethostname) and the proxy name configured in the browser must be the same
Thanks!
Zoltan
08-03-2018 01:04 PM
Hi Zoltan,
I am right now working with this as well.
I guess you have your WSAs joined to your domain. And I guess you have DNS records for your interfaces; both have different FQDNs (it should be this way).
The tricky part is to get Kerberos to work for the high availability IP address.
I've read a lot.
When you use one of the WSAs' actual IP addresses (of course you should use the corresponding FQDN, like data1.contoso.com), it has a corresponding DNS record, and during the domain join operation the WSA creates the necessary SPN records (which will be used during Kerberos).
If you go ahead and run the command "setspn -L WSA" on a domain computer, where WSA is the computer name of your WSA, you will see that there are numerous SPN records.
For using Kerberos, you should type the FQDN of your data port (data1.contoso.com) as the proxy on the client. Also, the data1.contoso.com address should be added to the intranet zone under Internet Explorer settings -> Security. Customize the intranet zone setting to allow SSO.
When you try to access a web site, it should authenticate using Kerberos.
You can check which auth method is being used by adding %m under the access log custom fields.
I haven't tried Kerberos for the HA FQDN yet, but I hope that a delegation setting on Active Directory will make it work.
12-21-2022 04:28 AM
Hello!
I think this topic - Creating a Service Account in Windows Active Directory for Kerberos Authentication in High Availability Deployments https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_0101.html can help you.
12-22-2022 11:49 PM
Hi,
[1] As mentioned above, you need to check that the SPN of the high availability hostname is associated with the Active Directory user object you created or chose.
[2] And you need to configure your browser to use Kerberos:
Configuring Kerberos Authentication in Different Browsers | Windows OS Hub (woshub.com)
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
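The checks discussed in this thread (the HTTP/ SPN for each node's data FQDN and for the HA hostname must exist, and must be held by exactly one account) can be verified from the output of `setspn -L`. The following is an added example, not code from the thread or from Cisco: it parses constructed `setspn -L` output for placeholder accounts (WSA1$, WSA2$, svc-wsa-ha) and hostnames (data1/data2/proxy-ha.contoso.com) and reports missing or duplicate SPNs, which are the usual reasons the WSA silently falls back to NTLM or Basic.

```python
# Added example: check HTTP/ SPN ownership for WSA explicit-proxy names.
# Accounts, OUs and hostnames below are constructed placeholders.
from collections import defaultdict

# Constructed sample output, in the shape `setspn -L <account>` prints it.
SETSPN_OUTPUT = {
    "WSA1$": """Registered ServicePrincipalNames for CN=WSA1,OU=Proxies,DC=contoso,DC=com:
        HTTP/data1.contoso.com
        HTTP/DATA1
        HOST/data1.contoso.com
""",
    "WSA2$": """Registered ServicePrincipalNames for CN=WSA2,OU=Proxies,DC=contoso,DC=com:
        HTTP/data2.contoso.com
        HTTP/proxy-ha.contoso.com
        HOST/data2.contoso.com
""",
    "svc-wsa-ha": """Registered ServicePrincipalNames for CN=svc-wsa-ha,OU=Service Accounts,DC=contoso,DC=com:
        HTTP/proxy-ha.contoso.com
""",
}

def parse_setspn(text):
    """Return the SPNs listed in one `setspn -L` block (header line skipped)."""
    return [line.strip() for line in text.splitlines()[1:] if line.strip()]

def check_http_spns(outputs, proxy_names):
    """Map each proxy FQDN to the accounts holding its HTTP/ SPN; return problems."""
    owners = defaultdict(set)
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            service, _, host = spn.partition("/")
            if service.upper() == "HTTP":
                owners[host.lower()].add(account)
    problems = {}
    for name in proxy_names:
        holders = owners.get(name.lower(), set())
        if not holders:
            # Clients get no ticket for this name: Kerberos cannot be used at all.
            problems[name] = "missing: no account holds HTTP/%s" % name
        elif len(holders) > 1:
            # Duplicate SPN: the KDC may issue a ticket the WSA cannot decrypt.
            problems[name] = "duplicate: held by " + ", ".join(sorted(holders))
    return problems

if __name__ == "__main__":
    names = ["data1.contoso.com", "data2.contoso.com", "proxy-ha.contoso.com"]
    for name, why in check_http_spns(SETSPN_OUTPUT, names).items():
        print(name, "->", why)
```

With the sample data the two node names pass and proxy-ha.contoso.com is flagged as a duplicate, because its SPN is on both WSA2$ and the dedicated HA service account.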
