WSA S6xx Authentication to Kerberos through an F5

tmkgm2013
Level 1

I am having trouble getting my WSA S6xx to authenticate using Kerberos going through an F5 load balancer.

Looking at the access logs, only NTLM is being used. If I move the Identity to just Kerberos, all I receive is '407'.

Any help with this is appreciated.

Tom

2 Replies

Handy Putra
Cisco Employee

Hi Tom,

Would suggest:

  1. Use the kerbtray tool from the Windows Resource Kit to verify the Kerberos ticket on the client (http://www.microsoft.com/en-us/download/details.aspx?id=17657).
  2. On Mac clients, the Ticket Viewer application is available under main menu > Keychain Access to view the Kerberos tickets.
  3. Use the %m custom field parameter for the access log to see what authentication method was used.
  4. Enable authentication in the identity policy using the Kerberos scheme.
  5. Log in to the domain on your client and make http/https/ftp requests using browsers. Supported browsers are: FF, IE, Chrome and Safari.

Browser Configurations

IE
Add the WSA hostname under Internet Options -> Security -> Local Intranet -> Sites -> Advanced.
Enable "Automatic logon only in the intranet zone".
Enable "Enable Integrated Windows Authentication" (requires restart).
For detailed instructions, please refer to IE Configurations.

Firefox
Run about:config.
Set the values of network.negotiate-auth.trusted-uris, network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris to the WSA hostname.
For detailed instructions, please refer to Firefox Configurations.


Safari
Safari on Mac does not need any changes once the computer is added to the domain.


Chrome
Add the WSA hostname under Internet Options -> Security -> Local.

Verify

1. Verify you are not prompted for authentication.

2. Verify the access log displays the NEGOTIATE auth type.

3. Verify the access log displays the correct username.

JAKUB CHYTRACEK
Level 1

Hi, can you describe your F5 configuration in detail? I suppose that you are using LTM for load balancing; the problem is described in detail here: https://blogs.technet.microsoft.com/askds/2011/08/09/kerberos-and-load-balancing/. The WSA is using a computer account in AD, and this is the biggest problem, because you are not able to add the SPN attribute = DNS name for the VIP IP address to all of the WSA computer accounts. The SPN attribute value should be unique in AD!

Try to use not LTM but GTM. If you need more help, write me. Other vendors like Bluecoat, Checkpoint and Fortinet use a service user account.

It is funny that you have the same problem with WSA and Kerberos authentication if you are using WSA CARP HA - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut38566. Cisco recommends using fallback to NTLM :( - check the case notes and attachment ...
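
As an added diagnostic that is not part of this thread or of any Cisco or F5 tool, the Python below decodes the token from a client's Proxy-Authorization header and reports whether a Negotiate exchange really carried Kerberos or wrapped an NTLM fallback inside SPNEGO, which is what a client does when it cannot get a ticket for the proxy's SPN (the VIP-name problem above), so it complements the %m access-log check and the NEGOTIATE verification step in the first reply. It assumes you have header values from a client-side capture; the sample tokens are constructed, and the SPNEGO inspection is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import re

# DER-encoded OIDs that identify the mechanism at the start of a GSS-API token (RFC 2743, RFC 4178).
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def _der_length(buf, pos):
    # Decode the DER length at buf[pos]; return (length, offset of content).
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_header(value):
    """Name the mechanism actually carried in a Proxy-Authorization header value."""
    m = re.match(r"\s*(Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)", value)
    if not m:
        return "no token"
    raw = base64.b64decode(m.group(2))
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP)"
    if raw[:1] != b"\x60":            # [APPLICATION 0] InitialContextToken
        return "unknown"
    _, pos = _der_length(raw, 1)
    if raw[pos:pos + 1] != b"\x06":   # thisMech OBJECT IDENTIFIER
        return "unknown"
    oid_len, pos = _der_length(raw, pos + 1)
    oid, body = raw[pos:pos + oid_len], raw[pos + oid_len:]
    if oid == KRB5_OID:
        return "Kerberos (bare GSS token)"
    if oid != SPNEGO_OID:
        return "unknown"
    # Heuristic: an NTLMSSP mechToken inside SPNEGO means no usable ticket for the proxy SPN.
    if b"NTLMSSP\x00" in body:
        return "SPNEGO carrying NTLM (Kerberos fallback)"
    return "SPNEGO carrying Kerberos" if KRB5_OID in body else "SPNEGO (unresolved)"

# Constructed sample header values, not captures from this thread.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
SAMPLES = {
    "ntlm_bare": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    # NegTokenInit whose mechTypes lists only the Kerberos OID (lengths DER-consistent)
    "spnego_kerberos": "Negotiate " + base64.b64encode(bytes.fromhex(
        "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode(),
    # NegTokenInit offering NTLMSSP (1.3.6.1.4.1.311.2.2.10) with an NTLM Type 1 mechToken
    "spnego_ntlm": "Negotiate " + base64.b64encode(bytes.fromhex(
        "603006062b0601050502a0263024a00e300c060a2b06010401823702020aa2120410"
        "4e544c4d5353500001000000078208a2")).decode(),
}
```

A real client token is usually far longer than these samples (a Kerberos AP-REQ runs to kilobytes), which is why the length decoder handles the long DER form.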