
Requirements for Using a Kerberos Authentication Server

Kerberos Proxy


#1 Manfred Halper

  • Barracuda Guru
  • 84 posts

Posted 09 December 2015 - 10:45 AM

Hello,

 

I'm currently trying to get Kerberos authentication running for the proxy service, but no luck. The one thing I noticed in the KB is the following sentence:

Use type A DNS records for the Kerberos Key Distribution Center (KDC). There are known issues with some clients forming an incorrect SPN request when CNAME DNS records are used.

I don't know what exactly is meant by this entry. The Kerberos Key Distribution Center is a Server 2012 domain controller. All the necessary DNS entries are there and working. Do I need some additional non-Microsoft-default A DNS record entries?

 

Cheers,

Manfred.

 

 



#2 Micha Knorpp

  • Members
  • 195 posts

Posted 09 December 2015 - 11:05 AM

Hi Manfred,

 

Seems like we are struggling with the same thing at the moment...

I also wondered about this sentence in the KB. Because I couldn't figure out what it means, I decided to ignore it.

So far, Kerberos itself seems to work because I see usernames in the proxy log (the domain join worked smoothly!). What does not work is special ACLs based on AD group membership of the users. Looks like the proxy doesn't get this group info.

 

Is this the case too in your setup?

Which firmware are you using? I'm on v6.2.


regards,
-micha-

#3 Manfred Halper

  • Barracuda Guru
  • 84 posts

Posted 11 December 2015 - 08:26 AM

I'm on 6.2. The domain join worked without problems, but the proxy does not get any information at all. I get the following message in the cache.log: Error returned 'BH received type 1 NTLM token'

 

I switched to the DC client to get the authentication for the proxy.

 

I don't get any information via Kerberos. The funny thing is that the default setting for the KDC is not an A record or CNAME but an SRV record, to identify services.

 

I would prefer a running Kerberos configuration over the DC Client any day.
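The helper message quoted in post #3 says the proxy's Negotiate helper was handed an NTLM type 1 (NEGOTIATE) message where it expected a Kerberos token, i.e. the client fell back to NTLM instead of presenting a ticket for the proxy's HTTP/ SPN, which is the failure mode the KB sentence quoted in post #1 (CNAME names leading to an SPN the proxy does not hold) warns about. The following script is an added example written for this thread, not code from Barracuda, Squid or any poster: it decodes a `Proxy-Authorization: Negotiate ...` header value taken from a client capture or proxy debug log and reports whether the token is raw NTLMSSP, a SPNEGO NegTokenInit (and which mechanisms the client offered, in preference order), or raw Kerberos. The DER helpers, the token classification and the plain-language diagnosis are this example's own; the three sample headers are constructed inline (a hand-built NTLM type 1 message and two SPNEGO tokens carrying only a mechTypes list) so it runs offline.

```python
import base64

# DER OID content bytes (without the 0x06 tag and length octet).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(raw: bytes) -> str:
    """Decode DER OID content bytes to dotted form (first arc 0 or 1, as for all OIDs here)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def spnego_mech_types(body: bytes) -> list:
    """mechTypes of a NegTokenInit, in the client's preference order (first = what it sends)."""
    tag, init, _ = read_tlv(body, 0)            # [0] NegTokenInit
    if tag != 0xA0:
        return []
    tag, seq, _ = read_tlv(init, 0)             # SEQUENCE { mechTypes [0], ... }
    if tag != 0x30:
        return []
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                         # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field, 0)
            mechs, p = [], 0
            while p < len(lst):
                t, oid, p = read_tlv(lst, p)
                if t == 0x06:
                    mechs.append(oid_to_str(oid))
            return mechs
    return []


def classify_token(token: bytes) -> dict:
    """Say what a base64-decoded Negotiate token actually carries."""
    result = {"mechanism": "unknown", "ntlm_message_type": None, "mech_types": []}
    if token.startswith(NTLMSSP_SIGNATURE):     # raw NTLMSSP: no Kerberos ticket was used
        result["mechanism"] = "NTLMSSP"
        result["ntlm_message_type"] = int.from_bytes(token[8:12], "little")
        return result
    if not token or token[0] != 0x60:           # GSS-API InitialContextToken, [APPLICATION 0]
        return result
    _, body, _ = read_tlv(token, 0)
    tag, oid, pos = read_tlv(body, 0)           # thisMech OID comes first
    if tag != 0x06:
        return result
    if oid == OID_SPNEGO:
        result["mechanism"] = "SPNEGO"
        result["mech_types"] = spnego_mech_types(body[pos:])
    elif oid in (OID_KRB5, OID_MS_KRB5):
        result["mechanism"] = "Kerberos"
    else:
        result["mechanism"] = oid_to_str(oid)
    return result


def classify_header(value: str) -> dict:
    """Classify a full Proxy-Authorization / Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "scheme:" + scheme, "ntlm_message_type": None, "mech_types": []}
    return classify_token(base64.b64decode(b64))


def diagnosis(result: dict) -> str:
    """Plain-language reading for log triage."""
    if result["mechanism"] == "NTLMSSP":
        return ("NTLM fallback (type %d): the client could not get or use a Kerberos ticket for "
                "the proxy SPN; check the host name the client uses, whether it is an A or CNAME "
                "record, and the HTTP/ SPN in the proxy keytab" % result["ntlm_message_type"])
    if result["mechanism"] == "SPNEGO":
        first = result["mech_types"][0] if result["mech_types"] else ""
        if first == oid_to_str(OID_NTLMSSP):
            return "SPNEGO with NTLM preferred: Kerberos was not usable on the client"
        return "SPNEGO offering Kerberos first: the client obtained a ticket"
    if result["mechanism"] == "Kerberos":
        return "raw Kerberos token"
    return "not a Negotiate token"


# Constructed samples (assumption: built by hand here, not captured from any poster's network).
def build_ntlm_type1() -> bytes:
    """Minimal NTLMSSP NEGOTIATE: signature, type=1, flags, empty domain/workstation fields."""
    flags = 0x00088207  # UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXT_SESSIONSECURITY
    return NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + flags.to_bytes(4, "little") + bytes(16)


def build_spnego(mech_oids) -> bytes:
    """SPNEGO NegTokenInit carrying only a mechTypes list (the part the classifier inspects)."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, mech_list))))


def header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


SAMPLE_HEADERS = {
    "ntlm_fallback": header(build_ntlm_type1()),
    "kerberos_first": header(build_spnego([OID_KRB5, OID_MS_KRB5])),
    "ntlm_first": header(build_spnego([OID_NTLMSSP, OID_KRB5])),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        r = classify_header(value)
        print(f"{name}: {r['mechanism']} {r['mech_types']} -> {diagnosis(r)}")
```

Feed it the header value from a browser capture or from the proxy's debug output: a raw `NTLMSSP` result is exactly what the "received type 1 NTLM token" message describes, and the mechTypes order of a SPNEGO token tells you whether the client even tried Kerberos before falling back.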