Forum Discussion

Jugoslav_106711's avatar
Jugoslav_106711
Icon for Nimbostratus rankNimbostratus
Jan 13, 2016

Kerberos and SWG Implementation

Hello team,

 

anyone had experience with Kerberos for SWG authentication? I am following guide for Kerberos and SWG implementation but kinit and klist is not giving appropriate output. Interesting is that i can't see that F5 is communicating to Kerberos using tcpdump. Please help me in which direction i should troubleshoot further.

 

Point is to avoid submitting an APM HTTP form for collecting user credentials. The browser should automatically submits credentials to the server and bypasses the login box to collect the credentials again.

 

  • I would suggest looking into DNS resolution and/or routing to see if you can reach the DNS controllers. This has nothing to do with SWG here - but rather an issue that prevents F5 device to properly discover/connect to the KDCs.

     

    Is this for transparent or explicit proxy deployment? If explicit, you will need to add the variable assignment before Kerberos Auth agent:

     

    You need a Variable Assign agent on the Negotiate branch before the Kerberos Auth agent. The value of the Variable assign is:

     

    session.server.network.name =

     

    Also, just curious, why did you choose Kerberos over NTLM for your deployment/use case?

     

  • Appreciate for your assistance Michael,

     

    good point, F5 is resolving DOMAIN.LOCAL to appropriate AD IP (3 IP are associated to DOMAIN.LOCAL). Only difference is that they have different hostnames.

     

    It's explicit deployment, i shall try with suggested Variable Assign in VPE.

     

    For customer, NTLM is less secure, but I will try with NTLM by following this guide

     

  • problem was in krb5.conf as mentioned in SOL16438 and also adding realms manually to /etc/krb.conf

     

  • Now i have problem with SWG responding back to the client, i see responding with NTLM auth, see packet capture:

     

     

  • Hi,

     

    I guess you solved this issue. Anyway what authentication mechanism browser uses depends on how proxy is configured in the browser. When proxy is entered as IP browser will always use NTLM - no way Kerberos will work, when entered as FQDN then Kerberos will be used (or at least will work, maybe NTLM will work as well - never tested that.

     

    Piotr