PhetS
Jun 26, 2024

Mix NTLMv2 & Kerberos SSO in the same policy for different sub-URL

Hello!

I got a special request and couldn't find a solution on how to address this...

e.g.

The following URL is secured by an APM policy using NTLMv2 as SSO (based on AD Auth):

https://acme.domain.com/url

The following sub-URL is requesting Kerberos:

https://acme.domain.com/url/suburl

For the moment the user needs to authenticate 2x, the 2nd time through a Microsoft popup.

One of the main issues: if I log out and log in again with a different user, no login is requested for the Kerberos part and the 1st user remains connected.


Any idea how I could solve this situation?

BR
S.

  • Hi,

    - Review the Active session report for the first login attempt and validate that Kerberos works well and that you can see the TGT or S4U successful.
    - After the first attempt, try to log out again, authenticate with another user, then review the Access report and check the NTLM authentication and Kerberos.
    - Try this (don't only log out from the application; I need you to kill the session, then authenticate with the second user directly and check the Kerberos logs in the access reports).

    I think you should connect with the second user after killing the active session.

    Don't forget to enable debugging for SSO and Access policy, to be able to see all logs and failures on the Kerberos side.