ProxySG & Advanced Secure Gateway

  • 1.  Upgrade from NTLM to Kerberos

    Posted Aug 21, 2018 05:49 AM

    Hi,

    On my proxy SG, I have already configured NTLM authentication with BCAAA. I need now to upgrade to Kerberos.

    I saw here how to implement Kerberos:

    https://support.symantec.com/en_US/article.TECH250945.embed.html

    But my question is: do I have to do all the steps even if NTLM is already configured?

    Example:

    • Create a DNS “A” record
    • Create a domain user account for the BCAAA
    • In the Local Security Policy of the server on which BCAAA is running, modify the user rights assignment for the BCAAA domain
    • Enter the following case-sensitive command:
      setspn -A HTTP/<FQDN_of_Proxy> <AD_Account_Name>


    Or are some steps already done by the NTLM configuration, so there is no need to do them again?



  • 2.  RE: Upgrade from NTLM to Kerberos
    Best Answer

    Posted Aug 21, 2018 06:06 AM

    Hi,


    NTLM and BASIC don't rely on the settings which are required for Kerberos to work. Informing the KDC about the service and the user/owner account details using "setspn" is very crucial in Kerberos. Only this user is allowed to validate the tickets. All the above steps are needed if you are using BCAAA. If using IWA-Direct, you may only need the DNS entry part taken care of.



  • 3.  RE: Upgrade from NTLM to Kerberos

    Posted Aug 21, 2018 08:05 AM

    Thank you, that's clear!



  • 4.  RE: Upgrade from NTLM to Kerberos

    Posted Aug 21, 2018 09:59 AM

    @aravind: The thing is that my BCAAA servers are in production, so I'm afraid that if I start the Kerberos configuration I could misconfigure it and put production in danger.


    In your opinion: is it possible to test it only on my alternate BCAAA server with my secondary proxy and, once validated, do the same configuration on the primary?



  • 5.  RE: Upgrade from NTLM to Kerberos

    Posted Aug 21, 2018 11:03 PM

    Hi,


    While it is not expected to create havoc, it's better to be safe. You can do the steps on the alternate server and create a new test realm in your proxy with Kerberos enabled. Authenticate a client machine against this realm.


    If the client machine is aware of the KDC setup, it will query the server to get a ticket for "what is configured in the browser as proxy". Most users end up having issues at this point. The SPN is expected to be created with the FQDN. This needs to be the one which is configured in the browser as the proxy. For example, the browser is configured with proxy.acme.com. The setspn command should then be setspn -A HTTP/proxy.acme.com AcmeDomain\BCAAAuser. Customers are found to miss this part. They will configure the SPN correctly but fail to use the same name in the browser.
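A small Python checker for the mismatch described above, added here as an example (it is not code from this thread, from Symantec, or from the setspn tool): it parses the output of "setspn -Q HTTP/*" and compares the proxy name the browser sends against the SPNs actually registered in AD. The sample output, account names and DNs are constructed; the duplicate-SPN and wrong-account checks go beyond the post and cover two further common reasons a proxy SPN does not yield a usable ticket.

```python
# Constructed sample of `setspn -Q HTTP/*` output; no real environment behind it.
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=acme,DC=com
CN=BCAAAuser,OU=Service Accounts,DC=acme,DC=com
    HTTP/proxy.acme.com
    HTTP/proxy-secondary.acme.com
CN=bcaaa2,OU=Service Accounts,DC=acme,DC=com
    HTTP/proxy-secondary.acme.com
    HTTP/proxy-alt.acme.com

Existing SPN found!
"""


def parse_setspn_query(text):
    """Map each SPN (lower-cased) to the list of account DNs that register it."""
    owners = {}
    current_dn = None
    for line in text.splitlines():
        if line.startswith("CN="):          # account header line
            current_dn = line.strip()
        elif line[:1].isspace() and current_dn and "/" in line:  # indented SPN line
            owners.setdefault(line.strip().lower(), []).append(current_dn)
    return owners


def check_proxy_spn(browser_proxy, setspn_output, bcaaa_account_dn):
    """Compare the proxy name the browser sends with the SPNs registered in AD.

    Returns a list of findings; an empty list means the SPN is consistent.
    """
    host = browser_proxy.split(":")[0].lower()   # "proxy.acme.com:8080" -> "proxy.acme.com"
    wanted = f"http/{host}"                       # Kerberos SPN the client will ask the KDC for
    owners = parse_setspn_query(setspn_output)
    registered_to = owners.get(wanted, [])
    findings = []
    if not registered_to:
        # Same leftmost label under a different name: the short-name vs FQDN mistake from the post
        label = host.split(".")[0]
        similar = [s for s in owners if s.split("/", 1)[1].split(".")[0] == label]
        if similar:
            findings.append(f"MISMATCH: browser sends {wanted!r} but AD only has {similar}")
        else:
            findings.append(f"MISSING: no SPN {wanted!r} registered; run setspn -A for it")
    elif len(registered_to) > 1:
        findings.append(f"DUPLICATE: {wanted!r} is on {len(registered_to)} accounts; remove all but one")
    elif registered_to[0].lower() != bcaaa_account_dn.lower():
        findings.append(f"WRONG ACCOUNT: {wanted!r} belongs to {registered_to[0]}, not the BCAAA account")
    return findings
```

Run it against the real setspn output of your domain with the exact proxy string from the browser or PAC file; the empty-list result is the state you want before switching the production realm.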