Set up Kerberos in v18?

Kerberos authentication requirements

1. What is the requirement for enabling “Audit Kerberos Authentication Service” in AD.
2. How many days do we need to retain these logs in each domain controller?

1.) Go to the Local security Policy > Local polices > audit policy > Audit account logon events properties > properties > success and Failure options should be enabled.

2.) Go to gpedit.msc > Default domain controller policy > right click > edit > polices > windows settings  > security settings > advanced audit policy > audit policies > account logon > audit kerberos authentication services > properties > success and failure options should be enabled.

Regards,

Karthik K

Hello,

I am trying to setup Kerberos auth for clients and I have next experience :
I have one fresh installation of XG18 in virtual environment; I configured XG, domain and PC with reccomendation listed in several pages; and it works well; PC is able to reach Inetret and I see user in list of Live users AD SSO Kerberos

I have two XGs which were upgraded from version 17.5.x

I went through the same steps like in first case; but these two installations do not work.

I went through troubleshooting steps and see this.

The first one - call it amazon, is OK at AD environment :

C:\Users\inf_podvarka>setspn -L sxgamazon
Registered ServicePrincipalNames for CN=SXGAMAZON,CN=Computers,DC=amazon,DC=local:
HTTP/sxgamazon
HTTP/sxgamazon.amazon.local
HOST/sxgamazon.amazon.local
HOST/SXGAMAZON

and from XG it is bad :

XG310_WP02_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
# /oss/klist -e -k /tmp/krb5.keytab
/bin/sh: /oss/klist: not found
#

but after workaround steps :

service nasm:stop -ds nosync
rm -rf /content/nasm
service nasm:start -ds nosync

it seems to be OK :

chroot /content/nasm
/oss/klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-crc)
3 HOST/SXGAMAZON@amazon.LOCAL (des-cbc-crc)
3 HOST/sxgamazon.amazon.local@amazon.LOCAL (des-cbc-md5)
...

The second one - call it elbe, is OK at AD environment :

C:\Users\podvarka>setspn -L sxgelbe
Registered ServicePrincipalNames for CN=sxgelbe,CN=Computers,DC=elbe,DC=local:
HTTP/sxgelbe.elbe.local
HTTP/sxgelbe
HOST/sxgelbe.elbe.local
HOST/sxgelbe

and from XG it is bad :

XG310_WP03_SFOS 18.0.1 MR-1-Build396# chroot /content/nasm
# /oss/klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan
#

the same after workaround :

service nasm:stop -ds nosync
rm -rf /content/nasm
service nasm:start -ds nosync

all three XGs has STAS used and it works - conenction to appropriate AD server is OK and functional

there was slight difference in behaviour of adding XG to AD; it was automatical in case of amazon; I had to add HTTP objects (HOST objects were added by system)

I had to add object in case of elbe manually

has anybody of you idea how to solve problem with this ?
klist: Key table file '/tmp/krb5.keytab' not found while starting keytab scan

suppose it is reason of non functionality :

Cannot establish NTLM authentication channel with

Best regards,

Petr

Hello,

small investigation and solution on elbe is quite simple. You have to reseat XG into domain, but nobody told what does it mean and how to do it.

For people who do not know how to do it short explanation connect to XG and change name in SYSTEM - Administration - Admin settings - Hostname. It could cause new computer object in AD will appear. Delete this object and original XG object in AD as well. After that change Hostname to original and this object should appear in computer list again. Check servicePrincipalName in attribute editor od AD object. Check klist at XG - it should work now well. If not, use workaround (rm -rf /content/nasm). Good luck.

Best regards,

Petr

PS for Sophos people - I think that many people would appreciate list of symptoms and most often solution; like "if you see this mesage, you would do this" ; I miss it ...

Hello,

small investigation and solution on elbe is quite simple. You have to reseat XG into domain, but nobody told what does it mean and how to do it.

For people who do not know how to do it short explanation connect to XG and change name in SYSTEM - Administration - Admin settings - Hostname. It could cause new computer object in AD will appear. Delete this object and original XG object in AD as well. After that change Hostname to original and this object should appear in computer list again. Check servicePrincipalName in attribute editor od AD object. Check klist at XG - it should work now well. If not, use workaround (rm -rf /content/nasm). Good luck.

Best regards,

Petr

PS for Sophos people - I think that many people would appreciate list of symptoms and most often solution; like "if you see this mesage, you would do this" ; I miss it ...

Hello,

i have a similar environment and am currently switching from utm to xg. In my demo system I am stuck with the web filter. With NTLM/kerberos everything works so far. The users are recognized and you can see the live session and the policy can be created according to the group membership.
But after 3-10 minutes I always have a page again:
gw.demosystem.de:8091/ntlmauth.html
It often helps to close and reopen the browser and it works again. But I can't apply this to the productive environment.
Do you have a tip for this.
Thanks in advance.

Regards,

Alex 

Can you verify, if this request is HTTP or HTTPs? 

Did you add this address to the local intranet zone on the Client? 

Hello LuCar Toni, 

you are so fast. Thanks. 

The request is https. In the URL i see https://gw....

I add it in the Zone as in the Documentation http://gw... and on other Browser Chrome, Edge as fqdn for auth Server. 

Did you check the box below "Require https:// for all Sites on this page"? Its a Microsoft Setting. 
Another point: Do you use HSTS? So does your Client access this gw.demosystem.de via Port4444 or port 443 for other modules? 
The Client will proceed HSTS and know, this page can do HTTPs therefore he automatically use HTTPs, which does not work for NTLM. 

this is strange.
the hack on
"Require https:// for all Sites on this page
cannot be set via the GPO for Intranet. If I set the link as https://gw.demosystem.de, it asks directly for the user ID. If I set http://gw.demosystem.de there, the effect is as described above.
In the demo system I only use the web filter. But with HTTPS decryption.
The error occurs when using Kerberos/NTLM and only NTLM.
Is there a way to disable HSTS for XG in the browser?

Translated with www.DeepL.com/Translator (free version)

You need to set http:// into the intranet sites. 

And you need to clear the HSTS Cache and retry it. See: https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

Hello,

now I understand what you mean and it makes sense.

Now i clean the HSTS Cache. It looks like it works now. Amazing how much time it took me to search and you have the solution in 5 minutes.

What a pity that this is not documented anywhere.

I will build another demo environment in the near future and try to document this and provide a manual here in the community. I don't really like the Sophos own manual. For example, according to their manual you should enable automatic login with username and password in the Internet Zone of your browser.

Thanks again Lucar Toni. This is my second time in the community and both were very helpful.

is there virtual beer? I'd like to buy you one. ;) 

Hello,

we have deposited our firewall via the GPO at the intranet sites as follows:
http://fw_name.domain.???
https://fw_name.domain.????

At the first start everything works. After logging on to the user portal or the WebAdmin portal the error occurs afterwards. When the HSTS is checked, the entry is available again. After deleting it, access works again. As long as no user opens the portal, the access always works.

Before v18 this worked fine. Was there any change.

With the Mircrosoft browsers there are no problems. Additionally we noticed the following:
If the error occurs in Chrome, and we start IE for example, the access with Chrome works again.

Translated with www.DeepL.com/Translator (free version)

Best Regards

we have the same problem as Alexander

Its actually a matter of HSTS. Does your client open XGs all the time for other facilities? So does the browser know, he can reach the NTLM hostname via HTTPS?