Solved

Kerberos not working when clients use auto detect

Posted on 2013-12-22
Last Modified: 2014-01-18
Our environment
Smoothwall is set to use NTLM Auth for all clients except a range of IPs set in DHCP. The DHCP Range is excluded and clients are using MAC to IP Address Assignment. Smoothwall is set to apply Kerberos Authentication to MacBook laptops by IP Address. We manually set up the MAC to IP Address in DHCP. The client selects Auto in the Proxy field and we use a PAC file hosted on our Smoothwall Device. DNS is set to use FQDN and the PAC file has FQDN in it. Smoothwall is set to use Reverse DNS as required for Kerberos to work OK. Also, if we set up a port in Smoothwall and manually point the client to it without using the PAC file, Kerberos authenticates fine.

The MacBook receives 'Kerberos Authentication Fails', which suggests that DHCP and Smoothwall are working OK but the user credentials are not being passed through.

Could this be a problem with the PAC file?  Proxy.Pac attached
proxy.txt
Question by:James Wilkinson

Accepted Solution

by: James Wilkinson
ID: 39791787
I managed to fix this with help from Smoothwall; it took nearly 3 months but we got there. The PAC file was returning the NetBIOS name for the Smoothwall server and not the FQDN, which was not allowing the Kerberos Ticket to pass through. We set up DHCP MAC Address Reservation and told Smoothwall to use the IP Address Reservation for Kerberos Authentication by setting a Location in Smoothwall and specifying the Range.

All works great now :)

Author Closing Comment

by:James Wilkinson
ID: 39791788
Case is closed but many Network Engineers may find this useful if rolling out Apple and Microsoft Devices together and using Smoothwall as their Web Filter.
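
The root cause in the accepted solution (a PAC file returning the proxy's NetBIOS name instead of its FQDN) can be checked for before rollout. The following is an added example, not part of the original thread or Smoothwall's tooling; the sample PAC, host names and URLs are constructed, and treating IP literals as findings is an added assumption beyond the thread.

```javascript
// Constructed sample PAC (hypothetical host names); one branch returns a single-label name.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".example.internal")) return "PROXY smoothwall:8080";
  return "PROXY smoothwall.example.internal:8080; DIRECT";
}`;

// Minimal stand-ins for the PAC helper functions the sample calls.
const pacHelpers = {
  isPlainHostName: (h) => !h.includes('.'),
  dnsDomainIs: (h, d) => h.toLowerCase().endsWith(d.toLowerCase()),
};

// The fix in the thread was a PAC that returns the proxy FQDN, so anything else is
// reported: single-label (NetBIOS-style) names and, as an added assumption, IP literals.
function classifyHost(host) {
  if (host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return 'ip-literal';
  return host.includes('.') ? 'fqdn' : 'single-label';
}

// Evaluate the PAC for each URL and collect proxy entries whose host is not an FQDN.
// This executes the PAC source, so feed it only the file from your own proxy.
function auditPac(pacSource, urls) {
  const names = Object.keys(pacHelpers);
  const load = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  const findProxy = load(...names.map((n) => pacHelpers[n]));
  const findings = [];
  for (const url of urls) {
    const result = String(findProxy(url, new URL(url).hostname));
    for (const entry of result.split(';').map((e) => e.trim()).filter(Boolean)) {
      const [kind, target] = entry.split(/\s+/);
      if (!/^(PROXY|HTTPS)$/i.test(kind) || !target) continue; // skip DIRECT, SOCKS
      const proxyHost = target.replace(/:\d+$/, '');
      const type = classifyHost(proxyHost);
      if (type !== 'fqdn') findings.push({ url, entry, proxyHost, type });
    }
  }
  return findings;
}

const SAMPLE_URLS = ['http://intranet/', 'http://intranet.example.internal/', 'http://www.example.com/'];
for (const f of auditPac(SAMPLE_PAC, SAMPLE_URLS)) {
  console.log(`${f.url} -> "${f.entry}" (${f.type}, expected the proxy FQDN)`);
}
```

Use test URLs that exercise every branch of the PAC, since a short name can hide in a rule that only matches internal sites.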