Solved

Kerberos not working when clients use auto detect

Posted on 2013-12-22
3
1,887 Views
Last Modified: 2014-01-18
Our environment
Smoothwall set to use NTLM Auth for all clients except a range of IP's set in DHCP. The DHCP Range is excluded and clients are using MAC to IP Address Assignment. Smoothwall is set to apply Kerberos Authentication to MACBOOK Laptops by IP Address. We manually setup the MAC to IP Address in DHCP. The client selects Auto in the Proxy field and we use a PAC file hosted on our Smoothwall Device. DNS is set to use FQDN and the PAC file has FQDN in it. Smoothwall is set to use Reverse DNS as required for Kerberos to work ok. Also if we set up a port in Smoothwall and manually point the client to it without using the PAC file Kerberos authenticates fine.

The Macbook receives 'Kerberos Authentication Fails' which suggests that DHCP and Smoothwall is working ok but the user credentials are not being passed through.

Could this be a problem with the PAC file?  Proxy.Pac attached
proxy.txt
0
Comment
Question by:James Wilkinson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Accepted Solution

by:
James Wilkinson earned 0 total points
ID: 39791787
I managed to fix this with help from Smoothwall, it took nearly 3 months but we got there. The Pac file was returning the Netbios name for the smoothwall server and not the FQDN. Which was not allowing the Kerberos Ticket to pass through. We setup DHCP MAC Address Reservation and told smoothwall to use the IP Address Reservation for Kerberos Authentication by setting a Location in Smoothwall and specifying the Range.

All works great now :)
0
 

Author Closing Comment

by:James Wilkinson
ID: 39791788
Case is closed but many Network Engineers may find this useful if rolling out Apple and Microsoft Devices together and using Smoothwall as their Web Filter.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question