Solved

Kerberos not working when clients use auto detect

Posted on 2013-12-22
Last Modified: 2014-01-18
Our environment
Smoothwall is set to use NTLM auth for all clients except a range of IPs set in DHCP. The DHCP range is excluded and clients are using MAC to IP address assignment. Smoothwall is set to apply Kerberos authentication to MacBook laptops by IP address. We manually set up the MAC to IP address in DHCP. The client selects Auto in the Proxy field and we use a PAC file hosted on our Smoothwall device. DNS is set to use FQDN and the PAC file has FQDN in it. Smoothwall is set to use reverse DNS as required for Kerberos to work OK. Also, if we set up a port in Smoothwall and manually point the client to it without using the PAC file, Kerberos authenticates fine.

The MacBook receives 'Kerberos Authentication Fails', which suggests that DHCP and Smoothwall are working OK but the user credentials are not being passed through.

Could this be a problem with the PAC file?  Proxy.Pac attached
proxy.txt
Question by:Wilkinson1546

Accepted Solution

by: Wilkinson1546
I managed to fix this with help from Smoothwall; it took nearly 3 months but we got there. The PAC file was returning the NetBIOS name for the Smoothwall server and not the FQDN, which was not allowing the Kerberos ticket to pass through. We set up DHCP MAC address reservation and told Smoothwall to use the IP address reservation for Kerberos authentication by setting a Location in Smoothwall and specifying the range.

All works great now :)

Author Closing Comment

by:Wilkinson1546
Case is closed, but many network engineers may find this useful if rolling out Apple and Microsoft devices together and using Smoothwall as their web filter.
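
The fix in this thread came down to which proxy name the PAC file hands to the client. As an added example (not part of the original thread and not Smoothwall's code), this script statically lists every proxy host a PAC file can return and flags any that is a short NetBIOS-style name or an IP literal rather than an FQDN. The sample PAC, host names and ports are constructed for illustration.

```javascript
// Constructed sample PAC: one branch returns a short name, the other an FQDN.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(myIpAddress(), "10.0.50.0", "255.255.255.0"))
    return "PROXY SMOOTHWALL:8080";
  return "PROXY smoothwall.corp.example:800; DIRECT";
}`;

// Classify a proxy host as it appears in the PAC return string.
function classifyHost(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return "ip-literal";
  // A trailing dot alone does not make a name fully qualified.
  if (!host.replace(/\.$/, "").includes(".")) return "single-label";
  return "fqdn";
}

// Scan the PAC text (without executing it) for PROXY/HTTPS directives,
// so every branch is covered, not just the one a given client would hit.
function auditPac(pacText) {
  const re = /\b(PROXY|HTTPS)\s+([A-Za-z0-9._-]+)(?::(\d+))?/g;
  const seen = new Map();
  for (const m of pacText.matchAll(re)) {
    const [, directive, host, port] = m;
    const key = `${directive} ${host.toLowerCase()}:${port || ""}`;
    if (seen.has(key)) continue; // report each distinct proxy once
    const kind = classifyHost(host);
    seen.set(key, {
      directive,
      host,
      port: port ? Number(port) : null,
      kind,
      // Only an FQDN gives the client a name it can request a ticket for.
      kerberosSafe: kind === "fqdn",
    });
  }
  return [...seen.values()];
}

// Entries that need fixing before Kerberos proxy auth can be expected to work.
function findings(pacText) {
  return auditPac(pacText).filter((e) => !e.kerberosSafe);
}

for (const f of findings(SAMPLE_PAC)) {
  console.log(`${f.directive} ${f.host}:${f.port} is ${f.kind}; use the FQDN`);
}
```
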
