SSL VPN
New User
hadar
Posts: 5
Registered: ‎05-01-2008

WSAM and Kerberos

Has anyone figured out how to get Windows Kerberos and WSAM to work together? I am running 6.0r5 and it just doesn't want to work. I tried forcing Kerberos to use TCP and not UDP on the desktops, but it still didn't work. One of the things I noticed was that DNS queries for Kerberos were being sent to the external DNS server and so they didn't get the right answer back.


Contributor
Kevin
Posts: 35
Registered: ‎01-01-2008

Re: WSAM and Kerberos

What exactly isn't working? I've had problems with Kerberos over NC - drives not mapping in some cases. That ended up being the size of the Kerberos packet that is returned to the server. Changing to Kerberos over TCP on the client fixed my problem.
Trusted Contributor
dcvers
Posts: 160
Registered: ‎11-16-2007

Re: WSAM and Kerberos

I tried for several months to get Kerberos and SMS to work with WSAM but was not successful. The problem we found was that DNS SRV requests were not being forwarded by WSAM. There was also a Connectionless LDAP (CLDAP) request that was not being forwarded by WSAM. The really annoying thing is that Kerberos itself does work via WSAM, but it can't get started because of the DNS issue.
New User
hadar
Posts: 5
Registered: ‎05-01-2008

Re: WSAM and Kerberos

I saw the same thing when I ran Wireshark on my test box and saw the DNS calls going out to the public DNS server and not internally. I wonder if there is a way to force the DNS to forward those requests internally.
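The symptom described in the posts above (DC-locator SRV lookups leaving for the public resolver instead of an internal one) can be checked mechanically from a capture. The following is an added example, not code from any poster or from Juniper: it builds a constructed DNS query, parses the question section, and flags Kerberos/LDAP SRV lookups whose destination resolver is outside an assumed internal range (10.0.0.0/8 is a placeholder).

```python
import struct
from ipaddress import ip_address, ip_network

# Assumed internal resolver range; constructed for this example, adjust to your site.
INTERNAL_RESOLVERS = [ip_network("10.0.0.0/8")]

# SRV name prefixes a Windows client queries to locate a DC before Kerberos can start.
DC_LOCATOR_PREFIXES = ("_kerberos.", "_kpasswd.", "_ldap.")
QTYPE_SRV = 33
QTYPE_A = 1

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query message (constructed sample input, not a real capture)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_question(pkt: bytes):
    """Return (qname, qtype) from the first question of a DNS message."""
    qdcount = struct.unpack(">H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers never appear in a plain question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(pkt[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    qtype = struct.unpack(">H", pkt[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype

def flag_misrouted_dc_lookup(dst_ip: str, pkt: bytes) -> bool:
    """True when a DC-locator SRV query is sent to a resolver outside INTERNAL_RESOLVERS."""
    qname, qtype = parse_question(pkt)
    is_dc_locator = qtype == QTYPE_SRV and qname.startswith(DC_LOCATOR_PREFIXES)
    external = not any(ip_address(dst_ip) in net for net in INTERNAL_RESOLVERS)
    return is_dc_locator and external

if __name__ == "__main__":
    # Constructed flows: a Kerberos SRV lookup to a public resolver, and one to an internal DC.
    krb = build_query("_kerberos._tcp.dc._msdcs.example.com", QTYPE_SRV)
    print("to 8.8.8.8 :", flag_misrouted_dc_lookup("8.8.8.8", krb))    # True
    print("to 10.1.2.3:", flag_misrouted_dc_lookup("10.1.2.3", krb))   # False
```

Feeding real destination addresses and DNS payloads from a Wireshark export into `flag_misrouted_dc_lookup` shows which lookups never reach a resolver that knows the domain.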
Visitor
fild
Posts: 6
Registered: ‎05-07-2009

Re: WSAM and Kerberos

Does anyone have the same problem? I have a similar problem on version 6.5r2. Is there any ticket open?

To be more concrete: Outlook is not working with WSAM, but works with NC, and after a successful NC session Outlook will run with WSAM.

It looks like Kerberos is switched back to NTLM. I don't know why there is Kerberos, because I have NTLM in the Outlook preferences...

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007

Re: WSAM and Kerberos

@hadar: Kerberos over WSAM is available in 6.4 and later only. You need to enable the standard WSAM application (6.4 and later only) called "Domain Authentication" and then define all your DCs as allowed servers in order to allow the WSAM application to capture the kerberos-based traffic. Previous versions do not contain the ability to capture the data.


@fild: do you see WSAM capturing the traffic successfully for Outlook? If you look at the event log tab on the WSAM application (WSAM UI > Advanced > Event log), do you see any access denied/ACL check failure messages? Are you expecting Kerberos- or NTLM-based auth for Outlook? Do you have all DCs/Exchange servers enabled as WSAM destinations? Are you using the WSAM application "Domain Authentication" as well as the Outlook application?

Visitor
fild
Posts: 6
Registered: ‎05-07-2009

Re: WSAM and Kerberos

Yes, all the access rights are there; NTLM is set as the auth method in Outlook. The best thing - it was working and it stopped. Maybe from the upgrade to 6.5r2?? I can connect via NC and there are some Kerberos packets. I can then run WSAM and connect to Outlook. Then again NC. Success. But no Kerberos packets...

So it looks like the Exchange server wants Kerberos for some reason and Kerberos is not working. When connecting via LAN or NC, it will try Kerberos and then NTLM. And NTLM will be OK.

I can also see denied in the WSAM logs...

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007

Re: WSAM and Kerberos

@fild: can you paste the access denied message here or what server is being denied? Can you confirm that the server that you are seeing the deny for is allowed in the SAM ACL? Do you have the "domain authentication" application defined for WSAM as well?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.