ProxySG & Advanced Secure Gateway

IWA realm with Kerberos authentication not working.

Rad999 posted May 27, 2022 08:21 AM
Hello guys,

I'm testing the following setup in the LAB:

BC SWG V-100 SGOS 6.7.5.12
Windows Server 2016 Standard, fully patched, acting as DC and running BCAAA agent 6.1.52

Domain user for BCAAA agent is set with the following rights:

Logon as a service
Act as part of the operating system
Full rights to BCAAA agent installation directory

SPN correctly set up for the FQDN and BCAAA user

No duplicate SPNs exist.

On the client I see the ticket for the SPN using klist.exe

However, the health check for the IWA realm using Kerberos authentication is still down, saying:
The authentication agent could not communicate with its authority.

I'm not sure what authority means, but I assume KDC?

The IWA realm using NTLM works just fine.

I have tried everything and I'm out of ideas. I think I'm missing something on the DC for the BCAAA service.

Do you have any ideas please?

Thank you.
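The checks Rad999 lists above (SPN registered, no duplicates, service-account rights, client holds a ticket) can be scripted. The following is an added example, not code from the thread or from Broadcom; it uses only built-in Windows tools (setspn, secedit, klist) and the ActiveDirectory module. `$ProxyFqdn` and `$BcaaaAccount` are placeholders to adjust. Run the first two functions on the DC as an administrator and `Test-ClientTicket` on a domain-joined client.

```powershell
# Added example (not from the thread): verify the SPN, duplicate SPNs, the BCAAA
# service account's user rights, and the client-side service ticket.
#Requires -Modules ActiveDirectory

$ProxyFqdn    = 'proxy.lab.example'   # assumed: the name browsers use to reach the proxy
$BcaaaAccount = 'svc_bcaaa'           # assumed: sAMAccountName of the BCAAA service user
$Spn          = "HTTP/$ProxyFqdn"

function Test-SpnOwner {
    # setspn -Q lists every directory object whose servicePrincipalName holds the
    # value. Exactly one DN line is the healthy case.
    $owners = @(setspn -Q $Spn | Where-Object { $_ -match '^CN=' })
    Write-Host "Objects holding ${Spn}: $($owners.Count)"
    $owners | ForEach-Object { Write-Host "  $_" }
    if ($owners.Count -ne 1) {
        Write-Warning "$Spn is missing or registered on more than one object; the KDC cannot issue a usable ticket."
    }
    # The KDC maps HTTP/ to HOST/ by default. If a computer object named after the
    # proxy carries HOST/<fqdn> and HTTP/<fqdn> were ever missing, tickets would be
    # issued under that computer's key, which BCAAA cannot decrypt.
    $hostOwners = @(setspn -Q "HOST/$ProxyFqdn" | Where-Object { $_ -match '^CN=' })
    if ($hostOwners) { Write-Host "Note: HOST/$ProxyFqdn is held by: $($hostOwners -join '; ')" }
    # setspn -X reports duplicate SPNs across the forest, whatever the service class.
    $dups = @(setspn -X | Where-Object { $_ -match 'HTTP/' })
    if ($dups) { Write-Warning "Duplicate HTTP SPNs reported by setspn -X: $($dups -join '; ')" }
}

function Test-ServiceAccountRights {
    # Export the effective user-rights assignment and look for the account SID
    # under the two rights the BCAAA install needs. Rights granted through a group
    # show the group's SID instead, so a miss here means "check further", not "absent".
    $sid = (Get-ADUser -Identity $BcaaaAccount).SID.Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $cfg
    $wanted = @{
        SeServiceLogonRight = 'Log on as a service'
        SeTcbPrivilege      = 'Act as part of the operating system'
    }
    foreach ($right in $wanted.Keys) {
        $line = $policy | Where-Object { $_ -like "$right =*" }
        $ok   = [bool]($line -and ($line -like "*$sid*"))
        $state = if ($ok) { "granted to $BcaaaAccount" } else { 'NOT granted directly to the account' }
        Write-Host ("{0,-40} {1}" -f $wanted[$right], $state)
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

function Test-ClientTicket {
    # On a client: request a service ticket for the proxy SPN and confirm it is
    # cached. An SPN registered nowhere fails here (KDC_ERR_S_PRINCIPAL_UNKNOWN);
    # a ticket issued under the wrong account's key looks fine here and only
    # surfaces as a failure on the proxy/BCAAA side.
    $out = klist get $Spn 2>&1
    if ($out -match 'failed') { Write-Warning ($out -join ' ') }
    $cached = klist | Select-String -Pattern ([regex]::Escape($Spn))
    if ($cached) { Write-Host "Cached ticket present for $Spn" }
    else         { Write-Warning "No ticket for $Spn in the client cache" }
}

# On the DC:
Test-SpnOwner
Test-ServiceAccountRights
# On the client:
# Test-ClientTicket
```

The HOST/ check is there because the thread mentions joining the proxy to the domain as a computer object; it is a note of what to look at, not a claim about this lab's root cause.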
Phil Jones
Hi

Did you follow this article and especially the Verifying the use of Kerberos section?


https://knowledge.broadcom.com/external/article/168161/configure-kerberos-authentication-for-pr.html

Pcap would help see what is happening.
Rad999
Hi Phil,

I followed the official SGOS admin guide. In your article there is one more step - add the proxy as computer into domain.

I did that but no change.

In the pcap on the client I see that the proxy is offering negotiate. As you can see Kerberos is not listed as the health check is down:


But I think the client is sending the Kerberos ticket anyway:


I don't think capturing between proxy and DC will have any benefit as that is proprietary over 16101.

On the DC in the event viewer, I see that the BCAAA user attempted kerberos authentication and requested service ticket.

I'm not sure where else to look.

Thank you.
Phil Jones
Are you running the Proxy in Transparent or Explicit mode?
Phil Jones
In the event that the browser/user agent and/or the BCAAA server are not configured properly for Kerberos, the proxy will downgrade to NTLM.

You mentioned the Admin guide; did you take a look at the Authentication guide?
Phil Jones
The pcap looks like a transparent setup.
I think what you are seeing in the pcap is expected and the client showing it's using Kerberos is a good sign.

Check pages 57-83 - https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/SGOS_Auth_guide.pdf

The Health Check failing looks like a communication issue, I presume you ran the pcap during a Health Check test to capture the failure?
https://knowledge.broadcom.com/external/article/167375/index?page=content&id=TECH240878

You should be able to type kerberos in the pcap display filter section too.
Pcaps from the Proxy to the BCAAA and from the BCAAA to the Proxy need to be checked.

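Phil's suggestion of typing kerberos into the Wireshark filter can be done from the command line as well. The block below is an added example, not code from the thread; it runs tshark over the client-side capture and prints the Kerberos exchange (AS/TGS requests, replies, errors, and the requested service name) alongside the proxy's Proxy-Authenticate challenges and what the client actually put into Proxy-Authorization. That last point matters for the observation above that the proxy offers Negotiate without Kerberos in the list: a Negotiate token that begins with TlRMTVNT is an NTLMSSP blob, so the client fell back to NTLM, while a token beginning with YI or YH is SPNEGO carrying a Kerberos ticket. It assumes tshark is on PATH; the capture file name is a placeholder.

```powershell
# Added example (not from the thread): summarise a client-side capture with tshark.
$Pcap = '.\client.pcapng'   # assumed: the capture taken on the client during the failure

$Fields = @('frame.number', 'ip.src', 'ip.dst',
            'kerberos.msg_type', 'kerberos.SNameString', 'kerberos.error_code',
            'http.request.method', 'http.response.code',
            'http.proxy_authenticate', 'http.proxy_authorization')

$tsharkArgs = @('-r', $Pcap,
                '-Y', 'kerberos || http.proxy_authenticate || http.proxy_authorization',
                '-T', 'fields', '-E', 'separator=|')
foreach ($f in $Fields) { $tsharkArgs += '-e'; $tsharkArgs += $f }

# RFC 4120 message types and the error codes most often seen in a broken SPN setup.
$MsgType = @{ '10' = 'AS-REQ'; '11' = 'AS-REP'; '12' = 'TGS-REQ'; '13' = 'TGS-REP'; '30' = 'KRB-ERROR' }
$ErrCode = @{
    '6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (SPN not registered)'
    '25' = 'KDC_ERR_PREAUTH_REQUIRED (normal before the pre-authenticated AS-REQ)'
    '52' = 'KRB_ERR_RESPONSE_TOO_BIG (client retries over TCP, normal)'
}

function Get-TokenKind([string]$header) {
    # The header value is "Negotiate <base64 token>". SPNEGO/Kerberos tokens are DER
    # starting with 0x60, which base64-encodes to "YII"/"YIG"/"YH..."; a raw NTLMSSP
    # blob starts with the bytes "NTLMSSP", which encode to "TlRMTVNT".
    if (-not $header) { return '(no token)' }
    $token = ($header -split '\s+')[-1]
    if ($token -like 'TlRMTVNT*') { return 'NTLM (fallback)' }
    if ($token -like 'YI*' -or $token -like 'YH*') { return 'Kerberos/SPNEGO' }
    return 'unknown'
}

& tshark @tsharkArgs | ForEach-Object {
    $c = $_ -split '\|', $Fields.Count
    if ($c[3]) {
        $name = $MsgType[$c[3]]; if (-not $name) { $name = "krb msg_type $($c[3])" }
        $err = ''
        if ($c[5]) {
            $err = ' ' + $(if ($ErrCode[$c[5]]) { $ErrCode[$c[5]] } else { "error $($c[5])" })
        }
        "{0,6} {1,-15} -> {2,-15} {3} {4}{5}" -f $c[0], $c[1], $c[2], $name, $c[4], $err
    }
    elseif ($c[6]) {
        "{0,6} {1,-15} -> {2,-15} {3} request, Proxy-Authorization: {4}" -f $c[0], $c[1], $c[2], $c[6], (Get-TokenKind $c[9])
    }
    elseif ($c[7]) {
        "{0,6} {1,-15} -> {2,-15} HTTP {3}, Proxy-Authenticate: {4}" -f $c[0], $c[1], $c[2], $c[7], $c[8]
    }
}
```

A healthy explicit-proxy sequence reads: a 407 with Proxy-Authenticate: Negotiate, a TGS-REQ for HTTP/<proxy fqdn> answered by a TGS-REP, then the retried request carrying a Kerberos/SPNEGO token. A TGS-REQ answered by KRB-ERROR 7, or a retried request whose token decodes as NTLM, points at the SPN or the client's Negotiate configuration rather than at the proxy.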
Rad999
Hi Phil,

This is explicit proxy setup.

I went through the documentation from your post again and did not find anything.

Capture between proxy and BCAAA looks good. I don't think there is any issue if NTLM authentication to the same DC works fine.


I found the following logs on the DC related to the BCAAA user, thrown each time I restart the BCAAA service:

I tried to fix this but I was not successful. I don't know if this error is the RCA for my issue. Also, MS resources are confusing, as some say it can be ignored and some say it should not be.

I still think there is something wrong with the DC. I'm now trying to set up a brand new DC to exclude any adjustments I made in the past on the existing DC.

Thank you.
Phil Jones
From the documentation and the pcaps it looks like Kerberos is being used.

I don't think you see it on the Proxy pcap as the documentation states it's behind the scenes.
You see it in the client-to-DC-side pcap, and yours shows the requests and the ticket.

In the Client pcap you had if you enter kerberos in the filter field at the top, do you see the requests, responses and the GET?
Also is there anything odd seen in the pcap if you select "Analyze > Expert Information" from the menu at the top?


The health check looks like another issue, hopefully someone else can clarify...