To deploy Kerberos in this configuration you must:
- Set up a load balancing device in front of your appliances and designate a virtual IP address to use for all explicit proxy requests. The load balancing device will then forward the requests to the ProxySGs in the group based on the load balancing rules you have defined.
- Create a DNS entry for the device that resolves to this IP address. Note that the DNS name you use must not map to an existing machine account name in Active Directory; otherwise the ProxySG appliance will not be able to decrypt Kerberos service tickets and authentication will fail.
- Create an Active Directory account for the Kerberos load balancing user. This account does not need any special privileges. You will create the SPN using this account and the ProxySG appliances will use the account credentials to decrypt the service tickets from clients.
- Use the Active Directory account you just created to create an SPN for the load balancing group as follows:
- Open a command prompt as administrator on the Domain Controller.
- Enter the following command:
setspn -A HTTP/<Load_Balancer_FQDN> <AD_Account_Name>
where <Load_Balancer_FQDN> is the fully qualified domain name (FQDN) of the load balancing device and <AD_Account_Name> is the name of the Active Directory user you created for the load balancing group. Note that this command is case-sensitive.
For example, if the FQDN of the load balancing device is lb.acme.com and the Active Directory account name you created is KerberosLBUser, you would enter the following command:
setspn -A HTTP/lb.acme.com KerberosLBUser
Do not assign the same SPN to multiple Active Directory accounts, or the browser will fall back to NTLM without providing any warning or explanation. To list all SPNs that are currently registered on an account, use the setspn -L <AD_Account_Name> command. If you find a duplicate, remove the extraneous SPN using the setspn -D <SPN> <AD_Account_Name> command.
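As an added example (not part of the original article), the following PowerShell pre-flight script covers the two checks the SPN step above depends on: that the load balancer's DNS name is not the DNSHostName of an existing computer account, and that HTTP/lb.acme.com is registered on at most one account. It uses the article's example names lb.acme.com and KerberosLBUser and assumes it runs on a domain-joined Windows host with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the original article: pre-flight checks for the
# load-balancer SPN before (or after) running setspn -A. Assumes the RSAT
# ActiveDirectory module; the names below are the article's example values.
Import-Module ActiveDirectory

$LbFqdn    = 'lb.acme.com'      # FQDN of the load balancing device
$LbAccount = 'KerberosLBUser'   # AD user created for the load balancing group
$Spn       = "HTTP/$LbFqdn"     # SPN is case-sensitive; keep the HTTP/ prefix as shown

# Check 1: the load balancer's DNS name must not be the DNSHostName of an existing
# computer account, or the ProxySG cannot decrypt the service tickets it receives.
$computer = Get-ADComputer -Filter "DNSHostName -eq '$LbFqdn'"
if ($computer) {
    Write-Warning "$LbFqdn is already the DNSHostName of computer account '$($computer.Name)'; choose a different name."
}

# Check 2: the SPN must be registered on at most one account. A duplicate makes
# browsers fall back to NTLM silently, so find every object that carries it.
$account = Get-ADUser -Identity $LbAccount
$owners  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")

switch ($owners.Count) {
    0 {
        Write-Output "$Spn is not registered yet. Register it with:"
        Write-Output "  setspn -A $Spn $LbAccount"
    }
    1 {
        if ($owners[0].DistinguishedName -eq $account.DistinguishedName) {
            Write-Output "OK: $Spn is registered only on $LbAccount."
        } else {
            Write-Warning "$Spn is already registered on $($owners[0].DistinguishedName)."
            Write-Warning "Remove it there first (setspn -D $Spn <that account>) or use a different name."
        }
    }
    default {
        Write-Warning "Duplicate SPN: $Spn is registered on $($owners.Count) objects:"
        $owners | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
        Write-Warning "Remove the extraneous entries with setspn -D; clients will not use Kerberos until you do."
    }
}

# Optional domain-wide sweep for any duplicated SPN, using the built-in setspn switch.
setspn -X
```

Run it again after the setspn -A command; the expected result is the single "OK" line for KerberosLBUser.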
- On each ProxySG, create an IWA Direct realm (see 000010216 for details). When configuring the realm on each appliance, you must provide the credentials for the AD Kerberos load balancing user you created. On the IWA Servers tab click Set credentials, enter the AD account User name and Password, and then click OK.
- Configure the client browser explicit proxy settings to point to the FQDN of the load balancing device.
NOTE: In some cases you may want to enter the ProxySG's own IP address as the proxy address in the browser instead of the load balancer. In that case the ProxySG returns the following exception, because the realm expects requests addressed to the load balancer (lb.acme.com):
Your request could not be processed because of a configuration error:
"Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal."
For assistance, contact your network support team.
To prevent this issue:
Create a new DNS entry for the ProxySG interface IP address that you want to use for internet access.
After this you will have two DNS entries for proxy access on the DNS server. For example:
- for the load balancer: lb.acme.com
- for the ProxySG interface IP address: direct.acme.com
Add a second IWA Direct realm for the real ProxySG interface IP address.
Note: You do not need to click Set credentials for this realm.
Add a new HTTP proxy port on the real ProxySG interface IP for internet access.
This is essential if you want to use the real ProxySG interface IP for internet access without the exception above.
Set this new HTTP proxy port as the proxy port in your browser if you want direct access via the ProxySG IP without the load balancer. For example:
- Add a new HTTP port 8888 on the real ProxySG interface IP for internet access.
- Change your browser's proxy address to the real ProxySG interface IP and the port to 8888.
- After this, your browser reaches the internet through the ProxySG on port 8888 without the exception.
Port 8888 is just an example; you can use any other port that is not in use.
Add an access policy for the real ProxySG interface IP to the Web Authentication Layer. You will typically already have a policy for load balancer access.
Add the new policy before the existing load balancer policy:
- Add a rule to the Web Authentication Layer.
- Right click Source and select Set.
- Click New and select Proxy IP Address/Port.
- Specify the settings:
- IP Address: the ProxySG IP address
- Port: 8888