Set up the Windows environment
To function properly in Microsoft Windows environments, Kerberos requires certain conditions on both the client and the Domain Controller. Before configuring any Broadcom elements in the network, ensure that the following Windows components are in order:
- Set up a valid Active Directory (AD) environment. All clients must be part of this AD domain to use Kerberos. If the client is not part of the domain, the only option is to use constrained Kerberos delegation. See Configuring Kerberos Constrained Delegation (KCD).
- The Edge SWG (ProxySG) appliance must have a valid DNS "A record" entry (a CNAME does not work). In this example scenario, we create a DNS "A record" for the Edge SWG (ProxySG), mapping the Hostname/FQDN to the IP address:
In this example, the Hostname "proxysg" and FQDN of "proxysg.davidv.local" maps to the IP address of 10.91.25.10.
Use the NSLOOKUP tool to check that the clients use this DNS server. Next, ping both the Hostname and FQDN of the Proxy looking for the properly resolved IP address.
Configure authentication on Edge SWG (ProxySG)
The following two ways can be used to get authentication working on Edge SWG (ProxySG):
- Direct join the Edge SWG (ProxySG) (recommended)
- Use legacy BCAAA
Setting up Direct Join with Edge SWG (ProxySG) (Recommended)
- Set the Primary DNS server on the Edge SWG (ProxySG) as the AD domain DNS Server
- Configuration > Network > DNS
- Set NTP on the Edge SWG (ProxySG) to be the same time as the AD Domain
- Configuration > General > Clock
- Go to Configuration > Authentication > Windows Domain > Enter the Hostname of the Edge SWG (ProxySG) resolvable in DNS
- Apply Change
- Go to Configuration > Authentication > Windows Domain > Click Add New Domain
- Create Name for the Domain Alias
- Apply Change
- Go to Configuration Tab > Authentication > Windows Domain > Click on Named Domain Alias > Click Join
- Enter in the DNS server to query
- Enter Username and Password for service account with Admin Privileges
- Click OK
Note: If any issue, please refer to these references:
ProxySG First Steps WebGuide - Configure IWA Direct
SGOS Administration Guide (6.7.x)
Authentication WebGuide (6.5.x and later)
Setting up the BCAAA Components
- Create credentials for a Domain User that BCAAA uses. In this example we create a new user "BCAAA user" in the AD domain.
Download and install the version of the BCAAA executable that is provided with the version of SGOS that is on the Proxy. These both can be found in the MySymantec website (Note: Symantec credentials required).
During the setup of the BCAA installation, it is acceptable to use the BCAAA setup defaults.
Open "services.msc", and locate the BCAAA service. Edit the service's properties and ensure that under the "Log On" tab, the BCAA domain user is set. Restart the service:
- During the user creation process, untick "User must change password" option.
- Open the group policy object editor: Computer configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Act as part of the operating system. Add the BCAAA user here.
- Open the group policy object editor: Computer configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service. Add the BCAAA user here.
- Refresh the Group Policy Object by executing the command "gpupdate" on the command line
5. Set up an IWA realm on the Edge SWG (ProxySG) appliance, under "Configuration > Authentication > IWA". Enter the correct IP of the BCAAA server, and ensure that "Allow Kerberos credentials" is ticked:
6. Set up a web authentication layer with the action being "Authentication using Proxy / ProxyIP" using the IWA realm:
7. That is all that is required on the Edge SWG (ProxySG) side. Most of the configuration is Windows-related, as is most of the troubleshooting of any problems that may arise.
Post-Setup: Setting Up the Windows Environment
- Add the Edge SWG (ProxySG) hostname to the "Computers" section in AD:
Open a command prompt as Administrator on the Domain Controller and register the SPN for the BCAAA service by using the following command (case sensitive):
- Note: This entry MUST match the DNS entry
- setspn -A HTTP/proxysg.davidv.local BCAAAuser
- Where "proxysg.davidv.local" is the FQDN of the ProxySG, and BCAAAuser is the AD User the BCAA service is used for logon.
Please note: It's possible to associate multiple Service Principal Names to the User account that the BCAAA service runs as. Hence, It's possible to have multiple Edge SWG (ProxySG) sharing the same BCAAA service. It's possible to run the setspn command multiple times and associate different service names with the same BCAAA account. Yet the command cannot register the same SPN to more than one account. Microsoft Windows does not throw an error if it occurs. Manually check to make sure that the SPN is not registered twice by using the setspn -l command. Remove any overlapping SPNs by using the setspn -d command.
Post-Setup: Setting up the client environment (Explicit Proxy ONLY)
- IE7+ or Mozilla Firefox. For either, set the browser to use the Hostname/FQDN of the proxy when explicitly configured:
The following steps were performed with IE:
- Under Tools > Internet Options > Advanced, scroll to the bottom of the list and ensure that the option Enable Integrated Windows Authentication is enabled. IE only uses Kerberos to sites that are in its "intranet zone". Under Internet Options > Security > Local intranet > Sites > Advanced, add the Edge SWG (ProxySG)'s FQDN:
Verifying the use of Kerberos:
There's no way of forcing the use of Kerberos. By default, the clients first try using Kerberos, and if a failure occurs it downgrades to using NTLM for authentication. There's no way of disabling NTLM. It only ensures that the conditions are correct to favor Kerberos over NTLM.
- Ensure that the proxy sends out the "Negotiate" option when asking for authentication, most easily seen in a packet capture on the client:
The NEGOTIATE method by itself does not guarantee the client uses Kerberos. NEGOTIATE gives the client the option of either Kerberos or NTLM
2. Ensure that the client uses Kerberos in one of three ways:
- From the client packet capture. Use the Wireshark display filter "Kerberos". It's possible to see both the authentication requests from the client to the Domain Controller, as well as the Kerberos ticket that is included in the HTTP GET request:
- Using the Event Viewer on the Domain Controller, under the security logs, it's possible to see two successful authentication events of type "Account Logon". The keyword to look for is "ticket":
- Download the utility "kerbtray", available from Microsoft:
Note: In explicit proxy deployments, the previously mentioned Kerberos authentication works for both HTTP and HTTPS site authentication. The packet capture shows the evidence (notice the CONNECT request precedes Kerberos traffic).