ProxySG performs Kerberos callouts even when Kerberos is not enabled in the authentication realm.

Article ID: 168594

Products

ProxySG Software - SGOS

Issue/Introduction

You have observed the ProxySG reaching out on port 88 (and possibly other ports, depending on the configuration of the KDC) even though you do not use Kerberos for client authentication.

Is this a potential problem, and can it be safely stopped?

Cause

The ProxySG appliance uses Kerberos to communicate with the DC for Schannel, in order to pass NTLM credentials.

In effect, the ProxySG communicates with the domain using Kerberos even though Kerberos is not the client authentication method.

Disabling the Kerberos checkbox in the authentication realm simply stops 'negotiate' from being listed in the 407 response from the proxy; it does not change the ProxySG's communication with AD.

Stopping this traffic is not recommended as it would almost certainly disrupt authentication.
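
To confirm what the realm checkbox changes on the client-facing side, the 407 response can be inspected for the schemes it offers. The following is an added example, not code from this article or from the vendor; the sample responses are constructed and the function names are hypothetical.

```python
import re

# Constructed sample responses (not captured from a real ProxySG).
SAMPLE_KERBEROS_ENABLED = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_KERBEROS_DISABLED = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: NTLM, Basic realm="corp, hq"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

# An HTTP token, then the first non-space character that follows it.
_TOKEN = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(.?)")
# A comma that is not inside a double-quoted string.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def offered_schemes(raw_response: bytes) -> list[str]:
    """Return the auth schemes offered in Proxy-Authenticate headers of a 407."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "407":
        raise ValueError("not a 407 response")
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        # One header may carry several challenges, and auth-params are also
        # comma separated: a token followed by '=' is a parameter, not a scheme.
        for item in _COMMA_OUTSIDE_QUOTES.split(value):
            m = _TOKEN.match(item.strip())
            if m and m.group(2) != "=":
                schemes.append(m.group(1))
    return schemes


def negotiate_offered(raw_response: bytes) -> bool:
    """True if the 407 lists Negotiate (scheme names are case-insensitive)."""
    return any(s.lower() == "negotiate" for s in offered_schemes(raw_response))
```

A False result from `negotiate_offered` only describes the challenge sent to clients; the port 88 traffic from the appliance to the DC is expected to continue either way.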

Resolution

Do not block or restrict the Kerberos communication from the ProxySG to AD.