How do I verify if Kerberos SPN is valid in an explicit proxy deployment?
Article ID: 168776
Products
ProxySG Software - SGOS
Issue/Introduction
In an explicit proxy deployment, the client builds a service principal name (SPN) from the proxy hostname configured in the browser (HTTP/<proxy hostname>) and sends a Kerberos TGS request (TGS-REQ) containing that SPN to the Key Distribution Center (KDC). The KDC answers with either a service ticket (TGS-REP) or an error (KRB-ERROR): it returns a service ticket if the SPN is registered to an account in the directory, and an error such as KDC_ERR_S_PRINCIPAL_UNKNOWN ("unknown principal name") if it is not.
Resolution
To verify that the SPN is valid for a client in an explicit proxy deployment:
1. Verify that the browser's proxy setting uses the ProxySG hostname the SPN was registered for, not an IP address; the browser derives the SPN it requests from that hostname.
2. At a command prompt on the client, clear the Kerberos ticket cache so the next request forces a new TGS-REQ:
   Windows: klist purge
   Mac: kdestroy
3. Start a packet capture (PCAP) on the client and attempt to authenticate to the ProxySG appliance, for example by opening a site through the proxy.
4. Stop the capture and examine the Kerberos packets exchanged with the KDC (TCP/UDP port 88). In the TGS-REQ, the sname field holds the SPN the client requested; the KDC's reply is either a TGS-REP carrying the service ticket or, if the SPN is invalid, a KRB-ERROR with KDC_ERR_S_PRINCIPAL_UNKNOWN.
If the browser cannot obtain a Kerberos ticket from the KDC, it falls back to NTLM when authenticating to the ProxySG, so authentication that succeeds only over NTLM is a symptom of an SPN problem rather than proof that Kerberos is working.
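The procedure above, scripted as an added example that is not part of the Broadcom article. It assumes a browser proxy setting of proxy.example.com:8080, capture interface eth0 and tshark installed on the client (all assumptions, not values from the article); the tshark field names, Kerberos message types and RFC 4120 error codes are real, and the KDC exchange fed to the analyzer at the bottom is constructed. It goes a little beyond the article by reading the requested SPN out of the capture programmatically, comparing it with the SPN the browser setting implies, and decoding the KDC's error code.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: scripts the Resolution steps
# above. Assumed values (not from the article): the browser's proxy setting is
# proxy.example.com:8080, the capture interface is eth0, and tshark is installed
# on the client. The sample output at the bottom is constructed, not captured.

PROXY_SETTING="proxy.example.com:8080"   # assumption: as typed in the browser

# Step 2: clear the ticket cache so the next proxy request forces a fresh TGS-REQ.
purge_tickets() {
    case "$(uname -s)" in
        MINGW*|CYGWIN*|MSYS*) klist purge ;;   # Windows, from a Git Bash/Cygwin shell
        *)                    kdestroy ;;      # macOS / Linux
    esac
}

# Steps 3-4: capture Kerberos traffic (port 88) for N seconds while you browse
# through the proxy, then extract the three fields the article says to inspect:
# message type, service name(s), error code. Not run by the demo below.
capture_kerberos() {   # usage: capture_kerberos eth0 60 /tmp/krb.pcap
    tshark -i "$1" -f 'port 88' -a "duration:$2" -w "$3"
}
dissect_kerberos() {   # usage: dissect_kerberos /tmp/krb.pcap
    tshark -r "$1" \
        -Y 'kerberos.msg_type == 12 || kerberos.msg_type == 13 || kerberos.msg_type == 30' \
        -T fields -e kerberos.msg_type -e kerberos.SNameString -e kerberos.error_code
}

# The SPN a browser requests for an explicit proxy is HTTP/<host as typed in the
# proxy setting>, port dropped. If that host is an IP address, no ticket is requested.
expected_spn() {
    printf 'HTTP/%s\n' "${1%%:*}"
}

# RFC 4120 error codes commonly seen in the KDC's reply.
krb_error_name() {
    case "$1" in
        6)  echo KDC_ERR_C_PRINCIPAL_UNKNOWN ;;
        7)  echo KDC_ERR_S_PRINCIPAL_UNKNOWN ;;   # "unknown principal name": SPN not registered
        25) echo KDC_ERR_PREAUTH_REQUIRED ;;
        68) echo KDC_ERR_WRONG_REALM ;;
        *)  echo "KRB_ERROR_$1" ;;
    esac
}

# tshark joins repeated SNameString values with ",". A TGS-REQ also carries the
# TGT's own sname (krbtgt/REALM) inside PA-TGS-REQ, so the requested service is the
# last name/instance pair: "krbtgt,EXAMPLE.COM,HTTP,proxy.example.com" -> "HTTP/proxy.example.com".
requested_spn() {
    echo "$1" | awk -F, '{ if (NF >= 2) print $(NF-1) "/" $NF; else print $0 }'
}

# Reads dissect_kerberos output on stdin, prints one line per message and ends with
# a verdict line: SPN_VALID, SPN_INVALID, KDC_ERROR_<code> or NO_KDC_RESPONSE.
analyze_fields() {     # usage: dissect_kerberos /tmp/krb.pcap | analyze_fields "$(expected_spn "$PROXY_SETTING")"
    want=$1
    tr '\t' '|' | {
        verdict=NO_KDC_RESPONSE
        while IFS='|' read -r mtype sname ecode; do
            spn=$(requested_spn "$sname")
            case "$mtype" in
                12) if [ "$spn" = "$want" ]; then note="matches the browser's proxy host"
                    else note="MISMATCH, browser setting implies $want"; fi
                    echo "TGS-REQ   $spn ($note)" ;;
                13) echo "TGS-REP   service ticket issued for $spn"; verdict=SPN_VALID ;;
                30) echo "KRB-ERROR $ecode $(krb_error_name "$ecode") for $spn"
                    if [ "$ecode" = 7 ]; then verdict=SPN_INVALID; else verdict="KDC_ERROR_$ecode"; fi ;;
            esac
        done
        echo "$verdict"
    }
}

# Constructed sample (not a real capture): the browser asked for HTTP/proxy.example.com
# and the KDC answered KRB-ERROR 7, i.e. the SPN is not registered.
sample_fields() {
    printf '12\tkrbtgt,EXAMPLE.COM,HTTP,proxy.example.com\t\n30\tHTTP,proxy.example.com\t7\n'
}
demo() { sample_fields | analyze_fields "$(expected_spn "$PROXY_SETTING")"; }

demo
```

On a real client, replace the demo with `purge_tickets`, `capture_kerberos eth0 60 /tmp/krb.pcap` while you open a page through the proxy, then `dissect_kerberos /tmp/krb.pcap | analyze_fields "$(expected_spn "$PROXY_SETTING")"`. A TGS-REQ line marked MISMATCH means the browser is asking for a different SPN than you registered (usually a hostname or alias difference); a KRB-ERROR 7 means the name it asked for is not registered at all.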