Kerberos authentication fails against ProxySG with error: "wrong Kerberos service principal"

Article ID: 170570

Products

ProxySG Software - SGOS

Issue/Introduction

Kerberos authentication does not work when using the ProxySG.

In the Policy_Trace on the ProxySG:

EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal

 

In the user's browser:

Cause

The HTTP Service Principal Name (SPN) of the ProxySG is missing in the Key Distribution Center (KDC).

Resolution

Connect to your Active Directory server (which is your KDC) and update the SPNs registered for the ProxySG:

  • List all the SPNs of the ProxySG and confirm the HTTP SPN is missing

setspn -l <insert your proxysg name>

  • Add the new SPN for HTTP

setspn -s http/<insert your proxysg name with FQDN> <insert your proxysg name>

  • Verify that the new HTTP SPN is listed for the ProxySG

setspn -l <insert your proxysg name>
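
The three steps above combined into one idempotent PowerShell script. This is an added example, not part of the original article or of any vendor tooling; the parameter names `ProxyAccount` and `ProxyFqdn` and the two function names are assumptions made for illustration, and the script assumes setspn returns a non-zero exit code on failure.

```powershell
# Added example: list, add and verify the HTTP SPN in one pass.
# Save as a .ps1 file and run on a domain-joined host with rights to modify the account.
param(
    [Parameter(Mandatory)] [string] $ProxyAccount,  # AD account name of the ProxySG (placeholder)
    [Parameter(Mandatory)] [string] $ProxyFqdn      # FQDN of the ProxySG (placeholder)
)

$wantedSpn = "http/$ProxyFqdn"

function Get-RegisteredSpn {
    param([string] $Account)
    # setspn -l prints one header line, then one indented SPN per line.
    $output = & setspn.exe -l $Account
    if ($LASTEXITCODE -ne 0) {
        # Assumption: a failed lookup (for example, unknown account) sets a non-zero exit code.
        throw "setspn -l failed for '$Account': $($output -join ' ')"
    }
    $output | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

function Test-SpnRegistered {
    param([string] $Account, [string] $Spn)
    # -contains is case-insensitive, so HTTP/... and http/... count as the same SPN.
    @(Get-RegisteredSpn -Account $Account) -contains $Spn
}

# Step 1: confirm the HTTP SPN is really missing before changing anything.
if (Test-SpnRegistered -Account $ProxyAccount -Spn $wantedSpn) {
    Write-Output "$wantedSpn is already registered on $ProxyAccount; nothing to add."
    return
}

# Step 2: add the SPN. -s checks for a duplicate first and will not add
# the SPN if another account already holds it.
& setspn.exe -s $wantedSpn $ProxyAccount
if ($LASTEXITCODE -ne 0) {
    throw "setspn -s did not add $wantedSpn to $ProxyAccount (exit code $LASTEXITCODE)."
}

# Step 3: verify the new SPN is now listed for the ProxySG.
if (-not (Test-SpnRegistered -Account $ProxyAccount -Spn $wantedSpn)) {
    throw "$wantedSpn is still not listed for $ProxyAccount after setspn -s."
}
Write-Output "$wantedSpn is now registered on $ProxyAccount."
```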

 
