Authentication prompts when browsing through Symantec Endpoint Protection Web Traffic Redirection to an internal proxy

Article ID: 174617

Products

Endpoint Protection Web Security Service - WSS

Issue/Introduction

When the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) feature is in use and the client connects to an internal proxy server that uses Kerberos authentication, all Web activity fails and generates authentication prompts.

Cause

The SEP client WTR feature creates a Local Proxy Service (LPS), which listens on the loopback interface of the client computer and connects to the downstream proxy to fulfill the requests. When the downstream proxy requests authentication, the LPS relays the authentication request to the Web client. The Web client sees the request as coming from localhost (either 127.0.0.1 or ::1). Because Kerberos requires that the requestor and grantor both use a fully-qualified domain name (FQDN), the authentication request is ignored. The current version of SEP WTR does not have the ability to proxy Kerberos requests.

Resolution

The SEP client WTR component is not compatible with Kerberos authentication. Instead, use one of the following:

  1. Use an alternate proxy authentication method for the affected client(s)
  2. Disable Web Traffic Redirection and specify the proxy using another method
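
The following diagnostic is an added example, not Symantec code: it classifies a proxy challenge as the Web client sees it, flagging the case under Cause where a Kerberos challenge arrives from a proxy addressed as localhost. The function names, the port 8080 and the sample 407 response are constructed for illustration, and Negotiate is assumed to be the HTTP scheme carrying Kerberos.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a 407 as the Web client would receive it via the LPS.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)

def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other DNS name

def offered_schemes(raw_response):
    """Schemes listed in the Proxy-Authenticate headers of a 407 response."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] != "407":
        return []
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def diagnose(proxy_url, raw_response):
    """Classify a proxy challenge against the failure this article describes."""
    host = urlsplit(proxy_url).hostname or ""
    schemes = offered_schemes(raw_response)
    if not schemes:
        return "no-proxy-auth"
    if not is_loopback(host):
        return "proxy-has-name"  # client can address the proxy by FQDN
    # Negotiate is the HTTP scheme that carries Kerberos (RFC 4559).
    others = [s for s in schemes if s != "negotiate"]
    if "negotiate" in schemes and not others:
        return "kerberos-via-loopback"  # the case in this article
    return "alternate-offered:" + ",".join(others)

if __name__ == "__main__":
    print(diagnose("http://127.0.0.1:8080", SAMPLE_407))
```

A result of `kerberos-via-loopback` corresponds to the failure described here; `alternate-offered:` lists the non-Kerberos schemes the proxy is also advertising, which is the situation option 1 of the Resolution aims for.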