ISG proxy not utilizing the appliance name to establish a connection with the Windows domain.
Article ID: 276674
Updated On:
Products
Issue/Introduction
The ProxySG/ASG hardware appliance establishes a connection with the Windows domain by utilizing the specified appliance name. However, in the case of the ISG proxy, it deviates from this convention and establishes the connection with the Windows domain using the naming format SG-<serial_number>, rather than the appliance name.
Multiple ISG Proxies using the same hostname i.e. SG-<serial_number> cause failed Auth health check.
LSA debug log entries:
9639.433 KRB5-TRACE: init_creds_step_request() at get_in_tkt.c:1341:
9639.433 KRB5-TRACE: [-5746xxxxx] 17007xxxxx.158xxx: Getting initial credentials for [email protected]
9639.433 KRB5-TRACE: krb5_init_creds_init() at get_in_tkt.c:902:
9639.433 DEBUG: (null) - [LwKrb5GetTgtImpl() krbtgt.c:412] LwKrb5GetTgtImpl(),
Configured appliance name, and entries from Sysinfo:
!- BEGIN general
appliance-name "TEST_ISG_PROXY"
!- END general
Resolution
In ISG proxy it uses the default hostname ser for authentication in settings (under ProxySG GUI > Configuration > Authentication > Realms and Domains) as below:
If the custom hostname is not set it will use the default hostname i.e. SG-<Serial_number>. To set a hostname go to ProxySG GUI > Configuration > Authentication > Realms and Domains > Click Custom and enter the hostname. Refer the image above.
In case there are multiple ISG proxies in the same environment, and the hostname set for authentication is default then all the deployed ISG proxies will use the same hostname i.e. SG-<Serial_number> which can cause issues with Kerberos authentication as the TGT will be already renewed to another ISG proxy with same hostname which will result into KRB5 Error code: -1765328360 "Preauthentication failure".
Refer to sample LSA log entries below:
0003.119 Trusted domain list: Found unprovisioned mode config.
9940.678 TRACE: lsass - [ADSyncMachinePasswordThreadRoutine() machinepwd.c:442] Error: Failed to refresh machine TGT for RTDOMAU.LOCAL (error = 40022)
9940.678 TRACE: lsass - [ADSyncMachinePasswordThreadRoutine() machinepwd.c:433] ADRefreshMachineTGT() returned 40022 in ADSyncMachinePasswordThreadRoutine()
9940.678 TRACE: lsass - [ADRefreshMachineTGT() machinepwd.c:731] Error at machinepwd.c:731 code: 40022 (symbol: LW_ERROR_PASSWORD_MISMATCH)
9940.678 DEBUG: (null) - [LwKrb5InitializeCredentials() lwkrb5.c:518] [LwKrb5InitializeCredentials() lwkrb5.c:518] Error code: 40022 (symbol: )
9940.678 WARNING: (null) - [LwTranslateKrb5Error() lwkrb5.c:898] [LwKrb5GetTgtImpl krbtgt.c:436] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
9940.678 KRB5-TRACE: [-574618685] 1700730200.188248: Selected etype info: etype rc4-hmac, salt "", params ""
9940.678 KRB5-TRACE: get_etype_info() at preauth2.c:852:
9940.678 KRB5-TRACE: [-574618685] 1700730200.188247: Processing preauth types: 11, 19
9940.678 KRB5-TRACE: k5_preauth() at preauth2.c:1030:
9940.678 KRB5-TRACE: [-574618685] 1700730200.188246: Preauthenticating using KDC method data
9940.678 KRB5-TRACE: init_creds_step_request() at get_in_tkt.c:1386:
9940.678 KRB5-TRACE: [-574618685] 1700730200.188243: Received error from KDC: -1765328360/Preauthentication failed
9940.678 KRB5-TRACE: init_creds_validate_reply() at get_in_tkt.c:1139:
9940.678 KRB5-TRACE: [-574618685] 1700730200.188242: Response was from master KDC
Feedback
