Learn how to configure Kerberos authentication in a Symantec ProxySG or Advanced Secure Gateway (ASG) environment.
The following two ways can be used to get authentication working on ProxySG:
Note: If any issue, please refer to these references:
Please note: It's possible to associate multiple Service Principal Names to the User account that the BCAAA service runs as. Hence, It's possible to have multiple ProxySG's sharing the same BCAAA service. It's possible to run the setspn command multiple times and associate different service names with the same BCAAA account. Yet the command cannot register the same SPN to more than one account. Microsoft Windows does not throw an error if it occurs. Manually check to make sure that the SPN is not registered twice by using the setspn -l command. Remove any overlapping SPNs by using the setspn -d command.
Note: In explicit proxy deployments, the previously mentioned Kerberos authentication works for both HTTP and HTTPS site authentication. The packet capture shows the evidence (notice the CONNECT request precedes Kerberos traffic).