Scope: Previous setups, new setups, or site issues, on all firmware versions of the Web filter (WYF) and the KDCs (Key Distribution Center domain controllers) in use.
To use Kerberos, the customer must have Kerberos enabled on the DC. Next, the WYF needs to be part of the domain by FQDN hostname, and the time on each device used (DC/WYF/PC node) must be within 5 minutes of the others. Time is crucial! After that, tickets are the next concern, and there time is also crucial! Using a short name in the Kerberos advanced option settings of the existing authentication service may be helpful. Test join is not a 100% guarantee that it should work, and this also does not constitute a problem with the web filter in general.
Most tests will be performed from the CLI of the WYF, while some items are client specific. Please verify that this is not a domain login pop-up for a user who is unable to authenticate to Kerberos directly.
1. Client PC: verify that the times are all good between devices, or whether NTP is set differently from the WYF or DC.
2. The technician also needs to verify that database, logging, date, NTP, and time zone all match up in time.
3. Client PC: verify clearing of Kerberos tickets. Use klist and klist purge to clear any cached Kerberos tickets. Log the client PC off and back onto the domain to test. Also clear the cache (see solution# 6392) and check that the time is correct.
4. The technician needs to help verify the DNS settings (Basic > Ipconfig page). With Kerberos and hostname use, the DNS needs to be Internal DNS, with NO cache and Force local set. DNS must also be fast and able to resolve both ways.
5. Kerberos, like NTLM, authenticates the user in the domain and then passes the credentials via the browser when requesting anything, so the browser needs to be set correctly for proxy setup per the Techlib article How to Configure Kerberos Authentication.
Firmware prior to 8.0 used port 3128 for hybrid, and LDAP used 8080; in 7.x we needed to allow 8080 as necessary. In 8.x we use 3128 specifically for proxy only. v8.1.0.001 released the ability to handle Hybrid authentication properly.
Also reference, as needed, the Kerberos setup solution# 3975.
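The time check (steps 1 and 2) and the two-way DNS check (step 4) can be scripted. The following is an added example, not part of the original article or the vendor's tooling; the function names, host names, addresses and timestamps are assumptions made for illustration.

```python
# Added example: clock-skew and two-way DNS checks (all sample values are constructed).
import socket
from datetime import datetime, timedelta, timezone
from itertools import combinations

MAX_SKEW = timedelta(minutes=5)  # tolerance stated in the article

def skew_violations(clocks, max_skew=MAX_SKEW):
    """clocks maps device name -> UTC datetime sampled at the same moment.
    Returns (dev_a, dev_b, seconds_apart) for every pair beyond max_skew."""
    bad = []
    for (a, ta), (b, tb) in combinations(sorted(clocks.items()), 2):
        delta = abs(ta - tb)
        if delta > max_skew:
            bad.append((a, b, int(delta.total_seconds())))
    return bad

def system_forward(fqdn):
    return socket.gethostbyname_ex(fqdn)[2]  # list of IPv4 addresses

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]  # primary name from the reverse lookup

def dns_issues(fqdn, forward=system_forward, reverse=system_reverse):
    """Resolve fqdn, then confirm every address maps back to the same FQDN."""
    want = fqdn.rstrip(".").lower()
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror is an OSError
        return [f"forward lookup failed for {want}: {exc}"]
    issues = []
    for ip in addrs:
        try:
            name = reverse(ip).rstrip(".").lower()
        except OSError as exc:  # socket.herror is an OSError
            issues.append(f"no reverse record for {ip}: {exc}")
            continue
        if name != want:
            issues.append(f"{ip} maps back to {name}, expected {want}")
    return issues

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed sample
SAMPLE_CLOCKS = {"DC": NOW, "WYF": NOW + timedelta(seconds=40),
                 "PC": NOW - timedelta(minutes=7)}

if __name__ == "__main__":
    print(skew_violations(SAMPLE_CLOCKS))  # the PC is out of tolerance
    print(dns_issues("wyf.corp.example", lambda h: ["10.0.0.5"],
                     lambda ip: "old-filter.corp.example"))
```

Called with only an FQDN, dns_issues uses the system resolver, so it should be run from a host that uses the same internal DNS as the WYF.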