Error validating user via ntlm
This document is the extended Kerberos guide which includes full background and context.
If you do not have hours to read through this guide, please check out the simplified Kerberos guide: ; please also check out , a tool meant to simplify the Kerberos setup process.
Web Gateway's Kerberos library was updated to a more modern approach: if the client presents a ticket, Web Gateway attempts to decrypt it using the available keys in the keytab.
This reduces the need to add other SPNs to the keytab. Install , which is used to add SPNs to the keytab generated above (in my example the .keytab file is in the /root folder).
Please note that the credentials can be specified in full LDAP syntax; alternatively you can use . If you wish to use LDAPS, you must do two things in order for it to work. Obtain and trust the certificates presented by the LDAPS server.
We will import an existing Ruleset from the Ruleset library in order to set up the framework needed to authenticate users.
ktpass -princ HTTP/mandarin.vegas.local@VEGAS.LOCAL -mapuser mwg-kerb-user -pass password -ptype KRB5_NT_PRINCIPAL -out mandarin.vegas.local.keytab

Example (Server 2008):
ktpass -princ HTTP/[fqdn-of-appliance_lowercase]@[DOMAIN_UPPERCASE] -mapuser [USERNAME] -pass [PASSWORD] -ptype KRB5_NT_PRINCIPAL -crypto All -out [OUTPUT-FILENAME].keytab
ktpass -princ HTTP/mandarin.vegas.local@VEGAS.LOCAL -mapuser mwg-kerb-user -pass password -ptype KRB5_NT_PRINCIPAL -crypto All -out mandarin.vegas.local.keytab

As of Web Gateway version 7.3, there is no need to add additional SPNs via the CLI.
Transfer the resulting .keytab file back to your workstation (/root/mandarin.vegas.local.keytab).
In the event that you have multiple domains, it may be necessary to create users and generate keytabs on both domains.