
Constrained Delegation issues

Balcee76
New Contributor


Hi guys

 

I'm having issues configuring constrained delegation for users who are attempting to access a web resource via the Pulse.

 

Working from the following document:

https://www-prev.pulsesecure.net/download/techpubs/current/415

 

Authentication is stalling at page 20 where a second authentication box is appearing. Has anyone seen this before and what can I do to remove this authentication box?

 

From the Pulse logs, I see this entry:

Fetch Kerberos TGT for user ramoss, realm NETWORK.INTERCAR.COM failed: Credential validation failed against ukdcvdc25.NETWORK.INTERCAR.COM

 

Thanks very much, any help would be greatly appreciated.

3 REPLIES
r@yElr3y
Moderator

Re: Constrained Delegation issues

@Balcee76 Failing to fetch the TGT means there's no user with that username present in the Kerberos realm.

Please confirm that the username is valid and that it's a valid account with a sAMAccountName attribute present that matches the username.

PCS Expert
Pulse Connect Secure Certified Expert
Balcee76
New Contributor

Re: Constrained Delegation issues

Thank you for your reply. AD administrators have checked and all checked out. The system is set up with MFA. When a user browses to https://clientservices.network.intercar.com, they are met with a SecureAuth SSO login box.


User logs in with the AD credentials and is presented with the Pulse landing page. From there, they click on the web resource and the secondary authentication box appears. They're allowed to access if they enter the credentials, but ideally we don't want to see it.

 

Any further advice would be gratefully received.

 

Thanks

r@yElr3y
Moderator

Re: Constrained Delegation issues

@Balcee76  Is it possible to test the setup using the Kerberos utility present within the VPN server admin interface? 

 

Reference - https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Using%20the%20Kerberos%20Debuggi...

 

  • Kerberos Client: Username of the user who'd be accessing the web resource.
  • Delegation Account: Username of the Kerberos service account.
  • Server: Web resource URL
  • Client Realm: Kerberos realm of the user account, i.e., domain name XYZ.COM
  • Server Realm (Optional)
  • Client KDC: AD server that's hosting the domain.
  • Server KDC (Optional)
  • Password: Password of the delegation service account.
PCS Expert
Pulse Connect Secure Certified Expert
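
An added example, not part of the thread or of the vendor's documentation: a PowerShell pre-flight check of the Active Directory objects behind the fields listed above, using the ActiveDirectory module. The function name, parameter names and placeholder values are assumptions, as is the premise that this setup needs protocol transition.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Test-DelegationSetup {
    param(
        [Parameter(Mandatory)] [string] $ClientUser,        # "Kerberos Client" field
        [Parameter(Mandatory)] [string] $DelegationAccount, # "Delegation Account" field
        [Parameter(Mandatory)] [string] $TargetSpn,         # SPN of the web resource, e.g. HTTP/<host>
        [Parameter(Mandatory)] [string] $DomainController   # "Client KDC" field
    )
    # Helper: emit one result row per check.
    function New-Check($Check, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
    }

    $user = Get-ADUser -Server $DomainController -LDAPFilter "(sAMAccountName=$ClientUser)" `
        -Properties LockedOut, AccountNotDelegated
    New-Check 'Client user found by sAMAccountName' $user $ClientUser
    if ($user) {
        New-Check 'Client user enabled and not locked out' ($user.Enabled -and -not $user.LockedOut) ''
        # "Account is sensitive and cannot be delegated" blocks delegation for this user.
        New-Check 'Client user may be delegated' (-not $user.AccountNotDelegated) ''
    }

    $svc = Get-ADUser -Server $DomainController -LDAPFilter "(sAMAccountName=$DelegationAccount)" `
        -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, LockedOut, PasswordExpired
    New-Check 'Delegation account found' $svc $DelegationAccount
    if ($svc) {
        New-Check 'Delegation account usable' `
            ($svc.Enabled -and -not $svc.LockedOut -and -not $svc.PasswordExpired) ''
        $allowed = @($svc.'msDS-AllowedToDelegateTo')
        New-Check 'Target SPN in msDS-AllowedToDelegateTo' ($allowed -contains $TargetSpn) ($allowed -join ', ')
        # Assumption: protocol transition ("use any authentication protocol") is needed
        # when the gateway does not hold the user's password, as with an SSO front end.
        New-Check 'Protocol transition enabled' $svc.TrustedToAuthForDelegation ''
    }

    # A missing or duplicated SPN makes the KDC unable to issue a ticket for the web resource.
    $owners = @(Get-ADObject -Server $DomainController -LDAPFilter "(servicePrincipalName=$TargetSpn)")
    New-Check 'Target SPN registered on exactly one account' ($owners.Count -eq 1) `
        (($owners | ForEach-Object Name) -join ', ')
}

# Placeholder values; substitute the ones entered in the debugging utility.
Test-DelegationSetup -ClientUser '<user>' -DelegationAccount '<svc-account>' `
    -TargetSpn 'HTTP/<web-resource-host>' -DomainController '<dc-fqdn>' | Format-Table -AutoSize
```

Any row with `Pass` set to `False` points at the AD object to review before re-running the test from the gateway.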