juniper SA4500, IVE 6.5R7
I'm trying to allow access to a web server (Web bookmark) that uses Kerberos to authenticate users.
My Kerberos SSO settings all work fine if I try accessing the server by its AD name (http://server.domain.local), but if I try using different host headers (e.g. http://esupply.domain.local) for the web resource, Kerberos fails. I am not using constrained delegation on Juniper.
Internally, accessing http://esupply.domain.local directly, I get a Kerberos ticket for HTTP/server.domain.local.
Doing it through Juniper, the Kerberos Request is for HTTP/esupply.domain.local, which fails with "Principal Unknown".
How do I tell Juniper to request the ticket with a different principal name to the server name specified in the URL resource?
How is your kerberos policy configured: server.domain.local or esupply.domain.local?
Is this cross-realm auth?
What is the domain you have configured on your domain/realm on the general tab?
Under the Basicauth/NTLM/Kerberos policies general tab, my Kerberos SSO details are:
site name: blank
Pattern match: *
KDC: (IP address of my domain controller / KDC)
Credential type: system
(no fallback to NTLM)
The policy trace says it is applying the (correct) Kerberos policy, which works fine if I use the proper server name, but not the alias.
I was hoping to get away from having to register new Server Principal Names in AD for the aliases, but I guess I'll just have to
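The thread ends with the usual fix: the SA builds the SPN from the host in the bookmark URL (HTTP/esupply.domain.local), so that name must exist as an SPN in AD, whereas a domain-joined browser reaching the alias directly typically canonicalizes a CNAME to the server's A record and asks for HTTP/server.domain.local instead. The script below is an added example, not from the thread or from Juniper, that checks which HTTP SPNs are registered for the server and adds the alias SPN only if no other account already holds it (a duplicate SPN breaks Kerberos for both accounts). It assumes the IIS site runs as the computer account of server.domain.local (computer name SERVER, hypothetical), that the RSAT ActiveDirectory module is installed, and that you have rights to edit servicePrincipalName.

```powershell
# Added example (not part of the original thread): audit and register the HTTP SPNs
# that a Kerberos client will request for the AD name and for the DNS alias.
# Assumed: web server runs under the computer account SERVER (change $Account if the
# site runs under a service account); RSAT ActiveDirectory module present.

Import-Module ActiveDirectory

$Account   = 'SERVER'                                          # assumed computer name of server.domain.local
$HostNames = @('server.domain.local', 'esupply.domain.local')  # AD name and alias from the thread

# SPNs currently registered on the account
$registered = (Get-ADComputer -Identity $Account -Properties servicePrincipalName).servicePrincipalName

foreach ($h in $HostNames) {
    $spn = "HTTP/$h"
    if ($registered -contains $spn) {
        Write-Host "OK       $spn is registered on $Account"
        continue
    }
    Write-Host "MISSING  $spn - a ticket request for it fails with 'Principal Unknown'"

    # setspn -Q searches the forest for the SPN; refuse to add it if another
    # account already owns it, since duplicate SPNs break Kerberos for both.
    if ((setspn -Q $spn) -match 'Existing SPN found') {
        Write-Warning "$spn already exists on another account; resolve the duplicate before adding it to $Account"
        continue
    }

    # -S adds the SPN only after verifying no duplicate exists in the forest
    setspn -S $spn $Account
}
```

Run it from an elevated PowerShell on a domain-joined admin workstation. If the web application pool runs under a service account rather than the computer account, register the SPNs on that account instead (and use Get-ADUser for the audit), otherwise the KDC will encrypt the ticket with the wrong key even though the SPN lookup succeeds. After adding the SPN, re-test through the SA and confirm in the policy trace that the ticket request for HTTP/esupply.domain.local now succeeds.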