juniper SA4500, IVE 6.5R7
I'm trying to allow access to a web server (Web bookmark) that uses Kerberos to authenticate users.
My Kerberos SSO settings all work fine if I try accessing the server by its AD name (http://server.domain.local), but if I try using different host headers (e.g. http://esupply.domain.local) for the web resource, Kerberos fails. I am not using constrained delegation on Juniper.
Internally, accessing http://esupply.domain.local directly, I get a kerberos ticket for HTTP/server.domain.local
Doing it through Juniper, the Kerberos Request is for HTTP/esupply.domain.local, which fails with "Principal Unknown".
How do I tell Juniper to request the ticket with a different principal name to the server name specified in the URL resource?
cheers
Mike
How is your kerberos policy configured: server.domain.local or esupply.domain.local?
Is this cross-realm auth?
What is the domain you have configured on your domain/realm on the general tab?
Under the Basicauth/NTLM/Kerberos policies general tab, my Kerberos SSO details are:
Realm Definition
    realm: DOMAIN.LOCAL
    site name: blank
    Pattern match: *
    KDC: (IP address of my domain controller / KDC)
IVE Intermediation
    Label: esupply
    realm: DOMAIN.LOCAL
    Credential type: system
SSO Policy
    resources: http://esupply:80
               http://esupply.domain.local:80
    Action: Kerberos
    Credential: esupply
    (no fallback to NTLM)
Web bookmark
What does your policy trace say when you trace kerberos sso actions?
The policy trace says it is applying the (correct) Kerberos policy, which works fine if I use the proper server name, but not the alias.
I was hoping to get away from having to register new Server Principal Names in AD for the aliases, but I guess I'll just have to
ho hum
thanks
mike
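The failure mode in this thread comes down to which host name ends up in the HTTP/ service principal name (SPN) the client asks the KDC for. The following is an added example (not code from the thread or from Juniper) that models the two paths: a browser that resolves the DNS alias to the real host before building the SPN, versus a proxy such as the IVE that uses the host exactly as written in the resource URL. The CNAME record and the list of registered SPNs are constructed to mirror the thread; the assumption that the browser canonicalizes the alias via DNS is mine, based on the ticket Mike saw being issued for HTTP/server.domain.local.

```python
"""Model how a Kerberos client derives the HTTP SPN for a resource URL,
and report which SSO resources would get 'principal unknown' from the KDC.
Constructed data: the DNS and SPN entries below mirror the thread and are
not taken from any real directory."""
from urllib.parse import urlsplit

# Constructed DNS view: the alias is a CNAME for the real web server.
DNS_CNAME = {"esupply.domain.local": "server.domain.local"}
# Constructed: SPNs currently registered on the web server's AD account
# (what 'setspn -L <account>' would list).
REGISTERED_SPNS = {"HTTP/server.domain.local", "HTTP/server"}


def spn_for_url(url: str, canonicalize: bool) -> str:
    """Build the SPN a client would request for this URL.

    canonicalize=True models a browser that resolves the CNAME first, so the
    ticket is for the real host; False models a proxy (the IVE in the thread)
    that keeps the host name exactly as written in the resource URL.
    Port 80 is not part of an HTTP SPN, so it is dropped."""
    host = urlsplit(url).hostname.lower()
    if canonicalize:
        host = DNS_CNAME.get(host, host)
    return f"HTTP/{host}"


def check_policy(resources, registered, canonicalize=False):
    """Map each SSO resource URL to (spn, 'ok' | 'principal unknown')."""
    report = {}
    for url in resources:
        spn = spn_for_url(url, canonicalize)
        report[url] = (spn, "ok" if spn in registered else "principal unknown")
    return report


def spns_to_register(resources, registered):
    """SPNs that must be added (e.g. with setspn) for every resource to work
    when the requester does not canonicalize the alias."""
    return sorted({spn_for_url(u, False) for u in resources} - registered)


if __name__ == "__main__":
    # The two resources from Mike's SSO policy.
    policy_resources = ["http://esupply:80", "http://esupply.domain.local:80"]
    print("browser:", check_policy(policy_resources, REGISTERED_SPNS, True))
    print("via IVE:", check_policy(policy_resources, REGISTERED_SPNS, False))
    print("missing SPNs:", spns_to_register(policy_resources, REGISTERED_SPNS))
```

Each alias SPN has to be registered on the same AD account the web server's application pool runs as; an SPN present on two accounts breaks Kerberos for both.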