I am a novice to Pulse Secure SSL VPN administration. My company is using Junos Pulse 9.1R4 (build 4763) and is using LDAP authentication. I am trying to achieve that when a dial-in user authenticates, the user will be able to authenticate using Kerberos on a LAN server (website).
Looking in the IIS logs, the user is authenticated using NTLM, but this gives us double-hop issues.
Can anyone give me some guidance on how to configure this? Or should we abandon LDAP?
Thanks in advance,
How are the users accessing the IIS website after connecting to the VPN? Do they click on a web bookmark provisioned on the web portal, or access it directly by typing the URL in the browser, which would be handled by the Layer-3 tunnel?
If the users are connecting to the VPN using the Pulse Client and establishing an L3 tunnel, then Kerberos authentication to the IIS site should work without any extra configuration on the VPN server, provided the user machine is domain-joined (i.e. belongs to the same domain as the IIS service) and the IIS service authentication is set to Negotiate, which I believe it already is.
If the users are connecting to the VPN using a web browser and accessing the web server through a configured bookmark, then the following applies:
Per my understanding, Kerberos would be used if we authenticate to the VPN server using an AD auth instance instead of an LDAP instance. If you can't make the users use AD for various other reasons, then configuring Kerberos Delegation is the suitable way of accessing a Kerberos-protected resource (the IIS service) when the user is not authenticated to the VPN using AD (Kerberos):
Kerberos Constrained Delegation - https://www-prev.pulsesecure.net/download/techpubs/current/415
Please let me know if this does not help you.
Thank you for your reply. I am trying to get Kerberos to work for users that do not connect using a domain-joined workstation. The users are using the web portal and the Pulse Secure client; every time, the user is connected using NTLM, which causes the double-hop issue to occur.
Is there a way around this?
Kerberos will not be used if the users are using a Pulse Client connection (L3 tunnel) and accessing the application directly from the browser; by design, NTLM would be used. However, we can make it work using Kerberos delegation if they access the web application through the VPN rewrite.
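A practical way to confirm which path a user's logons actually took (NTLM versus Kerberos, as the replies above distinguish) is to read the Security log on the IIS server rather than the IIS W3C log. The script below is an added example, not from anyone in this thread; it assumes elevated PowerShell on the IIS host, that logon auditing (event 4624) is enabled, and the sample account name `jdoe` is a placeholder.

```powershell
# Added example (not from this thread): summarize the authentication package
# (Kerberos or NTLM) used by network logons for one user on the IIS server.
# Assumes: run elevated on the IIS host, Logon auditing enabled (event 4624).
param(
    [string]$User  = 'jdoe',   # placeholder account name
    [int]   $Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 3 = network logon, which is what IIS Windows authentication produces
    if ($data.LogonType -eq '3' -and $data.TargetUserName -ieq $User) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Package     = $data.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            LmPackage   = $data.LmPackageName               # e.g. 'NTLM V2' when NTLM was used
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    }
}

# Count of logons per package, then the most recent ones for inspection
$rows | Group-Object Package | Select-Object Name, Count
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If every row shows `NTLM` with the VPN client's IP as `SourceIp`, the browser is falling back to NTLM over the L3 tunnel as described above; rows showing `Kerberos` after enabling delegation through the rewrite confirm the change took effect.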