Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

WSAM and Kerberos

hadar_
Occasional Contributor
‎09-11-2008 04:03:PM
‎09-11-2008 04:03:PM

WSAM and Kerberos

Has anyone figured out how to get Windows kerberos and WSAM to work together. I am running 6.0r5 and it just doesn't want to work. I tried forcing the kerberos to use TCP and not UDP on the desktops, but it still didn't work. One of the things I noticed was that DNS queries for kerboros were being sent to the external DNS server and so they didn't get the right answer back.

0 Kudos
7 REPLIES 7
Kevin_
Contributor
‎09-12-2008 11:55:AM
‎09-12-2008 11:55:AM

Re: WSAM and Kerberos

What exactly isn't working? I've had problems with kerberos over NC - drives not mapping in some cases. That ended up being the size of the kerberos packet that is returned to the server. Changing to kerberos over TCP on the client fixed my problem.
0 Kudos
dcvers_
Regular Contributor
‎09-15-2008 03:26:AM
‎09-15-2008 03:26:AM

Re: WSAM and Kerberos

I tried for several months to get Kerberos and SMS to work with WSAM but was not successful. The problem we found was that is DNS SRV requests where not being forwarded by WSAM. There was also a Connectionless LDAP (CLDAP) request that was not being forwarded by WSAM. The really annoying thing is Kerberos itself does work via WSAM but it can't get started because of the DNS issue.
0 Kudos
hadar_
Occasional Contributor
‎09-15-2008 06:58:AM
‎09-15-2008 06:58:AM

Re: WSAM and Kerberos

I saw the same thing when I ran wireshark on my test box and saw the DHS calls going out to the public DNS server and not internally. I wonder if there is a way to force the DNS to forward those requests internally.
0 Kudos
fild_
Occasional Contributor
‎02-10-2010 03:47:AM
‎02-10-2010 03:47:AM

Re: WSAM and Kerberos

Does anyone have the same problem? I have similar problem on version 6.5r2. Is there any ticket open?

To be more concrete. Outlook is not working with WSAM, but works with NC and after successful NC session Outlook will run with WSAM.

It looks like the kerberos is switched back to NTLM. I dont know, why there is kerberos, because I have NTML in the Outlook preferences...

0 Kudos
zanyterp_
Respected Contributor
‎02-14-2010 01:04:AM
‎02-14-2010 01:04:AM

Re: WSAM and Kerberos

@hadar: Kerberos over WSAM is available in 6.4 and later only. You need to enable the standard WSAM application (6.4 and later only) called "Domain Authentication" and then define all your DCs as allowed servers in order to allow the WSAM application to capture the kerberos-based traffic. Previous versions do not contain the ability to capture the data.

@fild: do you see WSAM capturing the traffic successfully for Outlook? if you look at the events log tab on the WSAM application (WSAM UI>Advanced>Event log) do you see any access denied/ACL check failure messages? Are you expecting Kerberos- or NTLM-based auth for Outlook? Do you have all DCs/Exchange servers enabled as WSAM destinations? Are you using the WSAM application "Domain Authentication" as well as the Outlook application?

0 Kudos
fild_
Occasional Contributor
‎02-19-2010 06:33:AM
‎02-19-2010 06:33:AM

Re: WSAM and Kerberos

Yes, there are all the access right, NTLM is set as the auth method in outlook. The the best thing - it was working and it stopped. Maybe from upgrade to 6.5r2 ?? I can connect via NC and there are some kerberos packets. I can then run WSAM and connect to outlook. Than again NC. Success. But no kerberos packets...

So it looks like that Exchange server wants Kerberos for some reason and Kerberos is not working. When connecting via LAN or NC - it will try Kerberos and then ntlm. And ntlm will be OK.

I can also see denied in wsam logs...

0 Kudos
zanyterp_
Respected Contributor
‎02-19-2010 06:56:AM
‎02-19-2010 06:56:AM

Re: WSAM and Kerberos

@fild: can you paste the access denied message here or what server is being denied? Can you confirm that the server that you are seeing the deny for is allowed in the SAM ACL? Do you have the "domain authentication" application defined for WSAM as well?

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.