cancel
Showing results for 
Search instead for 
Did you mean: 
dietrichdrum
Level 7

MWG Proxy HA Kerberos SPNs

Jump to solution

I am working to setup Kerberos authentication in a Proxy HA configuration. I set the hostname in the SPN to be the hostname of the VIP of the Proxy HA. In the authentication debug logs I get the 'Wrong Principal in Request' error for Kerberos. Do I need to add SPNs for each individual proxy device?

0 Kudos
1 Solution

Accepted Solutions
bgartama
Level 9

Re: MWG Proxy HA Kerberos SPNs

Jump to solution

Correct. You need to add an SPN for all proxy devices you intend to use to the user.

0 Kudos
4 Replies
bgartama
Level 9

Re: MWG Proxy HA Kerberos SPNs

Jump to solution

Correct. You need to add an SPN for all proxy devices you intend to use to the user.

0 Kudos
dietrichdrum
Level 7

Re: MWG Proxy HA Kerberos SPNs

Jump to solution

Does the keytab need to be regenerated after modifying the SPN? I added the SPNs, but still cannot authenticate.

0 Kudos
McAfee Employee

Re: MWG Proxy HA Kerberos SPNs

Jump to solution

Did you modify the keytab or the user to add the SPN (you should only need to modify the user)? In either case you shouldnt need to regenerate the keytab.

Also what was the command you used to generate the initial keytab? I had another customer generating the keytab with the -setupn flag, and it gave the same error.

Best,

Jon

0 Kudos
dietrichdrum
Level 7

Re: MWG Proxy HA Kerberos SPNs

Jump to solution

The issue was resolved. Our AD guy changed the crypto parameter and Kerberos now authenticates. Not sure what command he used, but I think he followed the procedure on the community guide for Kerberos.

Thanks all for the help!

0 Kudos