Proxy Kerberos Authentication – Kerberos Service Ticket Issues

Tags: active-directory, authentication, bluecoat, kerberos, proxy

I have a BlueCoat ProxySG that is able to authenticate users via Kerberos. It is set to "Proxy", so it requires user authentication for each new TCP connection. Users have Single Sign-On, and their PCs automatically pass their Windows login credentials when prompted by network services. The issue is that on a site with many background connections (www.bbc.com in this case), the user will begin receiving popups for credentials after so long (most of the page and pictures have already loaded by this time). I believe this happens to every user using this site.

In a packet capture from the user's PC, Kerberos authentication seems to be working on every connection attempt (GET and CONNECT requests), as the user passes the service ticket properly with the GET/CONNECT requests. But all of a sudden it begins reaching out to the KDC for a new service ticket… in which case it actually errors with a PRE_AUTH_REQUIRED error and has to get a new KRBTGT from the KDC before attempting the TGS_REQ for the proxy again. This is when the popups for credentials seem to happen.

  • My understanding is that the service ticket is stored in the user's Kerberos tray and can be reused until it needs to be renewed (as noted by the renew date on the ticket itself). Is this a correct understanding?
  • Why would the proxy all of a sudden require a different ticket?
  • The BlueCoat ProxySG is supposed to automatically fall back to NTLM when Kerberos does not work; why isn't it doing so? (NTLM works fine when not using Kerberos as the primary method of authentication.)

Thanks in advance!

Best Answer

The issue, as it turns out, was not with Kerberos at all. There are two authentication realms set up: one for IWA Direct and one for IWA BCAAA. The BCAAA realm does not have Kerberos authentication. While connecting to bbc.com, the user authenticates using the Kerberos realm. Due to the authentication process being set to Proxy, it requires authentication on every new connection attempt. However, a background URL on BBC's website (probably some ad site) was hitting another authentication policy rule that is listed before the Kerberos authentication policy rule. It was set to Proxy IP (auth every 15 minutes using an IP surrogate), and only NTLM and Basic authentication were available. Thus it was presenting an authorization popup while the rest of the site's sessions were being authorized by the Kerberos realm.
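The root cause in the accepted answer (one client's connections split across two realms because an earlier policy rule matched a background host) can be spotted from the proxy's access log before anyone reads a packet capture. The script below is an added example, not code from the original post or from Blue Coat: it parses constructed log lines in a simplified key=value layout (not the ProxySG's own access-log format; every host, realm and rule name is invented) and flags clients that authenticated with Kerberos on some connections but were challenged with NTLM or Basic on others, then names the policy rules that issued those challenges.

```python
"""Spot a client whose connections split across authentication schemes.

Added example, not code from the original post or from Blue Coat. The log
format is a constructed, simplified key=value layout (not Blue Coat's own
access-log format), and every host, realm and rule name below is invented.
"""
from collections import defaultdict

# Constructed sample: one PC loads a page whose main assets are authenticated
# with Kerberos, while a background ad host matches an earlier policy rule
# whose realm offers only NTLM and Basic (the 407 challenges). A second PC
# uses NTLM everywhere and must not be flagged, since it never used Kerberos.
SAMPLE_LOG = """\
2015-03-02T10:00:01 c-ip=10.1.2.3 host=www.bbc.com scheme=Kerberos realm=IWA_Direct rule=R20_Kerberos_SSO status=200
2015-03-02T10:00:01 c-ip=10.1.2.3 host=static.bbc.co.uk scheme=Kerberos realm=IWA_Direct rule=R20_Kerberos_SSO status=200
2015-03-02T10:00:02 c-ip=10.1.2.3 host=ads.example.net scheme=NTLM realm=IWA_BCAAA rule=R10_Ads_ProxyIP status=407
2015-03-02T10:00:02 c-ip=10.1.2.3 host=ads.example.net scheme=Basic realm=IWA_BCAAA rule=R10_Ads_ProxyIP status=407
2015-03-02T10:00:03 c-ip=10.1.2.4 host=intranet.example.local scheme=NTLM realm=IWA_BCAAA rule=R10_Ads_ProxyIP status=200
"""

SSO_SCHEME = "Kerberos"


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    record = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_mixed_auth(log_text, sso_scheme=SSO_SCHEME):
    """Return {client_ip: [records]} for clients that authenticated with the
    SSO scheme on at least one connection but were challenged with another
    scheme on others. Only the non-SSO records are returned, since those are
    the connections that produce credential popups."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record:
            by_client[record["c-ip"]].append(record)

    flagged = {}
    for client, records in by_client.items():
        used_sso = any(r["scheme"] == sso_scheme for r in records)
        others = [r for r in records if r["scheme"] != sso_scheme]
        if used_sso and others:
            flagged[client] = others
    return flagged


def summarize_rules(flagged):
    """Map each policy rule that issued a non-SSO challenge to the sorted list
    of schemes it used; this points at the rule to fix or reorder."""
    schemes = defaultdict(set)
    for records in flagged.values():
        for r in records:
            schemes[r["rule"]].add(r["scheme"])
    return {rule: sorted(s) for rule, s in schemes.items()}


if __name__ == "__main__":
    flagged = find_mixed_auth(SAMPLE_LOG)
    for client, records in flagged.items():
        hosts = sorted({r["host"] for r in records})
        print(f"{client}: Kerberos elsewhere, but non-Kerberos on {hosts}")
    for rule, schemes in summarize_rules(flagged).items():
        print(f"rule {rule} offered only {schemes}")
```

Run against a real export, the interesting output is the rule name: a rule that sits above the Kerberos SSO rule and whose realm cannot offer Kerberos is exactly the ordering problem described in the answer, and the host list tells you which background destinations are matching it.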