Error validating user via ntlm
You will then need to merge the keytabs before importing them into the Web Gateway; this allows the Web Gateway to authenticate users in multiple domains.
We will import an existing Ruleset from the Ruleset library in order to set up the framework needed to authenticate users.
The syntax can vary based on security restrictions within your domain, and based on your domain controller type (2003/2008).
Example (Server 2003):
ktpass -princ HTTP/[fqdn-of-appliance_lowercase]@[DOMAIN_UPPERCASE] -mapuser [USERNAME] -pass [PASSWORD] -ptype KRB5_NT_PRINCIPAL -out [OUTPUT-FILENAME].keytab
ktpass -princ HTTP/[email protected]
In order to get the user's groups, we must add a rule after the "Authenticate with Kerberos" rule.
If the authentication is successful, then we use the property of "Authentication.
LOCAL -k 4 -e AES256-CTS
bc1b21c47f6ae9c16afe8f033ed2a9236af1b4c5031761a091d635304300e6bc
add_entry -key -p HTTP/[email protected]
In the event that you have multiple domains, it may be necessary to create users and generate keytabs on both domains.
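Merging the per-domain keytabs and then confirming that the merged file really carries an HTTP/ service principal for every domain is the step most often skipped, and a missing realm shows up later as a failed authentication on the Web Gateway. The following is an added example, not code from the original article or from the Web Gateway product: it reads and writes the MIT keytab file format (version 0x0502) so that keytabs produced by ktpass can be merged and then checked offline. In practice the merge is done with ktutil (rkt each file, then wkt the combined file); this code does the same thing in Python so the result can be inspected. The realms CORP.EXAMPLE and SUB.EXAMPLE, the host proxy.example.com and the key bytes are constructed placeholders, not values from the page.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab file format, version 0x0502
ENCTYPE_AES256_CTS = 18         # aes256-cts-hmac-sha1-96
KRB5_NT_PRINCIPAL = 1           # principal name type set by ktpass -ptype KRB5_NT_PRINCIPAL


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise entries (dicts with principal, realm, kvno, enctype, key) to keytab bytes.
    Used here to construct sample input and to write the merged file; real keytabs come from ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e["principal"].encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _cstr(e["realm"].encode())
        for c in comps:
            body += _cstr(c)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e["kvno"] & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", e["enctype"]) + _cstr(e["key"])
        body += struct.pack(">I", e["kvno"])                                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse keytab bytes into a list of entry dicts; raises ValueError if malformed."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cstr(data, pos)
        kvno = vno8
        if end - pos >= 4:          # 32-bit kvno present; it overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": b"/".join(comps).decode(), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def merge_keytabs(*blobs):
    """Concatenate the entries of several keytabs into one file (what ktutil rkt/wkt does)."""
    merged = []
    for blob in blobs:
        merged.extend(parse_keytab(blob))
    return build_keytab(merged)


def missing_realms(blob: bytes, service: str, expected_realms):
    """Return the expected realms for which the keytab holds no entry for `service`."""
    present = {e["realm"] for e in parse_keytab(blob) if e["principal"] == service}
    return set(expected_realms) - present


# Constructed sample input: one keytab per domain, as ktpass would produce, with made-up keys.
SERVICE = "HTTP/proxy.example.com"
KEYTAB_A = build_keytab([{"principal": SERVICE, "realm": "CORP.EXAMPLE", "kvno": 4,
                          "enctype": ENCTYPE_AES256_CTS, "key": bytes(range(32))}])
KEYTAB_B = build_keytab([{"principal": SERVICE, "realm": "SUB.EXAMPLE", "kvno": 2,
                          "enctype": ENCTYPE_AES256_CTS, "key": bytes(range(32, 64))}])
MERGED = merge_keytabs(KEYTAB_A, KEYTAB_B)

if __name__ == "__main__":
    for e in parse_keytab(MERGED):
        print(f"{e['principal']}@{e['realm']}  kvno={e['kvno']}  enctype={e['enctype']}")
    print("missing realms:", missing_realms(MERGED, SERVICE, {"CORP.EXAMPLE", "SUB.EXAMPLE"}))
```

Run `missing_realms` against the merged file before uploading it; an empty set means every domain has its service principal, while a realm left in the set is one whose users will fail Kerberos authentication at the gateway. The kvno and enctype printed for each entry should match what the domain controller issues; a stale kvno after a password reset is the other common cause of a keytab that looks complete but does not work.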
This ruleset is the framework that we can mold to our needs.
Prior to adding the ruleset, you must resolve any existing conflicts.
Within your Kerberos engine settings, you must enable the option for "Extract group membership IDs from the ticket" and "Lookup group names via NTLM".
You must set both options in order to reference groups by name; if "Lookup group names via NTLM" is unchecked, you can only use the SID of the group (which isn't very memorable).