Kerberos issues with bluecoat proxy

swaroopmj
New Contributor

I'm new to JSS and currently running v9.63. We have bluecoat proxies which run on version 6.2.15.

When I look into the ticketviewer I see that there is a valid kerberos ticket. I am able to use SMB with SSO. As soon as I login I see a proxy authentication prompt on my Mac. When I launch the browsers (Chrome, Safari) I get prompted again for the proxy authentication.

I ran a pcap and see Kerberos errors "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". I verified the reverse PTR records of the proxy servers in the PAC file and they all seem to resolve to a valid hostname. The only difference is multiple IPs resolving to the same hostname.

Has anyone encountered this issue before? Also, are there any known pitfalls in getting Kerberos to work with Bluecoat?


FritzsCorner
Contributor III

We have Kerberos up and running with Bluecoat in our shop. I can't tell you what version we are on, but I think it is a pretty current release (I will check with our Proxy Admin). In our environment though we are using WCCP to direct the clients on our network to the proxy and not using a PAC file.

However, we recently discovered that there is an issue with Safari not always providing the Kerberos token to the Blue Coat proxy when Macs are manually configured to connect to the proxy explicitly over port 9090 (not via WCCP). When Safari periodically does not provide the Kerberos token, the proxy will return an "authentication_failed" exception page to the browser. If we just refresh the page, the Kerberos token is sent to the proxy and the page will load just fine. This appears to be isolated to Safari, though. When we tested this using the Chrome browser on the Macs, this issue did not occur. Blue Coat Support was able to confirm that the browser is not sending the Kerberos token on every query to a new site to the proxy. We have upgraded Safari to the latest version and the issue still exists. I am in the process of opening a ticket with Apple Professional Services for this issue and will post an update when I get more info.

While this is not exactly what you are seeing, I thought I would share our experience in getting the Mac setup with Bluecoat in the event it could help you in any way.

swaroopmj
New Contributor

Thanks for the response. I have the Kerberos issue in Chrome as well. It is very sporadic, though. Sometimes it works, but most times I will see an authentication prompt. I will check with our network guys about WCCP.

Our Macs are AD bound and the PAC file URL we are using is also used by all our managed devices. One of the suggestions was to have an SMB mount on login and see if that forces all the other communications which are set to Negotiate to use the Kerberos ticket.

FritzsCorner
Contributor III

If you have an Apple Professional Services or support contract you may want to ask about an Apple in-house utility called "Renew Kerberos". It is a small utility that will sync your password to your keychain and then renew your kerberos tickets using the keychain so you don't have to enter your credentials again. Unfortunately, Apple asked that we not share this outside our organization so it's not something I can post a link to.

To your comment on mounting an SMB drive on logon, we do that as well. We have a custom logon script that will detect if the computer is on our corporate network, and if it is, it will continue to mount the user's home drive as well as any other assigned shared folders they may have. If a Kerberos ticket is not found, the script will launch the Renew Kerberos utility and then continue to mount the drives.
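Two things in this thread lend themselves to a script: the original poster's PTR/SPN check on the proxy addresses in the PAC file (a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply means the client asked the KDC for an `HTTP/<fqdn>` service principal that no AD account holds, and the `<fqdn>` comes from reverse-resolving the proxy IP), and the login-time flow just described (detect the corporate network, make sure a ticket exists, mount the home share so Negotiate traffic starts using Kerberos). The following is an added example written for this page, not the poster's logon script or an Apple or Blue Coat tool. The proxy IPs, AD domain and share URL are placeholders; the "Renew Kerberos" utility is not public, so the ticket renewal step assumes macOS's Heimdal `kinit --keychain`, and the mount step assumes the Finder `open smb://` path.

```bash
#!/bin/bash
# Added example (not from the thread): Kerberos proxy diagnostics plus a
# minimal login-time share mount for AD-bound Macs. Placeholders are marked.
set -u

# Proxy addresses as listed in the PAC file (constructed placeholders).
PROXY_IPS="${PROXY_IPS:-10.0.0.10 10.0.0.11}"
# AD domain whose LDAP SRV record marks "on the corporate network" (placeholder).
AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"
# Home share to mount once a ticket is present (placeholder).
HOME_SHARE="${HOME_SHARE:-smb://fileserver.corp.example.com/home}"

# Normalise a DNS name: strip the trailing dot dig prints and lowercase it,
# so PTR and forward answers for the same host compare equal.
normalize_fqdn() {
  printf '%s' "$1" | sed -e 's/\.$//' | tr '[:upper:]' '[:lower:]'
}

# The service principal a client requests for an HTTP proxy at this host.
# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN means no AD account carries this SPN.
spn_for_host() {
  printf 'HTTP/%s' "$(normalize_fqdn "$1")"
}

# A proxy IP yields a usable SPN only if it has a PTR record and that name
# resolves forward to a set of addresses containing the IP itself (several
# IPs sharing one PTR name is fine as long as each forward-resolves).
# Takes the IP, the PTR answer and the forward answers (one per line) as
# arguments so the logic runs without DNS; returns 0 when consistent.
ptr_consistent() {
  ip="$1"; ptr="$2"; forward="$3"
  [ -n "$ptr" ] || return 1
  printf '%s\n' "$forward" | grep -qx "$ip"
}

# Live check of every proxy IP in the PAC (dig ships with macOS).
check_proxies() {
  for ip in $PROXY_IPS; do
    ptr=$(dig +short -x "$ip" | head -n1)
    fwd=$(dig +short "$(normalize_fqdn "$ptr")" A)
    if ptr_consistent "$ip" "$ptr" "$fwd"; then
      echo "OK   $ip -> $(normalize_fqdn "$ptr"), proxy account needs SPN $(spn_for_host "$ptr")"
    else
      echo "WARN $ip -> '${ptr:-no PTR}' does not forward-resolve to $ip; expect S_PRINCIPAL_UNKNOWN"
    fi
  done
}

# klist -s is silent and exits 0 only when an unexpired TGT is cached.
has_tgt() {
  klist -s 2>/dev/null
}

# Assumed replacement for the private "Renew Kerberos" tool: Heimdal kinit
# on macOS reading the password from the login keychain.
renew_tgt() {
  kinit --keychain 2>/dev/null
}

# Corporate-network test: the AD domain's LDAP SRV record is resolvable.
on_corp_network() {
  [ -n "$(dig +short SRV "_ldap._tcp.$AD_DOMAIN")" ]
}

# Login flow: off network -> do nothing; no ticket -> renew; then mount the
# share first so the Negotiate exchange happens before browsers hit the proxy.
login_script() {
  on_corp_network || { echo "off corporate network, skipping mounts"; return 0; }
  has_tgt || renew_tgt || { echo "no Kerberos ticket available, not mounting"; return 1; }
  check_proxies
  open "$HOME_SHARE"
}

# Only run the live flow when explicitly asked (RUN_LOGIN=1), so the
# functions above can be sourced and exercised without network access.
if [ "${RUN_LOGIN:-0}" = "1" ]; then
  login_script
fi
```

Run it as `RUN_LOGIN=1 PROXY_IPS="<ip> <ip>" bash kerb-proxy-check.sh` from a login hook or a Jamf policy; the `WARN` lines name the proxy IPs whose reverse and forward records disagree, which is the first thing to fix before chasing the browser-side behaviour the thread describes.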

swaroopmj
New Contributor

I will look into the custom script trigger and the Renew Kerberos utility and let you know if it works for us. Thanks for your help.

MS2020
New Contributor II

Bump. Anyone else having similar auth issues with Blue Coat and Kerberos?