Kerbereos authentication on microsoft direct access and forticlient

Forum|Forum|7 years ago
May 16, 2019
1 reply
3879 views

Hello, for a customer I have configured kerberos authentication over explicit proxy. When the customer is in the LAN kerberos authentication works fine, the user and the AD-group membership is recognized by the fortigate. When the user is working over microsoft direct access server, the user on the direct access server is recognized but not the AD group membership of the user. It is the same behaviour, when the user is connected over forticlient ipsec-vpn. The user and the client ip address is recognized but not the AD-group membership.

Does anybody has an idea? Is there some config missing? Thanks Judit

juditAuthor

New Member

I have found the solution on google:

Turns out that this was a problem with Windows Kerberos using UDP. There was a registery hack we had to make on all systems that forced kerberos to use TCP. This corrected the issue. Please check MS tech note Q244474 entitled " How to force Kerberos to use TCP instead of UDP" . https://support.microsoft...tead-of-udp-in-windows

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded