Forum Discussion

Mark_22062
Feb 21, 2014

Websense iApp Kerberos Config

I have deployed the DevCentral supplied Websense Content Gateway Assistant iApp to load balance our outbound internet traffic. This all seems to work quite well, but we've noticed that rather than using Kerberos to authenticate, the Websense devices are falling back to using NTLM. If we go direct to the appliances it uses Kerberos.

The documentation isn't quite clear on this but I suspect that I will need to configure the F5 for Kerberos Delegation. My understanding is that in order to use this we need the Client Authentication module, which we don't have but we have got APM.

Can anyone confirm what is required?

11 Replies

  • uni

    It says the following in the iApp deployment guide:

    • Kerberos Authentication: If your Websense Content Gateway is configured to authenticate users using Kerberos, you must apply a special configuration to your gateway cluster so that it can be seen with a common name to your authentication server infrastructure. If you need this configuration, you should contact Websense Support for assistance.

    If you do contact Websense Support for assistance, I am interested to know what you find out.

  • If I may add, I haven't seen the resulting config, but given that the documentation doesn't mention APM (or ACA) I have to assume Kerberos is performed in pass through. That means that the client is likely still making the initial Kerberos request and passing the ticket through the F5 to Websense. That should work, but the address that the client uses to access the F5 VIP must be the same name they would otherwise use to access Websense directly. Kerberos is highly dependent on names (service principal names), and a browser will make a request to the KDC based on the name used to access the resource. This all ties back to encryption keys that are defined by specific SPNs. If you look at a network capture (Wireshark is best for this) you'll probably see the client either try and fail to get a Kerberos ticket and then fail over to NTLM, or pass a Kerberos ticket (but with the wrong SPN/key) and subsequently get a 401 response from Websense telling it to use NTLM.

  • So it appears that the issue was being caused by duplicate SPNs in the environment. We removed the duplicate SPN from one of the appliances, took it out of the Pool and Kerberos magically works. But that means we only have one member in the pool which defeats the whole purpose of trying to make it load balance through the F5.

    Config that does not work

    Config that works

    So that makes me think that the delegation should sit on the F5.
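
Added here as an illustration (not code from any poster, from F5 or from Websense): a small check that models the two conditions described in the replies above, an SPN registered on more than one account and a VIP name that does not map to exactly one SPN. The account names, SPNs and the proxy.company.com name are constructed sample data, not values from this thread.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of servicePrincipalName values per AD computer account.
# "Does not work": both hosts hold the SPN for the shared proxy name, so the KDC
# has no single key to issue a ticket with. "Works": the SPN exists exactly once.
SPNS_DUPLICATED = {
    "websense1$": ["HTTP/websense1.company.com", "HTTP/proxy.company.com"],
    "websense2$": ["HTTP/websense2.company.com", "HTTP/proxy.company.com"],
}
SPNS_UNIQUE = {
    "websense1$": ["HTTP/websense1.company.com", "HTTP/proxy.company.com"],
    "websense2$": ["HTTP/websense2.company.com"],
}

def find_duplicate_spns(accounts):
    """Return {spn: [accounts]} for every SPN held by more than one account.
    Comparison is case-insensitive, as in Active Directory."""
    owners = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}

def expected_spn(url_host, service="HTTP"):
    """SPN a browser requests from the KDC for this URL host: service/host with
    the port dropped. None for an IP literal, where browsers typically skip
    Kerberos and go straight to NTLM."""
    if url_host.startswith("["):                 # [ipv6]:port form
        host = url_host[1:url_host.index("]")]
    else:
        host = url_host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return f"{service}/{host.lower()}"

def check_vip_name(url_host, accounts):
    """Classify the name clients use for the VIP: 'ip-literal' (no Kerberos
    attempt), 'missing' (no SPN, so no ticket and NTLM fallback),
    'duplicate' (SPN on several accounts, the symptom in this thread) or 'ok'."""
    spn = expected_spn(url_host)
    if spn is None:
        return "ip-literal"
    owners = [a for a, spns in accounts.items()
              if spn.lower() in (s.lower() for s in spns)]
    if not owners:
        return "missing"
    return "duplicate" if len(owners) > 1 else "ok"
```

Feed it the real servicePrincipalName attributes exported from AD and the host name users put in their proxy settings; anything other than 'ok' explains an NTLM fallback before a packet capture is needed.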
  • Exactly. But, as implied in the paragraph from the iApp notes in my initial response, Websense have a work-around which you should contact them for the details thereof.

    • Mark_22062
      I've contacted Websense and they mentioned they had a work-around but it is long and drawn out, not guaranteed to work and not recommended.
    • uni_87886
      Very disappointing, but it does explain why there are no details of the work-around in the iApp notes.
  • So curiously, how was it working before adding the F5? Did both of the Websense instances answer to the same FQDN/SPN? In any case, given that you're not directly addressing each, you could apply the same proxy.company.com keytab to both servers.

  • Mark,

    Did you get any resolution for this? Did you try the Websense work-around? I'm dealing with a similar issue and want to know if it is worth reaching out to Websense.