Forum Discussion

Jugoslav_106711
Jan 13, 2016

Kerberos and SWG Implementation

Hello team,

 

Has anyone had experience with Kerberos for SWG authentication? I am following the guide for Kerberos and SWG implementation, but kinit and klist are not giving the appropriate output. Interestingly, I can't see F5 communicating with Kerberos using tcpdump. Please help me with the direction in which I should troubleshoot further.

 

The point is to avoid submitting an APM HTTP form for collecting user credentials. The browser should automatically submit credentials to the server and bypass the login box that would collect the credentials again.

 

5 Replies

  • I would suggest looking into DNS resolution and/or routing to see if you can reach the DNS controllers. This has nothing to do with SWG here, but rather is an issue that prevents the F5 device from properly discovering/connecting to the KDCs.

     

    Is this for a transparent or explicit proxy deployment? If explicit, you will need to add the variable assignment before the Kerberos Auth agent:

     

    You need a Variable Assign agent on the Negotiate branch before the Kerberos Auth agent. The value of the Variable assign is:

     

    session.server.network.name =

     

    Also, just curious, why did you choose Kerberos over NTLM for your deployment/use case?

     

  • I appreciate your assistance, Michael.

     

    Good point: F5 is resolving DOMAIN.LOCAL to the appropriate AD IPs (3 IPs are associated with DOMAIN.LOCAL). The only difference is that they have different hostnames.

     

    It's an explicit deployment; I shall try the suggested Variable Assign in the VPE.

     

    For the customer, NTLM is less secure, but I will try NTLM by following this guide.

     

  • The problem was in krb5.conf, as mentioned in SOL16438, and also in adding realms manually to /etc/krb.conf.
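    As an added example (not code from this thread or from F5), a small Python checker for the kind of krb5.conf problem described in the reply above: it parses the file and reports the realm misconfigurations (wrong default_realm, no kdc entries for the realm, no domain_realm mapping) that leave kinit failing with no traffic to the KDCs ever appearing in tcpdump. The sample config and the dcN hostnames are constructed.

```python
# Constructed sample krb5.conf modelled on the thread's DOMAIN.LOCAL realm
# with three domain controllers; the dcN hostnames are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
[realms]
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
        kdc = dc2.domain.local
        kdc = dc3.domain.local
    }
[domain_realm]
    .domain.local = DOMAIN.LOCAL
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; realm blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            continue                            # stray line before any section
        elif line.endswith("{"):                # e.g. "DOMAIN.LOCAL = {"
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:                       # repeated keys (kdc) accumulate
            key, value = (s.strip() for s in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(value)
    return conf

def check_realm(conf, realm):
    """Findings that would explain kinit failing with no KDC traffic seen."""
    findings = []
    if conf.get("libdefaults", {}).get("default_realm", [""])[0] != realm:
        findings.append("default_realm is not " + realm)
    if not conf.get("realms", {}).get(realm, {}).get("kdc"):
        findings.append("no kdc entries for realm " + realm)
    if realm not in conf.get("domain_realm", {}).get("." + realm.lower(), []):
        findings.append("no domain_realm mapping for ." + realm.lower())
    return findings
```

    Run check_realm(parse_krb5_conf(open("/etc/krb5.conf").read()), "DOMAIN.LOCAL") on the device's file; an empty list means the realm section at least exists and names KDCs, after which DNS and routing to those hosts are the next things to verify.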

     

  • Now I have a problem with SWG responding back to the client; I see it responding with NTLM auth, see packet capture:

     

     

  • Hi,

     

    I guess you solved this issue. Anyway, which authentication mechanism the browser uses depends on how the proxy is configured in the browser. When the proxy is entered as an IP, the browser will always use NTLM (no way Kerberos will work); when entered as an FQDN, then Kerberos will be used (or at least will work; maybe NTLM will work as well, I never tested that).

     

    Piotr