
Sophos XGS AD SSO "Cannot initialise Kerberos authentication with DOMAIN"

I hope that I might be able to find an answer to my problem here.
I have joined the Sophos XGS to the domain. The AD object looks good. The Sophos XGS name is configured with FQDN. Unfortunately I get this error message for Kerberos: "Cannot initialise Kerberos authentication with DOMAIN"

Any ideas?



Added TAGs
[edited by: Erick Jan at 2:29 PM (GMT -8) on 26 Feb 2024]
  • Good day Folks,

    As I've been facing this issue too and the commands didn't help nor was my hostname more than 15 characters, here's how I solved it:

    The issue was a firewall name change / AD hiccup, therefore I had to do the following steps:

    1. Turn OFF "AD SSO" for (in my case) the LAN zone in "Administration" - "Device access"

    2. Delete the computer object of the firewall in my AD

    3. Run the commands:

    service nasm:stop -ds nosync

    rm -rf /content/nasm

    service nasm:start -ds nosync

    4. Turn ON "AD SSO" for the LAN zone in "Administration" - "Device access"

    5. Run an authentication test for the configured AD server in "Authentication" and hit save afterwards

    As for the name change, I went with "hostname.domain" instead of just "hostname" for the firewall (according to Sophos, this should not make a difference though).

    Afterwards, the logs showed Kerberos authenticating :-).

    I'm running Version 20.0.0 GA-Build222 as a VM.

    Hope this helps someone!

    Cheers

    Max
