Endpoint computer can't authenticate via Kerberos due to the redirection URL

Condition

When attempting to authenticate via Active Directory SSO using Kerberos with the HTTP proxy in transparent mode, the Kerberos authentication fails. As a result, the browser falls back to using NTLM or the captive portal for authentication.

Cause

Browsers only perform Kerberos single sign-on automatically when they trust the site requesting credentials and can obtain a Kerberos service ticket for it. The browser takes the hostname from the redirection URL, builds the service principal name HTTP/<hostname>, and asks the domain controller (KDC) for a ticket to that principal. If no account in Active Directory (AD) has that SPN registered, the KDC cannot issue the ticket and the browser falls back to NTLM or the captive portal. The requesting site, in this case Sophos Firewall, must therefore redirect to a hostname or FQDN that matches an SPN registered for the firewall's computer account on the AD server.

Remedy

  1. Configure a hostname on Sophos Firewall. Go to Administration > Admin and user settings > Hostname.

    Enter a Hostname. You must use a fully qualified domain name (FQDN) that matches your company domain. For example, myfirewall.mycompany.com.

    When Sophos Firewall joins the AD domain, it's given an AD computer name, and two SPN entries are automatically created for that computer account:

    • One SPN for the bare hostname. This is the first label of the FQDN that you configure in the Admin and user settings > Hostname field.
    • One SPN for the bare hostname followed by the AD domain.

    Therefore, if you configure the Sophos Firewall Hostname field to be myfirewall.mycompany.com and join the AD domain mycompany.local, two SPNs are created: myfirewall and myfirewall.mycompany.local (registered as the HTTP service principals HTTP/myfirewall and HTTP/myfirewall.mycompany.local, which is the form browsers request).

    Warning For many customers, the domain name used in DNS and in Active Directory is the same, so the DNS FQDN and the AD computer name are identical and the automatically created SPN matches the Admin and user settings > Hostname field. If your DNS and Active Directory use different domain names (such as mycompany.com and mycompany.local) and you want to redirect to the DNS name, you must create the SPN for that DNS name manually on your AD domain controller, on the firewall's computer account. Make sure the same SPN isn't already registered on another account: a duplicate SPN causes the KDC to issue tickets encrypted with the wrong key, and Kerberos fails for both hosts.
  2. Set the proxy redirection URL. This can be the configured FQDN, a different FQDN (such as the AD computer name), or a bare hostname. Whatever you use must match an SPN registered for the firewall's computer account.
    1. To use the configured FQDN of Sophos Firewall, go to Administration > Admin and user settings > Admin console and end-user interaction, and select Use the firewall's configured hostname.
    2. To use a different FQDN or a bare hostname, go to Administration > Admin and user settings > Admin console and end-user interaction and select Use a different hostname, and enter the hostname you want to use.
      Note Make sure the endpoint computer can resolve the Sophos Firewall by the name you select. You may need to add entries to your DNS server.

      When the firewall redirects the browser for AD SSO, the browser must trust the redirection host as a site it's allowed to send Kerberos credentials to (on Windows, a site in the Local intranet zone or in the browser's authentication-server allowlist) and must find an SPN that matches that host:

      • If it's a bare hostname, it must match the bare-hostname SPN that was created automatically.
      • If it's the AD FQDN, it must match the AD computer name FQDN SPN that was created automatically.
      • If it's a DNS FQDN that differs from the AD FQDN, it must match the SPN that you created manually.
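The following script is an added example, not Sophos's own code or part of this article, that checks the three conditions above from a domain-joined Windows admin workstation: the redirection host resolves in DNS, the SPN HTTP/<hostname> is registered on the firewall's computer account (and on no other account), and the KDC will actually hand out a service ticket for it. It assumes the article's example names: the firewall's AD computer account is myfirewall (domain mycompany.local) and the redirection URL uses the DNS name myfirewall.mycompany.com. It needs the RSAT ActiveDirectory module and rights to write SPNs if you use -CreateIfMissing.

```powershell
# Added example (not Sophos documentation): verify, and optionally create, the SPN
# for the proxy redirection hostname, then confirm a Kerberos service ticket can be
# obtained for it. Names below are assumptions taken from the article's example.

param(
    [string]$RedirectHost     = 'myfirewall.mycompany.com',  # hostname used in the redirection URL
    [string]$FirewallComputer = 'myfirewall',                # AD computer account created when the firewall joined
    [switch]$CreateIfMissing                                 # add HTTP/<RedirectHost> to that account if absent
)

Import-Module ActiveDirectory

# 1. The endpoint must resolve the redirection host, otherwise the browser never
#    reaches the firewall's authentication page at all.
$dns = Resolve-DnsName -Name $RedirectHost -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "$RedirectHost does not resolve in DNS; add an A record pointing at the firewall."
} else {
    "DNS: $RedirectHost -> $($dns.IPAddress -join ', ')"
}

# 2. Browsers request a ticket for HTTP/<hostname>, so that exact SPN must exist,
#    and it must exist on the firewall's account only (duplicates break Kerberos).
$spn      = "HTTP/$RedirectHost"
$owner    = Get-ADObject   -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$firewall = Get-ADComputer -Identity $FirewallComputer -Properties servicePrincipalName

"SPNs currently registered on $($firewall.Name)`$:"
$firewall.servicePrincipalName | ForEach-Object { "  $_" }

if ($owner) {
    if ($owner.DistinguishedName -ne $firewall.DistinguishedName) {
        Write-Warning "$spn is registered on $($owner.DistinguishedName), not on the firewall's account. Remove it there before adding it to the firewall."
    } else {
        "$spn is registered on the firewall's computer account."
    }
} elseif ($CreateIfMissing) {
    # Equivalent to: setspn -S HTTP/myfirewall.mycompany.com myfirewall
    Set-ADComputer -Identity $FirewallComputer -ServicePrincipalNames @{ Add = $spn }
    "Added $spn to $($firewall.Name)`$"
} else {
    Write-Warning "$spn is not registered on any account. Re-run with -CreateIfMissing, or run: setspn -S $spn $FirewallComputer"
}

# 3. Ask the KDC for the same service ticket the browser would request, then check
#    that it landed in the ticket cache. The 'Server:' line in klist output names the SPN.
klist purge | Out-Null
klist get $spn | Out-Null
if (klist | Select-String -SimpleMatch "Server: $spn") {
    "Service ticket for $spn obtained. SSO will work once the browser trusts $RedirectHost (Local intranet zone / authentication-server allowlist)."
} else {
    Write-Warning "No service ticket for $spn. Check the SPN and DNS results above, and that this machine can reach a domain controller."
}
```

Run it once without -CreateIfMissing to see the current state; if the SPN is missing and the DNS name is the one you want to redirect to, run it again with -CreateIfMissing (or use the setspn command it prints). A ticket appearing in step 3 while the browser still falls back to NTLM points at browser trust (zone or allowlist), not at the firewall's SPNs.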