NTLM and Kerberos troubleshooting

Troubleshoot common Kerberos and NTLM issues.

Condition

Client devices fail authentication when Kerberos and NTLM are configured.

Cause

Common causes of authentication failure are configuration errors, domain join failures and, in the case of Kerberos, a key version number (KVNO) in the firewall's Kerberos keytab that doesn't match the one Active Directory uses for the firewall's account (and therefore the one the clients' service tickets are encrypted with).

Remedy

  1. Go to Authentication > Servers.
  2. Click on your AD server and then click Test connection.

    If the connection fails, you must resolve the AD connectivity issues. If the connection is successful, continue the steps below.

  3. Check that a firewall rule under Rules and policies > Firewall rules allows Kerberos and NTLM traffic for the affected clients.
  4. Go to Administration > Device access and make sure AD SSO is configured for the zone that clients are authenticating from. This will typically be your LAN zone.
  5. If you've configured Sophos Firewall as an explicit proxy, make sure the browser's proxy setting uses the firewall's hostname (FQDN), not its IP address. Kerberos builds the service principal name (SPN) from the hostname, so a client configured with an IP address can only use NTLM.
  6. Sign in to the Sophos Firewall command line interface.
  7. Select option 5. Device Management then option 3. Advanced Shell.
  8. Use the following command to check the nasm service is running: service -S | grep -i "nasm"
  9. Check that the principal name and KVNO in the firewall's Kerberos keytab match what the client and AD use.

    On the client PC, open a command prompt and run the following commands: setspn -Q */proxyhostname

    klist

    Change proxyhostname to the FQDN of Sophos Firewall. setspn -Q shows which AD account holds the SPN for the proxy; klist shows the tickets cached on the client, including the service ticket for the proxy SPN if Kerberos was negotiated.

    Also, retrieve the KVNO from AD using PowerShell with the following commands:

    For a user, run the following command: get-aduser USERNAME -property msDS-KeyVersionNumber

    Change USERNAME to the username of the user you're querying.

    For a machine, run the following command: get-adcomputer COMPUTERNAME$ -property msDS-KeyVersionNumber

    Change COMPUTERNAME to the name of the machine you're querying. The keys in the firewall's keytab belong to the firewall's own computer account, so query that account to get the KVNO the keytab should contain.

    On Sophos Firewall run the following commands in the advanced shell: chroot /content/nasm

    At the next prompt run the command: /oss/klist -e -k /tmp/krb5.keytab

    The output lists each key in the keytab with its KVNO, principal name and encryption type, one line per key.

    Check that the proxy name matches on both the client and Sophos Firewall. This is case sensitive.

    Check that the KVNO matches between both the client and Sophos Firewall.

  10. If the proxy name doesn't match between the client and Sophos Firewall, make sure the host record in AD for Sophos Firewall matches the hostname configured under Administration > Admin and user settings > Hostname.
  11. If the KVNO doesn't match, the user must sign out and back in to their account so that the client requests fresh tickets, or you must rejoin Sophos Firewall to the domain, which regenerates the keytab. This issue is normally caused by changing the hostname of Sophos Firewall after it has joined the domain.
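The comparison in steps 9 to 11 can be scripted so that the two checks (principal name, case-sensitive, and KVNO) are not done by eye. The following is an added example, not Sophos's own code: a POSIX shell function that reads the keytab listing in the format printed by /oss/klist -e -k (a "KVNO Principal" table with the encryption type in parentheses), looks for the proxy SPN and compares its KVNO with the value returned by get-adcomputer for the firewall's computer account. The listing embedded below is constructed sample output; the hostname fw.example.com, the realm EXAMPLE.COM, the KVNO 7 and the HTTP service class are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Sophos Firewall code). Checks a Kerberos keytab listing
# against the SPN and KVNO that AD reports. Assumes MIT-style "klist -e -k"
# output: lines of "<kvno> <principal> (<etype>)" after a two-line header.

# Constructed sample listing standing in for "/oss/klist -e -k /tmp/krb5.keytab".
# Hostname, realm and KVNO are assumed values for the example.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/fw.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 HTTP/fw.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 HTTP/fw.example.com@EXAMPLE.COM (arcfour-hmac)'

# keytab_kvno LISTING PRINCIPAL
# Prints the distinct KVNO(s) stored for PRINCIPAL (the part before "@").
# The comparison is exact and case-sensitive, as Kerberos treats it.
# Prints nothing when the principal is not in the keytab.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^ *[0-9]+ / {
            split($2, p, "@")
            if (p[1] == want) seen[$1] = 1
        }
        END { for (k in seen) print k }'
}

# check_keytab LISTING PRINCIPAL AD_KVNO
# Exit status 0: PRINCIPAL is in the keytab at AD_KVNO (nothing to fix).
#             1: PRINCIPAL is absent, i.e. hostname or case mismatch (step 10).
#             2: PRINCIPAL is present but at another KVNO, stale keytab (step 11).
check_keytab() {
    listing=$1; principal=$2; ad_kvno=$3
    kvnos=$(keytab_kvno "$listing" "$principal")
    if [ -z "$kvnos" ]; then
        echo "no key for $principal in keytab: check the hostname (case-sensitive)"
        return 1
    fi
    for k in $kvnos; do
        if [ "$k" = "$ad_kvno" ]; then
            echo "$principal kvno $k matches AD"
            return 0
        fi
    done
    echo "$principal in keytab at kvno $kvnos but AD reports $ad_kvno: rejoin the domain"
    return 2
}

# Usage with the constructed sample: AD says the computer account is at KVNO 7.
check_keytab "$SAMPLE_KEYTAB_LISTING" HTTP/fw.example.com 7
```

On a real firewall, run the function after the chroot from step 9 with the live listing and the AD value, for example check_keytab "$(/oss/klist -e -k /tmp/krb5.keytab)" HTTP/<firewall FQDN> <msDS-KeyVersionNumber>. A status of 1 points at step 10 (hostname mismatch, including a difference in case), a status of 2 at step 11 (rejoin the domain).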