Kerberos authentication fails against ProxySG with error: "wrong Kerberos service principal"
Last Updated May 12, 2018
When using the ProxySG, the Kerberos authentication does not work.
In the Policy_Trace on the ProxySG:
EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal
In the user's browser:
The HTTP Service Principal Name (SPN) of the ProxySG is missing in the Key Distribution Center (KDC).
Connect to your Active Directory Server (which is your KDC) and update the SPN registry of the ProxySG:
List your all the SPNs of the ProxySG and confirm the HTTP SPN is missing
setspn -l <insert your proxysg name>
Add the new SPN for HTTP
setspn -s http/<insert your proxysg name with FQDN> <insert your proxysg name>
Verify that the new HTTP SPN is listed for the ProxySG