Transparent Kerberos Issues
July 19, 2011 Customer Services
Synopsis
You cannot get Transparent Kerberos to work, or you have configured Transparent Kerberos successfully but users are still prompted to log in, and the login always fails.
Article
If you are getting prompted repeatedly, please run through the following checklist:
- Ensure you have the latest version of CensorNet installed, because a Microsoft hotfix (KB2425227) for Windows 7/Vista breaks Transparent Kerberos authentication for CensorNet running on Ubuntu 10.04 (Lucid).
- Ensure that the time on the CensorNet server is within 5 minutes of the time on the Active Directory server.
- Ensure that the time zone on the CensorNet server matches the time zone on the Active Directory server.
- Ensure the username you are entering is a member of the Domain Admins group, and ensure the username contains no spaces.
- Ensure that the web browser is not Internet Explorer 6 or below; those versions do not support Transparent Kerberos, so please upgrade or change web browsers.
- Ensure that the web browser proxy settings reference CensorNet by its fully qualified hostname rather than its IP address. To get the FQDN, type hostname -f at the CensorNet prompt (as root).
- Ensure that the CensorNet hostname (type: hostname) matches the machine account in Active Directory exactly. For example, if the hostname is censornet then the machine name cannot be Censornet; it must be 'censornet' as well. The cause of this mismatch is likely to be DNS.
- Ensure that the user has logged off and logged on at least once since you enabled Transparent Kerberos. This is required so that the user obtains a Kerberos ticket from the domain controller.
- Ensure that the BIOS clock on the CensorNet machine is set to GMT/UTC. Linux, like all Unix systems, requires the BIOS clock to be in UTC. If it is not, the time zones will be off, so even if the date and time look correct, authentication will still not work.
- Ensure that the CensorNet hostname is lower case. Do not use a mixed-case hostname such as CensorNet. To change the hostname, type: hostname as root, then edit /etc/hostname and /etc/hosts and add/update the new hostname.
- Ensure that there is no other user/machine in AD with the same name as the CensorNet hostname. If there is, delete or rename it and then re-configure Transparent Kerberos.
- Ensure that the FQDN specified in the browser is lower case and that the FQDN of CensorNet (hostname -f) is lower case.
- Ensure that the CensorNet hostname is not the same as the Windows domain/Active Directory domain name.
- If you previously used NTLM, make sure you delete the CensorNet machine/computer account and then reconfigure Transparent Kerberos; otherwise it may still be using the old NTLM trust relationship.
- If your Active Directory server does not have a Container Name (CN) called "Computers" because it has been renamed, you will need to alter the connection string to specify where the machine account should be created. As of CensorNet Professional v4 (1.9.x) and above, you can do this in the User Authentication settings page. Where the folder is more than one level deep, you should specify the string in reverse, e.g. CN=Office,CN=Servers, which would translate to \Servers\Office in Active Directory.
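The following script is an added example, not part of this article or the CensorNet product; it runs the items from the checklist that can be verified on the server itself (lower-case hostname and FQDN, FQDN agreeing with the hostname, hostname differing from the AD domain name, clock skew against the AD server, and the BIOS UTC flag). It assumes the AD domain name and the AD server's time (as a Unix epoch value) are passed in by the operator, and that the UTC flag lives in /etc/default/rcS on Ubuntu 10.04 or /etc/adjtime on later releases.

```shell
#!/bin/sh
# Added example (assumed helper, not CensorNet code): offline-testable checks
# for the Transparent Kerberos checklist. Run as root on the CensorNet host.

MAX_SKEW_SECONDS=300   # the article's 5-minute tolerance between CensorNet and AD

# 0 if the string contains no upper-case letters (hostname and FQDN must be lower case).
is_lowercase() {
    case "$1" in *[A-Z]*) return 1 ;; *) return 0 ;; esac
}

# 0 if the short hostname differs from the AD domain name, compared case-insensitively.
hostname_differs_from_domain() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$h" != "$d" ]
}

# 0 if the first label of the FQDN equals the short hostname (DNS and machine name agree).
fqdn_matches_hostname() {
    [ "${2%%.*}" = "$1" ]
}

# 0 if two epoch timestamps (CensorNet server, AD server) are within MAX_SKEW_SECONDS.
clock_skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( 0 - delta ))
    [ "$delta" -le "$MAX_SKEW_SECONDS" ]
}

# 0 if the given file records the BIOS clock as UTC: a bare "UTC" line (/etc/adjtime
# format) or "UTC=yes" (/etc/default/rcS format on Ubuntu 10.04). Location is assumed.
bios_clock_is_utc() {
    [ -r "$1" ] && { grep -qx 'UTC' "$1" || grep -qix 'UTC=yes' "$1"; }
}

# Gather live values and report every failed check. $1 = AD domain, $2 = AD epoch time.
run_all() {
    short=$(hostname); fqdn=$(hostname -f); now=$(date +%s)
    is_lowercase "$short" || echo "FAIL: hostname '$short' is not lower case"
    is_lowercase "$fqdn"  || echo "FAIL: FQDN '$fqdn' is not lower case"
    fqdn_matches_hostname "$short" "$fqdn" || echo "FAIL: '$fqdn' does not start with '$short' (check DNS)"
    hostname_differs_from_domain "$short" "$1" || echo "FAIL: hostname equals the AD domain name"
    clock_skew_ok "$now" "$2" || echo "FAIL: clock differs from AD by more than 5 minutes"
    bios_clock_is_utc /etc/default/rcS || bios_clock_is_utc /etc/adjtime \
        || echo "FAIL: BIOS clock is not recorded as UTC"
}

# Usage: sh kerberos-checks.sh --run <ad-domain-name> <ad-server-epoch-seconds>
if [ "${1:-}" = "--run" ]; then run_all "$2" "$3"; fi
```

Each FAIL line names the checklist item to revisit; a silent run means the server-side items passed, while the browser, user-account and AD-side items still need checking by hand.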
Once you have checked the above, if the problem persists, please contact Technical Support.