Support Center > Search Results > SecureKnowledge Details
Kerberos SSO is not redirecting when Captive Portal is enabled on Identity Awareness gateway Technical Level
Symptoms
  • Service Principal Names on DC servers are configured to HTTPS, but Kerberos SSO is not redirecting when Captive Portal is enabled.

  • Captures of Kerberos traffic on the Gateway show:

    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Cause

The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.


Solution

Service Principal Names (SPNs) on DC servers have to be configured to use HTTP.

For more details, refer to Microsoft KB929650 - How to use SPNs when you configure Web applications that are hosted on Internet Information Services.

 

Related solutions:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment