I have a BlueCoat ProxySG that is able to authenticate users via Kerberos. It is set to "Proxy" mode, so it requires user authentication for each new TCP connection. Users have Single Sign-On, and their PCs automatically pass their Windows login credentials when prompted by network services. The issue is that on a site with many background connections (www.bbc.com in this case), the user begins receiving popups for credentials after a while (most of the page and pictures have already loaded by this time). I believe this happens to every user using this site.
In a packet capture from the user's PC, Kerberos authentication seems to be working on every connection attempt (GET and CONNECT requests), as the user passes the service ticket properly with the GET/CONNECT requests. But then, all of a sudden, the client begins reaching out to the KDC for a new service ticket... in which case it actually errors with a PRE_AUTH_REQUIRED error and has to get a new KRBTGT from the KDC before attempting the TGS_REQ for the proxy again. This is when the popups for credentials seem to happen.
- My understanding is that the service ticket is stored in the user's Kerb tray and can be reused until it needs to be renewed (as noted by the renew date on the ticket itself). Is this a correct understanding?
- Why would the proxy all of a sudden require a different ticket?
- The BlueCoat ProxySG is supposed to automatically fall back to NTLM when Kerberos does not work, so why isn't it doing so? (NTLM works fine when not using Kerberos as the primary method of authentication.)
Thanks in advance!
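Added example (not part of the original post, and not BlueCoat or Windows code): a toy model of the client-side ticket cache and the KDC exchanges that the packet capture above would show. A Kerberos ticket carries two separate limits (RFC 4120): endtime, after which the ticket cannot be presented to a service at all, and renew-till, the last moment a renewable ticket (in practice the TGT) may be renewed without re-authenticating. The model reuses a cached service ticket until its endtime, then gets a new one with the TGT; if the TGT is past its endtime but before renew-till it is renewed, and only past renew-till does the client go back to the AS exchange, whose first request is answered with KDC_ERR_PREAUTH_REQUIRED (error 25) before the client retries with a PA-ENC-TIMESTAMP. The realm, service principal and short lifetimes are constructed for the walk-through.

```python
"""Toy model of a Kerberos client ticket cache (constructed example, not BlueCoat code).

Times are integer seconds. The lifetimes are deliberately short so the walk-through
fits in a few steps; real deployments use hours or days. Principal names are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# KRB-ERROR codes from RFC 4120 section 7.5.9
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_AP_ERR_TKT_EXPIRED = 32

TGT_NAME = "krbtgt/EXAMPLE.COM"          # assumed realm
PROXY_SPN = "HTTP/proxy.example.com"     # assumed proxy service principal


@dataclass
class Ticket:
    sname: str
    starttime: int
    endtime: int       # hard validity limit: unusable after this, renewed or not
    renew_till: int    # renewal limit: a renewable ticket may be renewed until this

    def usable(self, now: int) -> bool:
        return self.starttime <= now < self.endtime

    def renewable(self, now: int) -> bool:
        return now < self.renew_till


class ToyKdc:
    """Minimal AS and TGS exchanges that enforce pre-auth and the two ticket limits."""

    def __init__(self, tgt_life=600, renew_life=3600, svc_life=300, clock_skew=300):
        self.tgt_life, self.renew_life = tgt_life, renew_life
        self.svc_life, self.clock_skew = svc_life, clock_skew

    def as_req(self, now: int, pa_enc_timestamp: Optional[int] = None):
        """AS exchange: without pre-authentication data the KDC refuses with error 25."""
        if pa_enc_timestamp is None:
            return KDC_ERR_PREAUTH_REQUIRED, None
        if abs(pa_enc_timestamp - now) > self.clock_skew:
            return KDC_ERR_PREAUTH_FAILED, None
        return None, Ticket(TGT_NAME, now, now + self.tgt_life, now + self.renew_life)

    def tgs_req(self, tgt: Ticket, now: int, sname: Optional[str] = None, renew=False):
        """TGS exchange: renew the TGT itself, or issue a service ticket from it."""
        if renew:
            # Error code for a renewal past renew-till is a simplification of this model.
            if not tgt.renewable(now):
                return KRB_AP_ERR_TKT_EXPIRED, None
            end = min(now + self.tgt_life, tgt.renew_till)
            return None, Ticket(tgt.sname, now, end, tgt.renew_till)
        if not tgt.usable(now):
            return KRB_AP_ERR_TKT_EXPIRED, None
        # RFC 4120 3.3.3: an issued ticket's endtime/renew-till never exceed the TGT's
        end = min(now + self.svc_life, tgt.endtime)
        return None, Ticket(sname, now, end, min(now + self.renew_life, tgt.renew_till))


class ToyClient:
    """Client-side cache: the 'Kerberos tray' with one TGT and per-service tickets."""

    def __init__(self, kdc: ToyKdc):
        self.kdc, self.tgt, self.cache = kdc, None, {}

    def _fresh_tgt(self, now: int, log: list) -> None:
        err, tgt = self.kdc.as_req(now)               # first attempt carries no pre-auth
        log.append("AS-REQ")
        if err == KDC_ERR_PREAUTH_REQUIRED:
            log.append("KDC_ERR_PREAUTH_REQUIRED")
            err, tgt = self.kdc.as_req(now, pa_enc_timestamp=now)
            log.append("AS-REQ+PA-ENC-TIMESTAMP")
        if err is not None:
            raise RuntimeError(f"AS exchange failed with error {err}")
        self.tgt = tgt

    def _ensure_tgt(self, now: int, log: list) -> None:
        if self.tgt is not None and self.tgt.usable(now):
            return
        if self.tgt is not None and self.tgt.renewable(now):
            err, tgt = self.kdc.tgs_req(self.tgt, now, renew=True)
            log.append("TGS-REQ(RENEW krbtgt)")
            if err is None:
                self.tgt = tgt
                return
        self._fresh_tgt(now, log)                     # past renew-till: re-authenticate

    def get_service_ticket(self, sname: str, now: int):
        """Return (ticket, list of KDC exchanges needed) for presenting to `sname` now."""
        log = []
        cached = self.cache.get(sname)
        if cached is not None and cached.usable(now):
            log.append("cache-hit")
            return cached, log
        self._ensure_tgt(now, log)
        err, tkt = self.kdc.tgs_req(self.tgt, now, sname=sname)
        log.append("TGS-REQ")
        if err is not None:
            raise RuntimeError(f"TGS exchange failed with error {err}")
        self.cache[sname] = tkt
        return tkt, log


def walk_through():
    """Constructed timeline: returns {time: (exchanges, service-ticket endtime)}."""
    client = ToyClient(ToyKdc())
    steps = {}
    for now in (0, 100, 300, 650, 3700):
        tkt, log = client.get_service_ticket(PROXY_SPN, now)
        steps[now] = (log, tkt.endtime)
    return steps


if __name__ == "__main__":
    for t, (log, end) in walk_through().items():
        print(f"t={t:5d}  exchanges={log}  service ticket endtime={end}")
```

Reading the timeline: at t=0 the cache is empty, so the client does the AS exchange (with the expected error 25 round trip) and then a TGS-REQ for the proxy; at t=100 the cached proxy ticket is simply reused; at t=300 the proxy ticket has reached its endtime and a new one is fetched with the still-valid TGT (no AS traffic); at t=650 the TGT itself has expired but is within renew-till, so it is renewed with a TGS-REQ, again with no AS traffic; only at t=3700, past the TGT's renew-till, does the client go back to the AS exchange. When a capture shows AS-REQ traffic mid-session, that is the place to compare the cached TGT's endtime and renew-till against the time of the request.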