Troubleshoot Failure in Accessing Private Resources Using Kerberos Authentication

Available Languages

Download Options

  • PDF     (60.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (122.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (119.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 19, 2024
Document ID:222305

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes Kerberos behavior when being used along with Secure Access Zero Trust Network Access (ZTNA).

    Prerequisites 

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Secure Access
    • Cisco Secure Client
    • Internet Protocol Security (IPSEC) Tunnels
    • Remote Access Virtual Private Network (RAVPN)
    • Zero Trust Network Access (ZTNA)

    Background Information

    Secure Access is used in providing access to private applications through multiple scenarios including Zero Trust Access Module (ZTNA) on Secure Client, or IPSEC Tunnel or Remote Access VPN. While private applications provide their own authentication mechanism there is a limitation on the servers that rely on Kerberos as an authentication mechanism.

    Kerberos packet flowKerberos packet flow

    Problem: Failure in Accessing Private Resources Using Kerberos Authentication

    Initiating an authentication request from a client device behind ZTNA module to a private application behind App Connector, would cause the source IP address to change along the path of Secure Access network. Which results in Authentication failure when using the kerberos ticket initiated by the Clients Kerberos Distribution Center (KDC).

    Solution

    Client source IP address is part of the Kerberos tickets granted from Kerberos Distribution Center (KDC). In general when Kerberos tickets traverse through a network it is required that source IP address remain unchanged, otherwise the destination server we are authenticating with, does not not honor the ticket when compared to the source IP its sent from.

    To resolve this problem use one of the options:

    Option 1:

    Disable the option to include the source IP address in Client Kerberos ticket.

    Option 2:

    Use Secure Access VPN with private resources behind IPSEC tunnel instead of Private applications behind App Connector.

    note-icon

    Note: This behavior is only impacting Private Applications deployed behind App Connector and traffic is sourced from Client with ZTNA Module without VPN.

    note-icon

    Note: The Secure Access Activity Search shows allowed action for the transaction, as the block is happening on Private Application side not on Secure Access.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    19-Aug-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Fuad Al Asouli
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products