Symantec Access Management

  • 1.  OS X KRB5 SiteMinder

    Posted Jan 21, 2016 02:18 PM

    We are setting up kerberized SiteMinder. The web agent and policy server have been configured for KRB5 delegation. Windows clients have no issues accessing pages protected by SiteMinder using the user's Kerberos ticket.


    On OS X we are getting a Server Error 500 when trying to access a SiteMinder protected page. The OS X machine is bound to AD; the user is getting a forwardable and proxiable KRB5 TGT. We are using OS X 10.11.3 and Safari Version 9.0.3 (11601.4.4). We have also tried with Google Chrome 47.0.2526.111 (64-bit). Chrome has been properly configured with AuthNegotiateDelegateWhitelist and AuthServerWhitelist. All other kerberized web services work fine under OS X, just not the SiteMinder protected resources.


    We see this error on the web server when an OS X client connects:

    [Failed to create delegated GSSAPI token on behalf of HTTP/web.realm.com@REALM.COM for smps@policyserver.realm.com: Minor Status=-1765328199, Major Status=851968, Message=Cannot find ticket for requested realm]


    The TGS-REQ in Wireshark does show that the OS X client is sending a forwardable and proxiable ticket.


    Does anyone have OS X clients working with a SiteMinder KRB5 setup?



  • 2.  Re: OS X KRB5 SiteMinder

    Posted Sep 11, 2017 01:43 AM

    Hi, OS X is able to authenticate fine with the Kerberos Authentication Scheme.

    However, I find that it would only work if you limit the crypto to HMAC-RC4.

    Any other crypto would fail.


    SiteMinder's Kerberos is tested with MIT Kerberos and MS Kerberos.

    OS X has the Heimdal Kerberos package and does not appear to support crypto other than HMAC-RC4 when authenticating with the CA SSO integrated Kerberos Authentication Scheme.
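    The two posts together give the check a practitioner wants to run on the OS X client before touching the web agent: is the krbtgt actually forwardable (without that flag the agent cannot build the delegated GSSAPI token at all), and which enctype was it issued with (the reply reports that only HMAC-RC4 works against SiteMinder). The script below is an added example, not code from either poster or from SiteMinder. It classifies the output of Heimdal's `klist -v` (the Kerberos stack on OS X); the sample outputs are constructed, and the exact "Ticket etype:" / "Ticket flags:" labels are an assumption about Heimdal's verbose format.

```shell
#!/bin/sh
# Added example (not from the thread or from SiteMinder): classify the client's
# Kerberos TGT for delegation. Reads Heimdal `klist -v` text on stdin and reports
# whether the krbtgt is forwardable and which enctype it carries.
# Field labels are assumed from Heimdal's verbose klist output.

# Constructed sample outputs (not captured from a real client). Only the lines
# the check looks at are included; a real `klist -v` prints more.
SAMPLE_RC4_OK='Server: krbtgt/REALM.COM@REALM.COM
Client: jdoe@REALM.COM
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket flags: pre-authent, initial, renewable, proxiable, forwardable'

SAMPLE_AES='Server: krbtgt/REALM.COM@REALM.COM
Client: jdoe@REALM.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket flags: pre-authent, initial, renewable, proxiable, forwardable'

SAMPLE_NOT_FWD='Server: krbtgt/REALM.COM@REALM.COM
Client: jdoe@REALM.COM
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket flags: pre-authent, initial, renewable'

# inspect_tgt: klist -v text on stdin -> one verdict line on stdout:
#   NO_TGT           no krbtgt entry in the cache (run kinit first)
#   NOT_FORWARDABLE  krbtgt lacks the forwardable flag; delegation cannot work
#   ETYPE:<name>     forwardable, but issued with a non-RC4 enctype
#   OK               forwardable and RC4-HMAC, the combination the reply reports working
inspect_tgt() {
  awk '
    /^Server: krbtgt\// { in_tgt = 1; found = 1; next }   # start of the TGT block
    /^Server: /         { in_tgt = 0; next }              # any other service ticket
    in_tgt && /^Ticket etype:/ {
      sub(/^Ticket etype: */, ""); sub(/,.*$/, ""); etype = $0
    }
    in_tgt && /^Ticket flags:/ { if ($0 ~ /forwardable/) fwd = 1 }
    END {
      if (!found) { print "NO_TGT"; exit }
      if (!fwd)   { print "NOT_FORWARDABLE"; exit }
      # Heimdal names RC4 "arcfour-hmac-md5"; MIT prints "arcfour-hmac" or "rc4-hmac"
      if (etype ~ /^(arcfour-hmac|rc4-hmac)/) print "OK"; else print "ETYPE:" etype
    }'
}

# Stand-alone demo against the constructed samples.
for s in "$SAMPLE_RC4_OK" "$SAMPLE_AES" "$SAMPLE_NOT_FWD"; do
  printf '%s\n' "$s" | inspect_tgt
done
```

    On the real client run `kinit`, then `klist -v | inspect_tgt`. A `NOT_FORWARDABLE` verdict means the problem is on the client or KDC side (the account or the TGT request is not allowed to be forwardable), regardless of SiteMinder. An `ETYPE:` verdict is the situation the reply describes; the usual way to force the client onto RC4 is to restrict the ticket enctypes in the client's krb5.conf `[libdefaults]` (Heimdal: `default_etypes`; MIT: `default_tkt_enctypes` and `default_tgs_enctypes`) to `arcfour-hmac-md5`. Treat that as a workaround rather than a fix: RC4-HMAC is a weak enctype that Active Directory deployments are progressively disabling.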