Authentication profile + Kerberos + group restrictions - should work?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Authentication profile + Kerberos + group restrictions - should work?

L3 Networker

Running 4.0.5 here.

I setup SSL VPN a while ago, and setup an authentication profile to pull from our Active Directory via Kerberos.  I have an AD group and I only want the members of that group (or members of groups that are children of that master group) to have VPN access.

I only add that single group to the allow list, and nothing else.

For some period of time, this was working correctly.  I have users that are in that group and could access the VPN, as well as users in sub-groups that could also access it.

After some period of time, with zero changes to anything SSL-VPN or authentication related, this has stopped working.  I'm now getting a generic "invalid username or password" error, when it was working perfectly in the past.

If I edit the authentication profile and remove the group restriction and instead change to "all," everything works again, but I am no longer restricting VPN access as I would like.

What's going on here?

I have found from searches that group restrictions are not supported with LDAP... but I'm using Kerberos and couldn't find anything about it one way or another.  If it is not supposed to work with group restrictions, how the heck was it working for me in the past!?


L4 Transporter

Please could you open a case with the Support team so they may take a closer look.

L1 Bithead


did the support resolve your problem with using Groups with Kerberos authentication ? Can you post the solution ? Thanks !

I would be interested in a solution as well.

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!