https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83477#M11402 <P>Yes when you add the SPN -a it used to bypass the check on duplicate entries in the forest. In Server 2012 this has been changed it checks for duplicates anyway.</P><P>This same SPN needs to be added in each domain for SSO to work.&nbsp;</P><P>So yes the issue is that the same SPN's are used in each domain.</P><P>Works ok now - as the SPN's are already there.</P><P>However when we get a new firewall with a new name in a different location - we will have a problem for Kerberos SSO as it stands.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Apr 2020 11:34:26 GMT Simon_Croston 2020-04-28T11:34:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83084#M11400 <P>For a number of years we have been happily using Kerberos Transparent Auth SSO. We have multiple domains around the world.</P><P>This continues to work fine for existing gateways. We use the identity agent and with browser based sso as a backup.</P><P>So each domain would have the SPN for the gateway and the&nbsp;ckp_pdp registered. Has worked fine - for years.</P><P>The problem we have regards new gateways that we want to have registered in AD. Previously in a server 2008 AD environment you could have duplicate SPN's in a forest - ie so each domain can have the new firewall registered.</P><P>On server 2012 AD controllers the use of SPN -a has been depreciated and the SPN has to be unique in the forest. This means that we cannot register the new gateway in each domain.</P><P>Has anyone else encountered this - we want to stick with the identity agent, and no identity collectors or AD query.</P><P>How did you address this situation. It has only recently been an issue as we have a couple of new gateways and the last of the old 2008 AD controllers have now gone.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Apr 2020 15:37:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83084#M11400 Simon_Croston 2020-04-24T15:37:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83406#M11401 <P>Is the fact the same SPN is used with both domains the issue?<BR />Tagging&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>.</P> Tue, 28 Apr 2020 01:11:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83406#M11401 PhoneBoy 2020-04-28T01:11:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83477#M11402 <P>Yes when you add the SPN -a it used to bypass the check on duplicate entries in the forest. In Server 2012 this has been changed it checks for duplicates anyway.</P><P>This same SPN needs to be added in each domain for SSO to work.&nbsp;</P><P>So yes the issue is that the same SPN's are used in each domain.</P><P>Works ok now - as the SPN's are already there.</P><P>However when we get a new firewall with a new name in a different location - we will have a problem for Kerberos SSO as it stands.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Apr 2020 11:34:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/83477#M11402 Simon_Croston 2020-04-28T11:34:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/84074#M11403 <P>Any update on this?</P> Mon, 04 May 2020 12:53:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Kerberos-Transparent-Auth-with-multiple-domains-and-server-2012/m-p/84074#M11403 Simon_Croston 2020-05-04T12:53:47Z