Bypassing Kerberos for web-based apps

Introduction

About this Document

In this document, we explain how to bypass Kerberos authentication for cloud-based applications in network environments that use the AXS Guard proxy server. Even though we use Dropbox as an example, the procedure also applies to other cloud-based applications.

Use Case

The Dropbox client does not support Kerberos authentication.

If the AXS Guard has been configured to enforce Kerberos authentication for web access and is configured as your workstation’s proxy server, the Dropbox client will attempt to use proxy authentication and authenticate as the user none.

To bypass this behavior, you must create a dedicated Dropbox user account on the AXS Guard and assign a specific Dropbox ACL to this account. Finally, the proxy settings of the Dropbox client must be correctly configured on the workstation.

Configuration

Create a Web Access List

1. Log in to the AXS Guard appliance

2. Go to Web Access > Filters > Lists

3. Create a new list and add the Dropbox URLs. See the official Dropbox documentation to know which URLs should be added.

   

Create a Dropbox Category

1. Go to Web Access > Filters > Categories.

2. Add a new category for the Dropbox URLs. Add the list created in the previous step.

   

Create a Web Access ACL

1. Go to Web Access > Filters > ACL

2. Create a new ACL which only allows access to the Dropbox category created in the previous step.

   

Create a Dedicated User

1. Go to Users & Groups > Users.

2. Create a new user, e.g. dropbox, with a static password.

3. Select the Web Access tab and assign the Dropbox ACL created in the previous step.

   

Configure the Dropbox Client

Configure the proxy settings of your Dropbox client. Enter the username and password of the dedicated AXS Guard dropbox user. See the official Dropbox documentation for additional information.