Configuring Secure Email Gateway on UAG is not particularly difficult and is quite well documented on VMware docs.
When it comes to Kerberos authentication, however, things get more complex: you have to set up integration with certificate services, make changes to your Exchange environment and configure an SPN in Active Directory. If you want to configure SEG with Kerberos on UAG, follow the documentation for SEG on Windows. You can find it here.
Everything will go well … until you run into issues with Kerberos 😉 and then you’ll have to start troubleshooting.
In this post I want to share with you a nice and handy Kerberos tester tool which is included in UAG! This useful tool enables you to test your Kerberos setup. It will request a Kerberos ticket for a user using your service account and provide detailed logs.
How does it work?
When the SEG edge service is enabled on UAG, SSH into your UAG and follow the steps below to run the Kerberos tester tool.
Get the Docker container ID of the SEG container using the command below:
Open a shell inside the container (this is a docker exec, not an SSH login) using the obtained container ID. You will land in the container working directory “/opt/vmware/seg”:
docker exec -it containerID /bin/bash
Set the environment variables required for the KCD Client tool to run:
NOTE: After every docker exec login, run these two export commands again, as each login is a separate bash session.
Run the command below to check whether a Kerberos ticket can be obtained for the given UPN. For UAG 3.10, the KCD client binary is located in the “kerberos-client” subfolder of the working directory (“/opt/vmware/seg”), i.e. at /opt/vmware/seg/kerberos-client/VMware-KCD-Client. Replace service_account, domain_lowercase/domain_uppercase (the same domain in lowercase and uppercase), password and username with your own values:
./kerberos-client/VMware-KCD-Client -m kerberostest -n spn -w service_account@domain_lowercase@domain_uppercase -p password -u username@domain_uppercase
Note that the service account password is passed on the command line, so it is visible in the process list while the tool runs and ends up in the shell history of the container session. Use a dedicated test account where possible and clear or close the session when you are done.
Here is a screenshot of the output of the Kerberos tester tool:
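The steps above can be wrapped into a single script run from the UAG shell, so the container lookup, the exports and the client invocation happen in one docker exec session. The script below is an added example and not code from the original post or from VMware. It assumes a few things the post does not state: the SEG container is found by matching its image name (the default pattern "seg" is a guess, check docker ps on your appliance), the two export commands the post refers to are supplied by you in the KCD_EXPORTS environment variable, and the "-n spn" placeholder in the post stands for the target SPN. The -w and -u formats are taken from the post's command line.

```bash
#!/bin/sh
# Added example, not from the original post or from VMware: a wrapper that runs
# the UAG SEG Kerberos tester from the UAG shell in one step.
# Assumptions (not stated on the page): the SEG container is found by matching
# its image name, and the two export commands the post mentions are supplied
# by the operator in the KCD_EXPORTS environment variable.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# -w takes service_account@domain_lowercase@domain_uppercase (format from the post).
kcd_w_arg() {
  printf '%s@%s@%s' "$1" "$(lower "$2")" "$(upper "$2")"
}

# -u takes username@DOMAIN_UPPERCASE (format from the post).
kcd_u_arg() {
  printf '%s@%s' "$1" "$(upper "$2")"
}

# Reads `docker ps --format '{{.ID}} {{.Image}}'` output on stdin and prints the
# ID of the first container whose image name matches the pattern (default "seg").
# The pattern is an assumption; compare with `docker ps` on your UAG.
seg_container_id() {
  awk -v pat="${1:-seg}" 'tolower($2) ~ pat { print $1; exit }'
}

# Constructed sample of `docker ps` output (not captured from a real UAG), so the
# container lookup can be tried offline.
SAMPLE_DOCKER_PS='3f2a9c1b7e4d seg-service:1.0
8c0d1e2f3a4b some-other-image:latest'

# Runs the tester inside the SEG container. The password is read from a file so
# it does not land in the UAG shell history; inside the container it is still a
# command-line argument (the tool only takes -p), so use a dedicated test account.
run_kcd_test() {
  svc="$1"; domain="$2"; user="$3"; spn="$4"; pwfile="$5"
  cid=$(docker ps --format '{{.ID}} {{.Image}}' | seg_container_id)
  if [ -z "$cid" ]; then
    echo "SEG container not found; is the SEG edge service enabled?" >&2
    return 1
  fi
  pw=$(cat "$pwfile")
  # KCD_EXPORTS is evaluated in the same bash session as the client, because
  # every docker exec is a new session (as the post notes). Values are passed
  # as positional parameters so the password needs no shell quoting.
  docker exec "$cid" /bin/bash -c \
    'eval "$1"; cd /opt/vmware/seg && ./kerberos-client/VMware-KCD-Client -m kerberostest -n "$2" -w "$3" -p "$4" -u "$5"' \
    _ "${KCD_EXPORTS:-}" "$spn" "$(kcd_w_arg "$svc" "$domain")" "$pw" "$(kcd_u_arg "$user" "$domain")"
}

# Usage: KCD_EXPORTS='export A=...; export B=...' sh kcd-test.sh <service_account> <domain> <username> <spn> <password_file>
if [ $# -eq 5 ]; then
  run_kcd_test "$@"
fi
```

Run it on the UAG with the five arguments shown in the usage line; with no arguments it only defines the functions, which is handy for sourcing it and calling kcd_w_arg or seg_container_id on their own while debugging. The docker exec is deliberately run without -it, so the tool's detailed log is printed straight to the UAG shell where it can be redirected to a file.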