Capturing the Agentless DSSO Flow with Wireshark for Okta Support
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article explains how to use Wireshark to capture the Kerberos packet sent during the Agentless DSSO authentication flow for Okta Customer Support.

Applies To
  • Directories
  • Agentless Desktop Single Sign-On (Agentless DSSO)
  • Kerberos
  • Wireshark
Solution
  1. Download and install Wireshark on the machine used in Agentless DSSO Authentication (https://www.wireshark.org/).
  2. Once installed, launch Wireshark and select the adapter responsible for handling traffic between the host and the Domain Controller.
  3. Stop the Wireshark capture by selecting the red square icon.
  4. Select Edit > Preferences > Protocols > KRB5, check both boxes under the Kerberos header, ensure the TCP and UDP ports are set to the correct Kerberos port for the domain, and then select OK.
  5. Open a Command Prompt as a standard user and run the following command:
    • klist purge
  6. Start the Wireshark capture by selecting the blue fin icon. Select Continue without Saving to clear the previous results.
  7. Open a web browser and navigate to the Okta URL to begin the Agentless DSSO flow. Once it finishes, stop the Wireshark capture.
  8. Type "Kerberos" in the filter to verify the results.
  9. If there are no entries found, confirm the correct adapter is selected.
  10. A token beginning in YII is a Kerberos token, and a token beginning in TlR is an NTLM token.
    1. NTLM vs KERBEROS
  11. Select File > Save As and save the file in .pcapng format.
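
The YII and TlR prefixes mentioned in the steps above come from the first bytes of each token after base64 decoding. The following Python is an added example, not Okta's code: it decodes a token and classifies it by content rather than by prefix, which also identifies NTLM carried inside SPNEGO. It assumes the token is the value of an HTTP Negotiate header as seen in a proxy trace; the function name and the sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded mechanism OIDs and the NTLM message signature.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"


def classify_negotiate_token(value: str) -> str:
    """Return 'kerberos', 'ntlm' or 'unknown' for a Negotiate token."""
    token = value.strip()
    if token.lower().startswith("negotiate "):
        token = token.split(None, 1)[1]
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(NTLMSSP):
        return "ntlm"          # raw NTLM message: base64 begins "TlR"
    if raw[:1] == b"\x60":     # GSS-API framing: large tokens begin "YII"
        if NTLMSSP in raw:
            return "ntlm"      # NTLM carried inside SPNEGO
        if KRB5_OID in raw or MS_KRB5_OID in raw:
            return "kerberos"
    return "unknown"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample tokens (padding bytes only, not real tickets or hashes).
_krb_body = SPNEGO_OID + KRB5_OID + bytes(300)
SAMPLE_KERBEROS = _b64(b"\x60\x82" + len(_krb_body).to_bytes(2, "big") + _krb_body)
SAMPLE_NTLM = _b64(NTLMSSP + b"\x01\x00\x00\x00" + bytes(24))
_wrapped = SPNEGO_OID + NTLMSSP + b"\x01\x00\x00\x00" + bytes(24)
SAMPLE_WRAPPED_NTLM = _b64(bytes([0x60, len(_wrapped)]) + _wrapped)

if __name__ == "__main__":
    for name, tok in [("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM),
                      ("wrapped ntlm", SAMPLE_WRAPPED_NTLM)]:
        print(f"{name:13} {tok[:8]}...  ->  {classify_negotiate_token(tok)}")
```

The wrapped NTLM sample begins with neither YII nor TlR, which is why the check looks at the decoded bytes instead of the base64 prefix alone.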
 
 