Configuring Kerberos Authentication

Procedure

1. Configure the AD Server.
   This procedure uses the LDAP server in Windows Server 2012 as an example.

   To add a DNS record on the AD server:
   1. Go to Administrative Tools → DNS → Forward Lookup Zones.
   2. Right-click the name of the AD domain to synchronize with Deep Discovery Web Inspector, and then click New Host....
   3. On the New Host window that appears, type the hostname and IP address of Deep Discovery Web Inspector. The FQDN field is automatically filled in.
      If you configure management portal FQDN and authentication portal FQDN, you need also to add these FQDN’s resolving information in the DNS server.
   4. Click Add Host.
   To configure the forwarder for the AD server:
   1. Go to Administrative Tools → DNS.
   2. Right-click the computer name of the AD server, and then click Properties.
   3. Click the Forwarders tab, and then click Edit.
   4. On the Edit Forwarders window that appears, type the IP address of the DNS server which can resolve the external network.
   5. Click OK.
2. Configure the client computer.
   To configure the DNS server for the client computer:
   1. Open a browser on a client computer, and then navigate to Internet Protocol Version 4 (TCP/IP4) Properties in Internet settings.
   2. Set the Preferred DNS server to the IP address of the AD server.
   3. Click OK.
   To add a client computer to an AD domain:
   1. Go to System Properties, and on the Computer Name tab, click Change.
   2. In the Computer Name/Domain Changes window that appears, select Domain and type the name of the domain that the client computer belongs to.
   3. Click OK, and then type and confirm the user name and password of the administrator.
   4. Restart the client computer, and then log on to the computer using the domain user account credentials.
   To enable automatic authentication in IE:
   1. Open Internet Explorer on a client computer, and then go to the Security tab in Internet settings.
   2. Click Custom Level and go to User Authentication in the Settings area.
   3. Click Automatic logon only in Intranet zone and click OK.
   4. Go to the Advanced tab, and then check whether Enable Integrated Windows Authentication* is selected. If not, select the check box and click OK.
   To enable automatic authentication in Firefox:
   1. Open Firefox on a client computer and type about:config in the address field.
   2. Locate network.negotiate-auth.trusted-uris and double-click it.
   3. On the screen that appears, type the hostname, management FQDN and authentication FQDN of Deep Discovery Web Inspector (separating them with comma), and then click OK.
      If these FQDNs are in the same AD domain, type the AD domain name starting with a dot, for example, .example.com.
   To configure the proxy server for the client computer if Deep Discovery Web Inspector is in proxy mode:
   1. Open a browser on a client computer, and then navigate to Local Area Network settings in Internet settings.
   2. Select to use a proxy server, and then type the FQDN of Deep Discovery Web Inspector in the Address text box.

      Note Setting the IP address here will result in a downgrade to NTLM in the authentication negotiation.

   3. Click OK, and then click OK.
3. Generate the keytab file on the AD Server.
   Ensure that the AD service works properly on the AD server.
   1. Create an AD user, for example, testkbs@example.com, and ensure that the Password never expires check box is selected.
   2. Run the following command to associate the AD user with a Server Principal Name (SPN).
      DDWI hostname: host.example.com
      Management portal FQDN: admin.example.com
      DDWI Authentication portal FQDN: auth.example.com
      # setspn -a HTTP/host.example.com testkbs
      # setspn -a HTTP/admin.example.com testkbs
      # setspn -a HTTP/auth.example.com testkbs

      Note One AD user can be associated with multiple SPNs by running this command for multiple times. Trend Micro strongly recommends not associating one SPN with multiple AD users, which otherwise would result in Kerberos authentication failure due to duplicate SPNs. The user authentication method will be automatically switched to NTLM.

   3. Run the following command to generate the Keytab file for the SPN to append:
      ktpass.exe -princ HTTP/hostname.example.com:port@EXAMPLE.COM -pass <password of user> -mapuser user@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab
      DDWI hostname: host.example.com
      DDWI Management portal FQDN: admin.example.com
      DDWI Authentication portal FQDN: auth.example.com
      For each service of hostname, management FQDN and authenticaon FQDN, need create keytab principal:

      • Create keytab principal for hostname
        # ktpass.exe -princ HTTP/host.example.com:8080@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab
        # ktpass.exe -princ HTTP/host.example.com@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        # ktpass.exe -princ HTTP/host.example.com:8443@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
      • Create keytab principal for management portal FQDN
        # ktpass.exe -princ HTTP/admin.example.com:8080@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        # ktpass.exe -princ HTTP/admin.example.com@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        # ktpass.exe -princ HTTP/admin.example.com:8443@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
      • Create keytab principal for authentication portal FQDN
        # ktpass.exe -princ HTTP/auth.example.com:8080@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        # ktpass.exe -princ HTTP/auth.example.com@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        # ktpass.exe -princ HTTP/auth.example.com:8443@EXAMPLE.COM -pass <password of user testkbs> -mapuser testkbs@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
        The keytab file named ddwi.keytab is successfully generated.
        By default, the keytab file is stored under C:\Users\Administrator. You can also specify the path to put the file.
   4. Optionally run the following command to append another SPN to the keytab file:
      ktpass.exe -princ HTTP/hostname.example.com:port2@EXAMPLE.COM -pass <password of user> -mapuser user@example.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
   5. Optionally copy the keytab file to another AD server, repeat steps a and b, and then run the following command to append a new SPN to the existing keytab file:
      ktpass.exe -princ HTTP/hostname2.example2.com:port@EXAMPLE2.COM -pass <password of user2> -mapuser user2@example2.com -mapop add -ptype KRB5_NT_PRINCIPAL -crypto all -out ddwi.keytab -in ddwi.keytab
4. Upload the keytab file to Deep Discovery Web Inspector.
   Upload the kerberos keytab file to Deep Discovery Web Inspector by going to Administration → Active Directory Services → Global Authentication Settings to check whether all required SPNs are appended to the keytab file under Keytable information.