Before enabling Kerberos to authenticate users forwarding web traffic to a TMWS on-premises gateway, you need to:
Procedure
- Configure the AD server.
- Configure the client computer and enable automatic authentication on client browsers.
- Generate the keytab file on the AD server.
- Upload the keytab file to the on-premises gateway and reload the TMWS services.
Configuring the AD Server
This procedure uses the LDAP v2 server in Windows Server 2012 as an example. Windows Server 2016 and 2019 are also supported.
To add a DNS record of the on-premises gateway on the AD server:
- Go to.
- Right-click the name of the AD domain to synchronize with TMWS, and then click New Host....
- On the New Host window that appears, type the hostname and IP address of the on-premises gateway. The FQDN field is automatically filled in.
- Click Add Host.
To configure the forwarder for the AD server:
- Go to.
- Right-click the computer name of the AD server, and then click Properties.
- Click the Forwarders tab, and then click Edit.
- On the Edit Forwarders window that appears, type the IP address of the DNS server set for the on-premises gateway.
- Click OK, and then click OK.
Configuring the Client Computer
To configure the DNS server for the client computer:
- Open a browser on a client computer, and then navigate to Internet Protocol Version 4 (TCP/IP4) Properties in Internet settings.
- Set the Preferred DNS server to the IP address of the AD server.
- Click OK.
To disable IPv6 on the client computer:
- Open a browser on a client computer, navigate to Internet Protocol Version 6 (TCP/IPv6) in Internet settings, and then clear the check box.
- Click OK.
To add a client computer to an AD domain:
- Go to System Properties, and on the Computer Name tab, click Change.
- On the Computer Name/Domain Changes window that appears, select Domain and type the name of the domain that the client computer belongs to.
- Click OK, and then type and confirm the user name and password of the administrator.
- Restart the client computer, and then log on to the computer using the domain user account credentials.
To enable automatic authentication in Firefox:
- Open Firefox on a client computer and type "about:config" in the address field.
- Locate network.negotiate-auth.trusted-uris and double-click it.
- On the screen that appears, type the hostname of the on-premises gateway, and then click OK. You can type the hostnames of several on-premises gateways, separating them with commas. To include all the on-premises gateways that support Kerberos authentication in the AD domain, type the AD domain name starting with a dot, for example, .example.com.
To configure the proxy server for the client computer:
- Open a browser on a client computer, and then navigate to Local Area Network settings in Internet settings.
- Select to use a proxy server, and then type the FQDN of the on-premises gateway in the Address text box.
Note
Setting the IP address of the on-premises gateway here will result in a downgrade to NTLM in the authentication negotiation.
- Click OK, and then click OK.
Generating the keytab File on the AD Server
Before you begin
Ensure that the AD service works properly on the AD server.
Procedure
- Create an AD user, for example, test, and ensure that the check boxes Password never expires and This account supports Kerberos AES 256 bit encryption are selected.
- Run the following command to associate the AD user with a Service Principal Name (SPN):
setspn -a HTTP/hostname.example.com test
Note
hostname is the host name created in the DNS record for the on-premises gateway on this AD domain. One AD user can be associated with multiple SPNs for different on-premises gateways or AD domains by running this command multiple times. Trend Micro strongly recommends not associating one SPN with multiple AD users, which would otherwise result in Kerberos authentication failure due to duplicate SPNs. The user authentication method will then be automatically switched to NTLM.
- Run the following command to generate the keytab file for the SPN to append:
ktpass -princ HTTP/hostname.example.com:8080@EXAMPLE.COM -mapuser test -pass <password of user test> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -crypto AES256-SHA1
The keytab file named tmws.keytab is successfully generated. By default, the keytab file is stored under C:\Users\Administrator. You can also specify the path to put the file.
- Optionally run the following command to append another SPN to the keytab file:
ktpass -princ HTTP/hostname2.example1.com:8080@EXAMPLE1.COM -mapuser test -pass <password of user test> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -in tmws.keytab -crypto AES256-SHA1
- Optionally copy the keytab file to another AD server, repeat steps 1 and 2, and then run the following command to append a new SPN to the existing keytab file:
ktpass -princ HTTP/hostname3.example2.com:8080@EXAMPLE2.COM -mapuser test1 -pass <password of user test1> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -in tmws.keytab -crypto AES256-SHA1
- Run the following command on the on-premises gateway to check whether all required SPNs are appended to the keytab file:
klist -k tmws.keytab
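The klist check above only lists what the keytab contains; it does not tell you whether every gateway's SPN is there with the AES256 key the ktpass commands request, nor why an IP address in the browser's proxy setting ends in an NTLM downgrade. The following added example (it is not Trend Micro's code and is not part of this page) builds a small MIT-format keytab in memory, parses it the way klist -k lists entries, checks it against a list of required SPNs, and derives the SPN a browser would request from the configured proxy address. All hostnames, realms and key bytes are constructed sample values; SPNs are compared on hostname only so that a principal written with a port, as the ktpass examples do, still matches the bare host.

```python
"""Keytab sanity check (added example, not Trend Micro's code)."""
import ipaddress
import struct
from urllib.parse import urlsplit

ENCTYPE_AES256_SHA1 = 18   # aes256-cts-hmac-sha1-96, what "-crypto AES256-SHA1" writes
ENCTYPE_RC4_HMAC = 23      # arcfour-hmac, used here only as a weak-key sample


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab.
    principal is written as ktpass does, e.g. 'HTTP/host.example.com:8080'."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)              # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)              # timestamp, irrelevant here
        body += struct.pack(">B", kvno & 0xFF)    # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry: principal, realm, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                      # name type (4 bytes) + timestamp (4 bytes)
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen               # the key bytes themselves are not needed
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def normalize_spn(spn):
    """Lower-case the host and drop a ':port' suffix so HTTP/host:8080 == HTTP/host."""
    service, _, host = spn.partition("/")
    return f"{service.upper()}/{host.split(':')[0].lower()}"


def expected_spn(proxy_address):
    """SPN a browser requests for the configured proxy, or None for an IP literal.
    With an IP address there is no hostname to form HTTP/<host> from, so no
    service ticket can be obtained and the negotiation falls back to NTLM."""
    host = urlsplit("//" + proxy_address).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return f"HTTP/{host}"


def check_keytab(data, required_spns):
    """Describe what is wrong with the keytab for the given SPNs (empty list = OK)."""
    enctypes_by_spn = {}
    for entry in parse_keytab(data):
        key = normalize_spn(entry["principal"])
        enctypes_by_spn.setdefault(key, set()).add(entry["enctype"])
    problems = []
    for spn in required_spns:
        encs = enctypes_by_spn.get(normalize_spn(spn), set())
        if not encs:
            problems.append(f"missing: {spn}")
        elif ENCTYPE_AES256_SHA1 not in encs:
            problems.append(f"{spn}: no AES256 key, enctypes {sorted(encs)}")
    return problems


# Constructed sample: two gateways keyed as on this page, plus one with an RC4-only key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/hostname.example.com:8080", "EXAMPLE.COM", 3, ENCTYPE_AES256_SHA1, b"\x11" * 32),
    ("HTTP/hostname2.example1.com:8080", "EXAMPLE1.COM", 3, ENCTYPE_AES256_SHA1, b"\x22" * 32),
    ("HTTP/legacy.example.com", "EXAMPLE.COM", 2, ENCTYPE_RC4_HMAC, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):          # klist -k style listing
        print(f"{e['kvno']:>4} {e['principal']}@{e['realm']} (enctype {e['enctype']})")
    for addr in ("hostname.example.com:8080", "192.0.2.10:8080"):
        print(addr, "->", expected_spn(addr) or "no SPN possible, NTLM fallback")
    print(check_keytab(SAMPLE_KEYTAB, ["HTTP/hostname.example.com",
                                       "HTTP/hostname3.example2.com",
                                       "HTTP/legacy.example.com"]))
```

To run it against a real file, replace SAMPLE_KEYTAB with the bytes read from the uploaded keytab and pass the HTTP/<gateway FQDN> SPNs you expect; a non-empty result means a gateway will fall back to NTLM (missing SPN) or is keyed with an enctype other than the AES256 one the ktpass commands above produce.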
Configuring the Kerberos Information on the On-Premises Gateway
Procedure
- Copy the keytab file on to the on-premises gateway under /var/iwss/.
- Run the following command to reload the proxy services to apply the settings:
/etc/iscan/S99ISproxy reload