Configuring Kerberos Authentication

Before enabling Kerberos to authenticate users forwarding web traffic to a TMWS on-premises gateway, you need to:

  1. Configure the AD server.
  2. Configure the client computer and enable automatic authentication on client browsers.
  3. Generate the keytab file on the AD server.
  4. Upload the keytab file to the on-premises gateway and reload the TMWS services.

Configuring the AD Server

This procedure uses the AD server on Windows Server 2012 as an example. Windows Server 2016 and 2019 are also supported.

To add a DNS record of the on-premises gateway on the AD server:

  1. Go to Administrative Tools > DNS > Forward Lookup Zones.

  2. Right-click the name of the AD domain to synchronize with TMWS, and then click New Host....

  3. On the New Host window that appears, type the hostname and IP address of the on-premises gateway. The FQDN field is automatically filled in.

  4. Click Add Host.

To configure the forwarder for the AD server:

  1. Go to Administrative Tools > DNS.

  2. Right-click the computer name of the AD server, and then click Properties.

  3. Click the Forwarders tab, and then click Edit.

  4. On the Edit Forwarders window that appears, type the IP address of the DNS server set for the on-premises gateway.

  5. Click OK, and then click OK.

Configuring the Client Computer

To configure the DNS server for the client computer:

  1. On a client computer, open the properties of the active network connection (Control Panel > Network and Sharing Center > Change adapter settings, right-click the connection, and then click Properties), select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  2. Set the Preferred DNS server to the IP address of the AD server.

  3. Click OK.

To disable IPv6 on the client computer:

  1. In the same network connection properties window on the client computer, clear the Internet Protocol Version 6 (TCP/IPv6) check box.

  2. Click OK.

To add a client computer to an AD domain:

  1. Go to System Properties, and on the Computer Name tab, click Change.

  2. On the Computer Name/Domain Changes window that appears, select Domain and type the name of the domain that the client computer belongs to.

  3. Click OK, and then type the user name and password of an account that is allowed to join computers to the domain.

  4. Restart the client computer, and then log on to the computer using the domain user account credentials.

To enable automatic authentication in IE:

  1. Open Internet Explorer on a client computer, and then go to the Security tab in Internet settings.

  2. Click Custom Level and go to User Authentication in the Settings area.

  3. Click Automatic logon only in Intranet zone and click OK.

  4. Go to the Advanced tab, and then check whether Enable Integrated Windows Authentication* is selected. If not, select the check box and click OK.

To enable automatic authentication in Firefox:

  1. Open Firefox on a client computer and type "about:config" in the address field.

  2. Locate network.negotiate-auth.trusted-uris and double-click it.

  3. On the screen that appears, type the hostname of the on-premises gateway, and then click OK.

    You can type the hostnames of several on-premises gateways, separating them with commas. To include all the on-premises gateways that support Kerberos authentication in the AD domain, type the AD domain name starting with a dot, for example, .example.com.

To configure the proxy server for the client computer:

  1. On a client computer, open Internet Options, click the Connections tab, and then click LAN settings.

  2. Select Use a proxy server for your LAN, and then type the FQDN of the on-premises gateway in the Address text box.

    Note:

    Type the FQDN, not the IP address, of the on-premises gateway here. The browser builds the service principal name for the Kerberos ticket request from the proxy address it is given (HTTP/<address>); no SPN of the form HTTP/<IP address> exists in AD, so the client cannot obtain a ticket and the Negotiate exchange silently falls back to NTLM.

  3. Click OK, and then click OK.
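To confirm on the wire whether clients really authenticate with Kerberos or have fallen back to NTLM (for example because the proxy was configured by IP address), inspect the Proxy-Authorization header the client sends to the gateway. The Python script below is an added example, not part of the TMWS product or of this guide: it decodes the Negotiate token, walks the SPNEGO NegTokenInit to read the client's preferred mechanism OID, and labels each header Kerberos or NTLM. The sample headers are constructed inside the script (an NTLM type 1 message and a Kerberos mechToken whose AP-REQ body is replaced by a placeholder), not captured from a real gateway.

```python
"""Classify Proxy-Authorization tokens as Kerberos or NTLM to spot Negotiate downgrades."""
from __future__ import annotations

import base64

# DER OID contents (no tag/length) for the mechanisms that appear in SPNEGO.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10
KERBEROS_MECHS = (KRB5_OID, MS_KRB5_OID)


def _der_read(buf: bytes) -> tuple[int, bytes, bytes]:
    """Split the first DER TLV in buf into (tag, contents, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]


def _der(tag: int, contents: bytes) -> bytes:
    """DER TLV encoder; used here only to build the constructed sample tokens."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + contents


def classify_token(token: bytes) -> str:
    """Return 'Kerberos', 'NTLM' or 'unknown' for a decoded Negotiate/NTLM token."""
    if token.startswith(b"NTLMSSP\x00"):              # bare NTLMSSP message
        return "NTLM"
    if not token or token[0] != 0x60:                 # GSS InitialContextToken is [APPLICATION 0]
        return "unknown"
    _, body, _ = _der_read(token)
    tag, mech, rest = _der_read(body)
    if tag != 0x06:
        return "unknown"
    if mech in KERBEROS_MECHS:                        # raw Kerberos token, no SPNEGO wrapper
        return "Kerberos"
    if mech != SPNEGO_OID:
        return "unknown"
    tag, init, _ = _der_read(rest)                    # NegotiationToken: negTokenInit is [0]
    if tag != 0xA0:
        return "unknown"
    _, fields, _ = _der_read(init)                    # NegTokenInit SEQUENCE
    tag, mech_types, _ = _der_read(fields)            # mechTypes [0] MechTypeList
    if tag != 0xA0:
        return "unknown"
    _, mech_seq, _ = _der_read(mech_types)
    mechs = []
    while mech_seq:
        _, oid, mech_seq = _der_read(mech_seq)
        mechs.append(oid)
    # The first mechType is the one the client's optimistic mechToken is built for.
    if mechs and mechs[0] in KERBEROS_MECHS:
        return "Kerberos"
    if mechs and mechs[0] == NTLMSSP_OID:
        return "NTLM"
    return "unknown"


def classify_proxy_authorization(header_value: str) -> str:
    """Classify the value of a Proxy-Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "Basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        return classify_token(base64.b64decode(b64.strip(), validate=True))
    except ValueError:                                # binascii.Error is a ValueError
        return "unknown"


def _spnego_init(mechs: list[bytes], mech_token: bytes) -> bytes:
    """Build a NegTokenInit with the given mechTypes and optimistic mechToken."""
    fields = _der(0xA0, _der(0x30, b"".join(_der(0x06, m) for m in mechs)))
    fields += _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, fields)))


# Constructed samples, not captured traffic. The Kerberos mechToken is a krb5
# InitialContextToken whose AP-REQ body is replaced by a placeholder string.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("07820800") + bytes(16)
KRB5_TOKEN = _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00" + b"<AP-REQ omitted>")
SAMPLE_HEADERS = {
    "proxy_by_fqdn": "Negotiate " + base64.b64encode(
        _spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], KRB5_TOKEN)).decode(),
    "proxy_by_ip": "Negotiate " + base64.b64encode(
        _spnego_init([NTLMSSP_OID], NTLM_TYPE1)).decode(),
    "legacy_client": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
}


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Classify a batch of header values, keyed by whatever label the caller uses."""
    return {name: classify_proxy_authorization(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_HEADERS).items():
        print(f"{name:15s} {result}")
```

A Negotiate header whose mechTypes list begins with the NTLMSSP OID is the signature of the downgrade described in the note above: the client still speaks SPNEGO, but it never obtained a Kerberos ticket for the proxy. Feeding real header values captured from the gateway into classify_proxy_authorization gives a quick count of how many clients are actually on Kerberos.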

Generating the keytab File on the AD Server

Ensure that the AD service works properly on the AD server.

  1. Create an AD user, for example, test, and select the Password never expires check box. The keytab holds keys derived from this password, so any password change or expiry invalidates the keytab until it is regenerated.
  2. Run the following command to associate the AD user with a Service Principal Name (SPN):

    setspn -a HTTP/hostname.example.com test

    Note:

    hostname is the host name created in the DNS record for the on-premises gateway on this AD domain.

    One AD user can be associated with multiple SPNs for different on-premises gateways or AD domains by running this command multiple times.

    Trend Micro strongly recommends not associating one SPN with multiple AD users. Duplicate SPNs cause Kerberos authentication to fail because the KDC cannot tell which account the ticket is for, and the client silently falls back to NTLM.

  3. Run the following command to generate the keytab file for the SPN:

    ktpass -princ HTTP/hostname.example.com:8080@EXAMPLE.COM -mapuser test -pass <password of user test> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add

    The keytab file named tmws.keytab is generated in the current working directory of the command prompt (for example, C:\Users\Administrator when the prompt was opened by that user). Specify a full path in -out to put the file elsewhere.

    The keytab contains the long-term keys of the service account, so keep it on a protected path and delete the copy on the AD server once it has been uploaded to the gateway.

  4. Optionally run the following command to append another SPN to the keytab file:

    ktpass -princ HTTP/hostname2.example1.com:8080@EXAMPLE1.COM -mapuser test -pass <password of user test> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -in tmws.keytab

  5. Optionally copy the keytab file to another AD server, repeat steps 1 and 2 there, and then run the following command to append a new SPN to the existing keytab file:

    ktpass -princ HTTP/hostname3.example2.com:8080@EXAMPLE2.COM -mapuser test1 -pass <password of user test1> -out tmws.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -in tmws.keytab

  6. Run the following command on the on-premises gateway to check whether all required SPNs are present in the keytab file (add -e to also show the encryption type of each key):

    klist -k tmws.keytab
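As a cross-check for step 6 that does not depend on klist being available where the file is inspected, the Python script below is an added example (not part of TMWS or of this guide) that parses the MIT keytab format ktpass writes, lists each entry's principal, kvno and encryption type, and reports which required SPNs are absent. The sample keytab is built in memory by the script from the principal names in the commands above, with dummy key bytes; it is constructed, not a real generated file.

```python
"""Inspect an MIT-format keytab (the format ktpass writes) and verify the SPNs in it."""
from __future__ import annotations

import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1
# Encryption-type numbers registered for Kerberos (RFC 3961/3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # "HTTP/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


class _Reader:
    """Cursor over the keytab bytes; all integers are big-endian."""
    def __init__(self, data: bytes, pos: int) -> None:
        self.data, self.pos = data, pos

    def unpack(self, fmt: str) -> tuple:
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def counted_string(self) -> str:   # uint16 length followed by the bytes
        (n,) = self.unpack(">H")
        return self.take(n).decode()


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Return every live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    r = _Reader(data, 2)
    entries: list[KeytabEntry] = []
    while r.pos + 4 <= len(data):
        (size,) = r.unpack(">i")
        if size < 0:                         # negative size marks a deleted slot
            r.pos += -size
            continue
        end = r.pos + size
        (ncomp,) = r.unpack(">H")            # v2: component count excludes the realm
        realm = r.counted_string()
        comps = [r.counted_string() for _ in range(ncomp)]
        name_type, timestamp, vno8 = r.unpack(">IIB")
        enctype, klen = r.unpack(">HH")
        key = r.take(klen)
        kvno = vno8
        if end - r.pos >= 4:                 # 32-bit kvno is optional trailing data
            (kvno32,) = r.unpack(">I")
            kvno = kvno32 or vno8
        r.pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def missing_spns(data: bytes, required: list[str]) -> list[str]:
    """SPNs from `required` that have no entry in the keytab (any enctype counts)."""
    present = {e.principal for e in parse_keytab(data)}
    return [p for p in required if p not in present]


def describe(data: bytes) -> list[str]:
    """One line per entry, in the spirit of `klist -ke`."""
    return [f"{e.kvno:>4} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, f'etype {e.enctype}')})"
            for e in parse_keytab(data)]


def build_keytab(entries: list[tuple[str, int, bytes, int]]) -> bytes:
    """Writer used only to construct the sample below (principal, enctype, key, kvno)."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 1700000000, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: the two principals from the ktpass steps above, dummy keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/hostname.example.com:8080@EXAMPLE.COM", 23, bytes(range(16)), 3),
    ("HTTP/hostname2.example1.com:8080@EXAMPLE1.COM", 18, bytes(range(32)), 3),
])

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_KEYTAB)))
    print("missing:", missing_spns(SAMPLE_KEYTAB, [
        "HTTP/hostname.example.com:8080@EXAMPLE.COM",
        "HTTP/hostname3.example2.com:8080@EXAMPLE2.COM"]))
```

Point parse_keytab at the bytes of a real tmws.keytab to list what ktpass actually wrote. Two things are worth checking in the output besides the principal names: the kvno must match the account's current key version (it changes whenever the password is reset, which is why step 1 sets Password never expires), and the encryption type reported is the one the gateway will have to support, so an entry showing only arcfour-hmac or a DES type is a sign the ktpass -crypto choice needs revisiting.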

Configuring the Kerberos Information on the On-Premises Gateway

  1. Copy the keytab file onto the on-premises gateway under /var/iwss/. Transfer it over an encrypted channel and make sure the copy on the gateway is not world-readable, because the file contains the service account's long-term keys.
  2. Run the following command to reload the proxy services to apply the settings: /etc/iscan/S99ISproxy reload