Before enabling Kerberos to authenticate users forwarding web traffic to a TMWS on-premises gateway, you need to:
This procedure uses the LDAP v2 server in Windows Server 2012 as an example. Windows Server 2016 and 2019 are also supported.
To add a DNS record of the on-premises gateway on the AD server:
Go to Administrative Tools > DNS > Forward Lookup Zones.
Right-click the name of the AD domain to synchronize with TMWS, and then click New Host....
On the New Host window that appears, type the hostname and IP address of the on-premises gateway. The FQDN field is automatically filled in.
Click Add Host.
To configure the forwarder for the AD server:
Go to Administrative Tools > DNS.
Right-click the computer name of the AD server, and then click Properties.
Click the Forwarders tab, and then click Edit.
On the Edit Forwarders window that appears, type the IP address of the DNS server set for the on-premises gateway.
Click OK, and then click OK.
To configure the DNS server for the client computer:
Open a browser on a client computer, and then navigate to Internet Protocol Version 4 (TCP/IPv4) Properties in Internet settings.
Set the Preferred DNS server to the IP address of the AD server.
Click OK.
To disable IPv6 on the client computer:
Open a browser on a client computer, navigate to Internet Protocol Version 6 (TCP/IPv6) in Internet settings, and then clear the check box.
Click OK.
To add a client computer to an AD domain:
Go to System Properties, and on the Computer Name tab, click Change.
On the Computer Name/Domain Changes window that appears, select Domain and type the name of the domain that the client computer belongs to.
Click OK, and then type and confirm the user name and password of the administrator.
Restart the client computer, and then log on to the computer using the domain user account credentials.
To enable automatic authentication in IE:
Open Internet Explorer on a client computer, and then go to the Security tab in Internet settings.
Click Custom Level and go to User Authentication in the Settings area.
Click Automatic logon only in Intranet zone and click OK.
Go to the Advanced tab, and then check whether Enable Integrated Windows Authentication* is selected. If not, select the check box and click OK.
To enable automatic authentication in Firefox:
Open Firefox on a client computer and type "about:config" in the address field.
Locate network.negotiate-auth.trusted-uris and double-click it.
On the screen that appears, type the hostname of the on-premises gateway, and then click OK.
You can type the hostnames of several on-premises gateways, separating them with commas. To include all the on-premises gateways that support Kerberos authentication in the AD domain, type the AD domain name starting with a dot, for example, .example.com.
To configure the proxy server for the client computer:
Open a browser on a client computer, and then navigate to Local Area Network settings in Internet settings.
Select to use a proxy server, and then type the FQDN of the on-premises gateway in the Address text box.
Setting the IP address of the on-premises gateway here instead of its FQDN will cause the authentication negotiation to downgrade to NTLM.
Click OK, and then click OK.
Ensure that the AD service works properly on the AD server.
hostname is the host name created in the DNS record for the on-premises gateway on this AD domain.
One AD user can be associated with multiple SPNs for different on-premises gateways or AD domains by running this command multiple times.
Trend Micro strongly recommends not associating one SPN with multiple AD users, because duplicate SPNs cause Kerberos authentication to fail. The user authentication method is then automatically switched to NTLM.
The keytab file named tmws.keytab is successfully generated.
By default, the keytab file is stored under C:\Users\Administrator. You can also specify a different path for the file.
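The three conditions this procedure depends on (the gateway's DNS record resolving through the AD server, the SPN being held by exactly one AD account, and the client proxy being set by FQDN rather than IP address) can be verified from a domain-joined client with the RSAT ActiveDirectory module. The following script is an added example and is not part of the TMWS documentation; the gateway FQDN and DNS server address are constructed sample values, and the SPN form HTTP/<gateway FQDN> is an assumption that should be replaced with the SPN actually used when generating tmws.keytab.

```powershell
# Added example (not from the TMWS documentation). Assumes: the gateway FQDN,
# the AD DNS server address, and an SPN of the form HTTP/<fqdn>; verify the
# exact SPN against the ktpass command used to generate tmws.keytab.
# Requires the ActiveDirectory module (RSAT) on a domain-joined client.
param(
    [string]$GatewayFqdn = 'tmws-gw.example.com',   # constructed sample value
    [string]$AdDnsServer = '10.0.0.10',             # constructed sample value
    [string]$Spn         = "HTTP/$GatewayFqdn"      # assumed SPN format
)
Import-Module ActiveDirectory

# 1. The host record added on the AD DNS server must resolve from that server.
$dns = Resolve-DnsName -Name $GatewayFqdn -Type A -Server $AdDnsServer -ErrorAction SilentlyContinue
if ($dns) { Write-Host "OK   DNS: $GatewayFqdn -> $($dns.IPAddress -join ', ')" }
else      { Write-Warning "DNS: no A record for $GatewayFqdn on $AdDnsServer" }

# 2. Exactly one AD account may hold the SPN. A duplicate SPN makes Kerberos
#    fail and the gateway silently falls back to NTLM.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "SPN: $Spn is not registered to any AD account" }
    1       { Write-Host "OK   SPN: $Spn -> $($holders[0].DistinguishedName)" }
    default { Write-Warning "SPN: $Spn is held by $($holders.Count) accounts: $($holders.Name -join ', ')" }
}

# 3. The client proxy must be the gateway FQDN; an IP address here downgrades
#    the negotiation to NTLM. Read the current user's Internet Settings.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) {
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    $proxyHost = ($ie.ProxyServer -split ';')[0] -replace '^[a-z]+=', '' -replace ':\d+$', ''
    if ($proxyHost -match '^\d{1,3}(\.\d{1,3}){3}$') {
        Write-Warning "Proxy: set to IP address $proxyHost; use $GatewayFqdn to keep Kerberos"
    } else { Write-Host "OK   Proxy: $proxyHost" }
} else { Write-Warning "Proxy: no proxy server is enabled for the current user" }
```

Run it after the ktpass step and before testing a browser logon; a warning on any of the three checks explains an unexpected NTLM fallback before it shows up in the gateway's authentication logs.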