Authentication and connection to a domain controller when polling a domain
When polling a domain controller, Administration Server or a distribution point identifies the connection protocol to establish initial connection to the domain controller. This protocol is used for all future connections to the domain controller.
The initial connection to a domain controller proceeds as follows:
By default, certificate verification is not required. Set the KLNAG_LDAP_TLS_REQCERT
flag to 1 to enforce certificate verification.
Possible values of the KLNAG_LDAP_TLS_REQCERT_AUTH
flag:
0
—The certificate is requested, but if it is not provided or the certificate verification failed, then the TLS connection is still considered successfully created (default value).1
—Strict verification of the LDAP server certificate is required.By default, the OS-dependent path to the certificate authority (CA) is used to access the certificate chain. Use the KLNAG_LDAP_SSL_CACERT
flag to specify a custom path.
Authentication and connection to a domain controller when authenticating a domain user to Administration Server
When a domain user authenticates on Administration Server, Administration Server identifies the protocol to establish connection to the domain controller.
The connection to a domain controller proceeds as follows:
By default, certificate verification is required. Use the KLNAG_LDAP_TLS_REQCERT_AUTH
flag to configure certificate verification.
Possible values of the KLNAG_LDAP_TLS_REQCERT_AUTH
flag:
0
—The certificate is requested, but if it is not provided or the certificate verification failed, then the TLS connection is still considered successfully created.1
—Strict verification of the LDAP server certificate is required (default value).By default, the OS-dependent path to the certificate authority (CA) is used to access the certificate chain. Use the KLNAG_LDAP_SSL_CACERT
flag to specify a custom path.
Configuring flags
You can use the klscflag utility to configure flags.
Run the command line, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.
For example, the following command enforces certificate verification:
klscflag -fset -pv klserver -n KLNAG_LDAP_TLS_REQCERT -t d -v 1