Configuring Kerberos authentication

You can create one keytab file and add to it the SPNs of all servers that have the application installed. This will enable users to complete authentication using their own domain accounts on all cluster nodes.

To configure Kerberos authentication on the proxy server:

1. In the application web interface, select the Settings → Built-in proxy server → Authentication section.
2. In the Kerberos field, click the Set up link.

   The Kerberos authentication settings window opens.

3. Set the toggle switch to Enabled.
4. Click Upload to upload a keytab file.

   If a keytab file was previously uploaded, to replace it you must click Replace.

   The file selection window opens.

5. Select the file and click Open.

   The keytab file will be uploaded.

6. If you want to check authentication requests for duplicates, turn on the Use replay cache toggle switch.

   Replay cache provides more reliable protection, but may reduce the performance of the application.

   Cache used in Kerberos technology to store records of user authentication requests. This mechanism helps protect the infrastructure against replay attacks. When employing these types of attacks, hackers record user traffic so that they can replay the user's previously sent messages and thereby successfully complete authentication on the proxy server. When using a replay cache, the authentication server detects the duplicate request and responds by sending an error message.

7. Click Save.

   If you changed the position of the Enabled or Use replay cache toggle switch, the proxy server will be restarted when the changes are saved. Traffic processing will be paused before the restart completes.

Kerberos authentication will be configured. The proxy server will process requests only from those users who complete the authentication procedure.

Page top