Configuring Kerberos domain authentication


Kaspersky Security Center Linux enables you to use domain authentication over the Kerberos protocol. Domain authentication allows you to enable secure authentication in Kaspersky Security Center Web Console without having to re-enter the password on the corporate network (single sign-on).

You must first configure your domain controller to use Kerberos and generate a keytab file. For more information, refer to the documentation for your domain controller.

Generating a keytab file for FreeIPA and AldPro

To generate a keytab file:

  1. Create a user account to be used by IAM to access the domain controller.
  2. If the Administration Server is outside the FreeIPA/AldPro domain, add the DNS record entry and the host entry:

    ipa dnsrecord-add <zoneName> <recordName> --a-rec <Administration Server IP address>

    ipa host-add --password=<password> <Administration Server host address>

  3. Specify the PAC type when creating the HTTP service for the Administration Server:

    ipa service-add HTTP/<Administration Server host FQDN>@<DOMAIN WRITTEN IN CAPITAL LETTERS> --ok-to-auth-as-delegate=true --pac-type PAD

  4. Specify the user account for authentication:

    ipa service-allow-retrieve-keytab HTTP/<Administration Server host address>@<DOMAIN WRITTEN IN CAPITAL LETTERS> --user=<user>

  5. Export the keytab file:

    ipa-getkeytab -s <domain controller address> -p HTTP/<Administration Server host address>@<DOMAIN WRITTEN IN CAPITAL LETTERS> -k /tmp/h.keytab

Generating a keytab file for Microsoft Active Directory

To generate a keytab file:

  1. Create a user account to be used by IAM to communicate with the domain controller.
  2. Enable the following options for the user account:
    • User cannot change password
    • Kerberos AES 256-bit encryption

    You can enable the Password never expires option to avoid reissuing the keytab file each time the password expires.

  3. Add a Service Principal Name (SPN) to the user account:

    setspn -S HTTP/<Administration Server host FQDN> <DOMAIN WRITTEN IN CAPITAL LETTERS>\<user>

  4. Export the keytab file:

    ktpass -out C:\<folder>\<keytab file name> -princ HTTP/<Administration Server host FQDN>@<DOMAIN WRITTEN IN CAPITAL LETTERS> -mapuser <DOMAIN WRITTEN IN CAPITAL LETTERS>\<user> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass <user password> -mapop set

Generating a keytab file for Samba

To generate a keytab file:

  1. Create a user account to be used by IAM to communicate with the domain controller:

    samba-tool user add <user>

  2. Add the SPN to the user account:

    samba-tool spn add HTTP/<Administration Server host FQDN> <user>

  3. Export the keytab file:

    samba-tool domain exportkeytab /tmp/file.keytab --principal=HTTP/<Administration Server host FQDN>
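Each of the three procedures above (FreeIPA/AldPro, Microsoft Active Directory, Samba) ends with a keytab file that is later uploaded to Kaspersky Security Center Web Console, and the most common failures at that point are a keytab issued for the wrong principal, a keytab without an AES-256 key, or one that carries a stale key version. The script below is an added example, not part of this documentation or of Kaspersky Security Center: it parses the MIT keytab file format (version 0x0502, which ipa-getkeytab, ktpass and samba-tool all write) and reports whether the file holds the expected HTTP/<Administration Server host FQDN>@REALM entry with an AES-256 key and no weak encryption types. The host name ksc.example.com, the realm EXAMPLE.COM and the key bytes are constructed sample values; the `build_keytab` helper exists only to fabricate those samples.

```python
"""Offline sanity check of an exported Kerberos keytab (added example)."""
import struct
from typing import List, NamedTuple

# Kerberos encryption type numbers (RFC 3961 / RFC 3962 / RFC 8009).
AES128_SHA1, AES256_SHA1, AES256_SHA2, RC4_HMAC = 17, 18, 20, 23
AES256 = {AES256_SHA1, AES256_SHA2}
WEAK = {1, 3, RC4_HMAC}          # des-cbc-crc, des-cbc-md5, rc4-hmac
KRB5_NT_PRINCIPAL = 1            # the name type ktpass -ptype KRB5_NT_PRINCIPAL sets


class KeytabEntry(NamedTuple):
    principal: str               # "HTTP/host.fqdn@REALM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string; return (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def _pack_counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialise entries in the 0x0502 layout (only used to construct samples)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
        body += b"".join(_pack_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _pack_counted(e.key)
        body += struct.pack(">I", e.kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:            # newer writers append a 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
    return entries


def check_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Return a list of problems; an empty list means the file is fit to upload."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e.principal == expected_principal]
    if not mine:
        found = ", ".join(sorted({e.principal for e in entries})) or "nothing"
        return [f"no entry for {expected_principal}; found {found}"]
    problems = []
    if not any(e.enctype in AES256 for e in mine):
        problems.append("no AES-256 key (enctype 18 or 20); re-export with AES enabled")
    problems += [f"weak enctype {e.enctype} present" for e in mine if e.enctype in WEAK]
    if len({e.kvno for e in mine}) > 1:
        problems.append("mixed kvno values; keytab is stale or was merged incorrectly")
    return problems


# Constructed samples (dummy keys): the HTTP principal the Administration
# Server needs, with AES-256 and AES-128 keys at kvno 3 ...
SERVICE_PRINCIPAL = "HTTP/ksc.example.com@EXAMPLE.COM"
GOOD_KEYTAB = build_keytab([
    KeytabEntry(SERVICE_PRINCIPAL, KRB5_NT_PRINCIPAL, 3, AES256_SHA1, bytes(range(32))),
    KeytabEntry(SERVICE_PRINCIPAL, KRB5_NT_PRINCIPAL, 3, AES128_SHA1, bytes(range(16))),
])
# ... and a typical mistake: exported for the host/ SPN instead of HTTP/, RC4 only.
BAD_KEYTAB = build_keytab([
    KeytabEntry("host/ksc.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 3, RC4_HMAC, bytes(16)),
])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(label, check_keytab(kt, SERVICE_PRINCIPAL) or "OK")
```

To check a real export, read the file into bytes and call `check_keytab(data, "HTTP/<Administration Server host FQDN>@<DOMAIN WRITTEN IN CAPITAL LETTERS>")`; on a host with Kerberos client tools installed, `klist -kt <file>` lists the same principals, kvnos and encryption types for comparison.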

Enabling Kerberos domain authentication

To enable Kerberos domain authentication:

  1. Perform domain controller polling.
  2. In the main menu, go to Settings → Single sign-on.
  3. Enable the Kerberos authentication option.
  4. Upload the keytab file.
  5. Assign a role to domain users that gives access to Kaspersky Security Center Web Console.

    Kerberos domain authentication is enabled for domain users.
