Configuring domain authentication by using the NTLM and Kerberos protocols

April 17, 2023

ID 210700

Kaspersky Security Center 13.2 enables you to use domain authentication in OpenAPI by using the NTLM and Kerberos protocols. With domain authentication, a Windows user can authenticate securely in Kaspersky Security Center 13.2 Web Console without having to re-enter the password on the corporate network (single sign-on).

Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:

  • The user of Kaspersky Security Center 13.2 Web Console must be authenticated in Active Directory by using the Kerberos protocol. The user must have a valid Kerberos Ticket Granting Ticket (also referred to as a TGT). A TGT is issued automatically when you authenticate to the domain.
  • You must configure Kerberos authentication in the browser. For details, refer to the documentation of the browser you are using.

If you want to use domain authentication over the Kerberos protocol, your network must meet the following conditions:

  • Administration Server must run under a domain account.
  • Kaspersky Security Center Web Console Server must be installed on the same device where the Administration Server is installed.
  • You must specify the following Service Principal Names (SPNs) for the Administration Server account:
    • "http/<server.fqdn.name>"
    • "http/<server>"

    Here, <server> is the network name of the Administration Server device, and <server.fqdn.name> is the FQDN of the Administration Server device.

  • When connecting to the Administration Console or Kaspersky Security Center Web Console, the Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered. You can specify either <server.fqdn.name> or <server>.
  • For a password-free login, the browser process in which Kaspersky Security Center Web Console is open must run under a domain account.
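
The SPN, connection address and TGT conditions above can be checked from an elevated PowerShell session with the standard Windows tools `setspn` and `klist`. The script below is an added example, not part of the Kaspersky documentation. The account name, host names and connection address are assumed placeholders, and adding an SPN requires the right to modify the account's servicePrincipalName attribute.

```powershell
# Assumed placeholder values: replace all four with your own.
$Account = 'EXAMPLE\svc-ksc'        # domain account that runs Administration Server
$Server  = 'ksc01'                  # <server>: network name of the device
$Fqdn    = 'ksc01.example.com'      # <server.fqdn.name>: FQDN of the device
$Address = 'ksc01.example.com'      # address users enter when they connect

$required = @("http/$Fqdn", "http/$Server")

function Get-RegisteredSpn([string]$Acct) {
    # "setspn -L" prints one header line (contains spaces), then one indented
    # SPN per line. Keep only lines shaped like service/host.
    setspn -L $Acct |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^\S+/\S+$' }
}

# Add only the SPNs that are missing. "-S" also searches the domain and refuses
# to create a duplicate, which would break Kerberos ticket requests.
$have = @(Get-RegisteredSpn $Account)
foreach ($spn in $required) {
    if ($have -notcontains $spn) { setspn -S $spn $Account }
}

# Re-read the account and confirm both required SPNs are present.
$have = @(Get-RegisteredSpn $Account)
$missing = @($required | Where-Object { $have -notcontains $_ })
if ($missing.Count -gt 0) {
    throw ('SPNs not registered on {0}: {1}' -f $Account, ($missing -join ', '))
}

# The connection address must match one of the registered SPNs exactly.
if ($have -notcontains "http/$Address") {
    Write-Warning ('No SPN http/{0}; connect by using {1} or {2}.' -f $Address, $Fqdn, $Server)
}

# Run this part as the Web Console user: a TGT appears in klist as a
# krbtgt/<REALM> ticket in the current logon session.
if (-not (klist | Select-String -SimpleMatch 'krbtgt/')) {
    Write-Warning 'No krbtgt ticket in this logon session; sign in to the domain first.'
}
```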

Kerberos and NTLM protocols are only supported in OpenAPI for Kaspersky Security Center 13.2. They are not supported in OpenAPI for Kaspersky Security Center Linux.
