
Configuring domain authentication by using NTLM and Kerberos protocols [KSC for Windows]



Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article gives working configuration instructions for domain authentication using the NTLM and Kerberos protocols.

NOTE: Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:

  1. The Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for the domain account name.
    • In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, whose service runs under the name of the domain user <domain-user>.
  2. The Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory by using the Kerberos protocol.
  3. Kerberos authentication should be allowed in the web browser. For details, refer to the documentation of the web browser used.

Details

SPN - Service Principal Name

Log in to the Domain Controller as a Domain administrator.

  • Open PowerShell as admin and run the following commands:

setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service

Example

setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc

setspn.exe -L -u sales\ksc   # command to check the SPN records

# Response
Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:
        HTTP/kscw-node-1.sales.lab
        HTTP/kscw-node-2.sales.lab

Enable Kerberos/NTLM authentication in web browsers

  • Microsoft Edge \ Internet Explorer
  1. Press Win + R and run inetcpl.cpl.
  2. Activate the Security tab.
  3. Select Local intranet and click Sites.
  4. In the opened dialog box click Advanced.
  5. Add the host name of Adaxes Web interface (e.g. host.company.com).
  6. Click Close and then click OK.
  7. Click Custom level.
  8. Navigate to Scripting and enable Active scripting.
  9. Navigate to User Authentication \ Logon.
  10. Select Automatic logon only in Intranet zone and click OK.
  11. Activate the Advanced tab.
  12. In the Settings list, navigate to the Security section.
  13. Select Enable Integrated Windows Authentication and click OK.

 

  1. Launch Mozilla Firefox
  2. In the URL window, enter about:config and press Enter.
  3. In the filter text box, enter network.negotiate.
  4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of Adaxes Web interface (e.g. host.company.com).
  5. Repeat the previous step for the network.negotiate-auth.delegation-uris option.

 

  • Google Chrome
  1. Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry.
  2. Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry.
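
As a check for restriction 1 in the post above (the Administration Server address must exactly match a registered SPN), this added PowerShell example, which is not part of the original post or of Kaspersky's tooling, compares candidate addresses with the SPNs listed by setspn.exe -L. The function names and the last three test addresses are hypothetical; the sample output is constructed from the post's own response.

```powershell
# Added example. Sample data is constructed from the post's "setspn.exe -L" response;
# on a live system, pass the real output: $out = setspn.exe -L -u sales\ksc
$sampleOutput = @(
    'Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:'
    '        HTTP/kscw-node-1.sales.lab'
    '        HTTP/kscw-node-2.sales.lab'
)

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # The header line starts at column 0; each SPN line is indented.
    $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+\s*$' } |
        ForEach-Object { $_.Trim() }
}

function Test-KscSpnMatch {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,    # address the user will type
        [Parameter(Mandatory)][string[]]$SetSpnOutput,   # lines printed by setspn.exe -L
        [string]$ServiceClass = 'HTTP'                   # service class used in the post
    )
    $spns   = @(Get-RegisteredSpn -SetSpnOutput $SetSpnOutput)
    $wanted = "$ServiceClass/$ServerAddress"
    $ip     = $null
    if ($spns -contains $wanted) {                       # -contains ignores case
        $reason = 'exact match'
    } elseif ([System.Net.IPAddress]::TryParse($ServerAddress, [ref]$ip)) {
        $reason = 'IP address used; the SPNs are registered for host names'
    } elseif ($spns | Where-Object { $_ -like "${wanted}.*" }) {
        $reason = 'short name used; an SPN exists only for the FQDN'
    } else {
        $reason = 'no SPN registered for this address'
    }
    [pscustomobject]@{
        Address = $ServerAddress
        Wanted  = $wanted
        Match   = ($reason -eq 'exact match')
        Reason  = $reason
    }
}

# First two addresses come from the post's example; the last three are hypothetical.
'kscw-node-1.sales.lab', 'KSCW-NODE-2.sales.lab', 'kscw-node-1', '10.0.0.15', 'ksc.sales.lab' |
    ForEach-Object { Test-KscSpnMatch -ServerAddress $_ -SetSpnOutput $sampleOutput } |
    Format-Table -AutoSize
```

Only the first two addresses report Match = True; the short name, the IP address and the unregistered alias each come back with the reason they fail the exact-match requirement.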
  • 2 months later...
Samdy Prum
Posted

Hi Antipova Anna,

Do we need to configure it in Kaspersky Security Center also, or just run PowerShell on the DC to register the KSC service for the user and SPN?

Antipova Anna
Posted

Hello Samdy Prum!

No action needs to be taken on the KSC itself.

 

Samdy Prum
Posted

Hi Antipova Anna,

Thanks, now I understand.
But do we need to grant a group of users the right permission for SSO login to the KSC Web Console? Is it possible?

Samdy Prum
Posted

Hi Antipova Anna,
It seems to work for me now.
Thank you!

 

- Samdy.
