Jump to content

Configuring domain authentication by using NTLM and Kerberos protocols [KSC for Windows]

Recommended Posts

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

The article is giving a working configuration instructions for domain authentication by using NTLM and Kerberos protocols.

NOTE: Domain authentication in OpenAPI over Kerberos protocol has the following restrictions:

  1. Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for domain account name.
    • In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>.
  2. Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory by using Kerberos protocol. 
  3. Kerberos authentication should be allowed in web-browser. For details, refer to documentation of used web-browser.


SPN - Service Principal Name

Log in Domain Controller as Domain administrator.

  • Open powershell as admin and run the following commands:
setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service
setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc
setspn.exe -L -u sales\ksc #command for check spn records
Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:

Enable Kerberos/NTLM authentication in web browsers

  • Microsoft Edge \  Internet Explorer
  1. win + r => inetcpl.cpl
  2. Activate the Security tab.
  3. Select Local intranet and click Sites.
  4. In the opened dialog box click Advanced.
  5. Add the host name of Adaxes Web interface (e.g. host.company.com).
  6. Click Close and then click OK.
  7. Click Custom level.
  8. Navigate to Scripting and enable Active scripting.
  9. Navigate to User Authentication \ Logon.
  10. Select Automatic logon only in Intranet zone and click OK.
  11. Activate the Advanced tab.
  12. In the Settings list, navigate to the Security section.
  13. Select Enable Integrated Windows Authentication and click OK.


  1. Launch Mozilla Firefox
  2. In the URL window, enter about:config and press Enter.
  3. In the filter text box, enter network.negotiate.
  4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of Adaxes Web interface (e.g. host.company.com).
  5. Repeat previous step for the network.negotiate-auth.delegation-uris option.


  • Google Chrome
  1.  Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry
  2.  Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry
Link to comment
Share on other sites

  • 2 months later...

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now

  • Create New...