Configuring domain authentication by using NTLM and Kerberos protocols [KSC for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

The article is giving a working configuration instructions for domain authentication by using NTLM and Kerberos protocols.

NOTE: Domain authentication in OpenAPI over Kerberos protocol has the following restrictions:

1. Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for domain account name.
   • In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>.
2. Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory by using Kerberos protocol. 
3. Kerberos authentication should be allowed in web-browser. For details, refer to documentation of used web-browser.

Details

SPN - Service Principal Name

Log in Domain Controller as Domain administrator.

• Open powershell as admin and run the following commands:

Powershell

setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service   setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service

Example

setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc   setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc   setspn.exe -L -u sales\ksc #command for check spn records   #Response   Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:           HTTP/kscw-node-1.sales.lab           HTTP/kscw-node-2.sales.lab

Enable Kerberos/NTLM authentication in web browsers

• Microsoft Edge \  Internet Explorer

1. win + r => inetcpl.cpl
2. Activate the Security tab.
3. Select Local intranet and click Sites.
4. In the opened dialog box click Advanced.
5. Add the host name of Adaxes Web interface (e.g. host.company.com).
6. Click Close and then click OK.
7. Click Custom level.
8. Navigate to Scripting and enable Active scripting.
9. Navigate to User Authentication \ Logon.
10. Select Automatic logon only in Intranet zone and click OK.
11. Activate the Advanced tab.
12. In the Settings list, navigate to the Security section.
13. Select Enable Integrated Windows Authentication and click OK.

 

• Mozilla Firefox - https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication

1. Launch Mozilla Firefox
2. In the URL window, enter about:config and press Enter.
3. In the filter text box, enter network.negotiate.
4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of Adaxes Web interface (e.g. host.company.com).
5. Repeat previous step for the network.negotiate-auth.delegation-uris option.

 

• Google Chrome

1.  Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry
2.  Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry

[Samdy Prum]

Hi Antipova Anna,

Did we need to configure it in Kaspersky Security Center also or just run Powershell on DC to requester KCS service for the user and SPN?

[Antipova Anna]

Hello Samdy Prum!

No action needs to be taken on the KSC itself.

 

[Samdy Prum]

Hi Antipova Anna,

Thank now I understand.
But do we need to allow a group of users the right permission to SSO login to the KSC Web Console? Is it possible?

[Samdy Prum]

Hi Antipova Anna,
Seem it works for me now.
Thank you!

 

- Samdy.