Kerberos authentication

Read this first! Do you intend to enable InsightVM Platform Login?

InsightVM Platform Login is a newer, consolidated InsightVM product experience that permanently shifts authentication responsibility from the Security Console to the Insight Platform. Security Console-based authentication sources like the one detailed on this page are not usable with InsightVM Platform Login.

If you intend to enable InsightVM Platform Login soon for your user account, feel free to skip the procedure detailed on this page and head over to the InsightVM Platform Login documentation for enablement instructions and information on what external authentication sources the Insight Platform supports.

NOTE

The Security Console does not currently support "Round Robin" Kerberos configurations.

Complete the following steps to configure a Kerberos integration as an external authentication source.

Define an external authentication source

  1. On the Administration page, click Console > Authentication: 2FA and SSO.
  2. On the Security Console Configuration screen, click the Authentication tab.
  3. Under Kerberos Authentication Source Listing, click the Add Kerberos Source button.
  4. Click the Enable authentication source checkbox.
  5. Click the Default realm checkbox.
  6. Enter the name of the Kerberos realm.
  7. Enter the name of the key distribution center.
  8. Click Save.

The Authentication tab will now list your new Kerberos authentication source.

  9. Finally, click Save on the Security Console Configuration screen to finalize your authentication sources.

Create user accounts

With your external authentication source defined, you can now create accounts for your users.

  1. Click the Administration tab.
  2. Click Manage users under the Users section.
  3. Click Add User.
  4. Complete all fields as required.

For more information about creating user accounts, read our Managing users and authentication docs.

NOTE

Password fields are disabled when external authentication sources are selected. The Security Console does not control or allow password changes for users authenticated by external sources.

Manually setting Kerberos encryption types

You can secure connections to the Kerberos source by specifying ticket encryption types for the connection to use.

  1. Using a text editor, create a text file named kerberos.properties.
  2. Add the following line to the file:
     default_tkt_enctypes=
  3. Append this line with one or more encryption types as desired. Separate multiple types with a space. Example:
     default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

Choose from any of the following encryption types:

  • des-cbc-md5
  • des-cbc-crc
  • des3-cbc-sha1
  • rc4-hmac
  • arcfour-hmac
  • arcfour-hmac-md5
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96
  • gssapi
  • gss-spnego

  4. When finished, save the file in the <install_dir>/nsc/conf directory. The changes will be applied when the Security Console restarts.
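
A pre-deployment check for the kerberos.properties file described above, as an added example that is not part of the original documentation or the product. It rejects values outside the list on this page and values not separated by spaces. Flagging the DES, 3DES and RC4 types as weak is an assumption added here (they are deprecated for Kerberos by RFC 6649 and RFC 8429); the function name and sample inputs are constructed.

```python
# Encryption types this page lists as valid values.
ALLOWED = {
    "des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1", "rc4-hmac",
    "arcfour-hmac", "arcfour-hmac-md5",
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
    "gssapi", "gss-spnego",
}
# Assumption, not from the page: DES, 3DES and RC4 types are flagged as weak
# (deprecated for Kerberos by RFC 6649 and RFC 8429).
WEAK = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1",
        "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
KEY = "default_tkt_enctypes"


def check_enctypes(text):
    """Lint kerberos.properties content; return (enctypes, findings)."""
    enctypes, findings, seen = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != KEY:
            continue
        if seen:
            findings.append(f"line {n}: duplicate {KEY} entry")
        seen = True
        enctypes = value.split()          # page: separate types with a space
        if not enctypes:
            findings.append(f"line {n}: no encryption types set")
        for t in enctypes:
            if t not in ALLOWED:
                findings.append(f"line {n}: unknown type {t!r}")
            elif t in WEAK:
                findings.append(f"line {n}: weak type {t!r}")
    if not seen:
        findings.append(f"{KEY} not found")
    return enctypes, findings


# Constructed sample inputs: the page's example line, and a faulty variant.
GOOD = "default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n"
BAD = ("# constructed sample\n"
       "default_tkt_enctypes=rc4-hmac aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        types, issues = check_enctypes(sample)
        print(name, types, issues or "ok")
```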