Kerberos authentication

Read this first! Do you intend to enable InsightVM Platform Login?

InsightVM Platform Login is a newer, consolidated InsightVM product experience that permanently shifts authentication responsibility from the Security Console to the Insight Platform. Security Console-based authentication sources like the one detailed on this page are not usable with InsightVM Platform Login.

If you intend to enable InsightVM Platform Login soon for your user account, feel free to skip the procedure detailed on this page and head over to the InsightVM Platform Login documentation for enablement instructions and information on what external authentication sources the Insight Platform supports.

NOTE

The Security Console does not currently support "Round Robin" Kerberos configurations.

Complete the following steps to configure a Kerberos integration as an external authentication source.

Define an external authentication source

  1. Click the Administration tab.
  2. In the “Global and Console Settings” window, click Administer.
  3. On the “Security Console Configuration” screen, click the Authentication tab.
  4. Under “Kerberos Authentication Source Listing”, click the Add Kerberos Source button.
  5. Click the Enable authentication source checkbox.
  6. Click the Default realm checkbox.
  7. Enter the name of the Kerberos realm.
  8. Enter the name of the key distribution center.
  9. Click Save.

     The Authentication tab will now list your new Kerberos authentication source.
  10. Finally, click Save on the “Security Console Configuration” screen to finalize your authentication sources.

Create user accounts

With your external authentication source defined, you can now create accounts for your users.

  1. Click the Administration tab.
  2. In the “Users” window, click Create.
  3. On the “User Configuration” screen’s General tab, select your new authentication method from the dropdown list.
  4. Complete all fields as required.

NOTE

Password fields are disabled when external authentication sources are selected. The Security Console does not control, or allow for, password changes for users authenticated by external sources.

  5. Click Save when finished.

Manually setting Kerberos encryption types

You can secure connections to the Kerberos source by specifying ticket encryption types for the connection to use.

  1. Using a text editor, create a text file named kerberos.properties.
  2. Add the following line to the file:
     default_tkt_enctypes=
  3. Append this line with one or more encryption types as desired. Separate multiple types with a space. Example:
     default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

Choose from any of the following encryption types:

  • des-cbc-md5
  • des-cbc-crc
  • des3-cbc-sha1
  • rc4-hmac
  • arcfour-hmac
  • arcfour-hmac-md5
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96
  • gssapi
  • gss-spnego
  4. When finished, save the file in the <install_dir>/nsc/conf directory. The changes will be applied when the Security Console restarts.
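
A pre-restart check for the file described above, as an added example that is not part of the product or its documentation: it parses the default_tkt_enctypes line and flags DES, 3DES and RC4 entries, which RFC 6649 and RFC 8429 deprecate. The function names parse_enctypes and audit are hypothetical, the sample files are constructed, and it assumes Java-properties parsing where a later duplicate key wins.

```python
# Added example: audit default_tkt_enctypes in kerberos.properties text.
KEY = "default_tkt_enctypes"
# DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1",
        "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
AES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# On the page's list, but not ciphers this check can grade.
UNGRADED = {"gssapi", "gss-spnego"}

def parse_enctypes(text):
    """Return the values of the last default_tkt_enctypes line, or None.
    Assumption: Java-properties style, where a later duplicate key wins."""
    found = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            found = value.lower().split()  # the page says: separate with a space
    return found

def audit(text):
    """Return (verdict, details) for the configured ticket enctypes."""
    enctypes = parse_enctypes(text)
    if enctypes is None:
        return "missing", {}
    if not enctypes:
        return "empty", {}
    known = WEAK | AES | UNGRADED
    details = {
        "weak": [e for e in enctypes if e in WEAK],
        "aes": [e for e in enctypes if e in AES],
        "unknown": [e for e in enctypes if e not in known],
    }
    if details["unknown"]:
        return "unknown-value", details  # typo or wrong separator
    if details["weak"]:
        return "weak", details
    return ("ok" if details["aes"] else "no-aes"), details

# Constructed sample files, not taken from a real console.
PAGE_EXAMPLE = "default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n"
MIXED = "# constructed\ndefault_tkt_enctypes=aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5\n"
COMMA = "default_tkt_enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96\n"

if __name__ == "__main__":
    for name, text in [("page", PAGE_EXAMPLE), ("mixed", MIXED), ("comma", COMMA)]:
        print(name, audit(text))
```

The comma-separated sample is reported as unknown-value because the whole string is read as a single name, which is the mistake the space-separator instruction guards against.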