Kerberos authentication

NOTE

The Security Console does not currently support "Round Robin" Kerberos configurations.

Complete the following steps to configure a Kerberos integration as an external authentication source.

Define an external authentication source

  1. Click the Administration tab.
  2. In the “Global and Console Settings” window, click Administer.
  3. On the “Security Console Configuration” screen, click the Authentication tab.
  4. Under “Kerberos Authentication Source Listing”, click the Add Kerberos Source button.
  5. Click the Enable authentication source checkbox.
  6. Click the Default realm checkbox.
  7. Enter the name of the Kerberos realm.
  8. Enter the name of the key distribution center.
  9. Click Save. The Authentication tab will now list your new Kerberos authentication source.
  10. Finally, click Save on the “Security Console Configuration” screen to finalize your authentication sources.

Create user accounts

With your external authentication source defined, you can now create accounts for your users.

  1. Click the Administration tab.
  2. In the “Users” window, click Create.
  3. On the “User Configuration” screen’s General tab, select your new authentication method from the dropdown list.
  4. Complete all fields as required.

NOTE

Password fields are disabled when external authentication sources are selected. The Security Console does not control, or allow for, password changes for users authenticated by external sources.

  5. Click Save when finished.

Manually setting Kerberos encryption types

You can secure connections to the Kerberos source by specifying ticket encryption types for the connection to use.

  1. Using a text editor, create a text file named kerberos.properties.
  2. Add the following line to the file:
     default_tkt_enctypes=
  3. Append one or more encryption types to this line as desired. Separate multiple types with a space. Example:
     default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

Choose from any of the following encryption types:

  • des-cbc-md5
  • des-cbc-crc
  • des3-cbc-sha1
  • rc4-hmac
  • arcfour-hmac
  • arcfour-hmac-md5
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96
  • gssapi
  • gss-spnego
  4. When finished, save the file in the <install_dir>/nsc/conf directory. The changes will be applied when the Security Console restarts.
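
The following Python check is an added example, not part of the product or its documentation. It parses the contents of kerberos.properties before the restart, confirms each type is on the list above, and flags the DES, 3DES and RC4 types that RFC 6649 and RFC 8429 deprecate for Kerberos. The function name lint_enctypes is hypothetical.

```python
# Added example: lint a kerberos.properties file before the console restart.
# SUPPORTED mirrors the list on this page; DEPRECATED marks the DES, 3DES and
# RC4 types deprecated for Kerberos by RFC 6649 and RFC 8429.
SUPPORTED = {
    "des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1", "rc4-hmac",
    "arcfour-hmac", "arcfour-hmac-md5", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha1-96", "gssapi", "gss-spnego",
}
DEPRECATED = {
    "des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}
KEY = "default_tkt_enctypes"


def lint_enctypes(text):
    """Return (enctypes, findings) for the contents of kerberos.properties."""
    enctypes, findings, seen_key = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # blank or comment line
            continue
        name, sep, value = line.partition("=")
        if not sep or name.strip() != KEY:
            continue
        if seen_key:
            findings.append(f"{KEY} is set more than once")
        seen_key = True
        enctypes = value.split()                       # space-separated list
        if "," in value:
            findings.append("comma found: separate types with a space")
    if not seen_key:
        findings.append(f"{KEY} is not set")
    elif not enctypes:
        findings.append(f"{KEY} is empty")
    for etype in enctypes:
        if etype not in SUPPORTED:
            findings.append(f"unknown type: {etype}")
        elif etype in DEPRECATED:
            findings.append(f"deprecated type: {etype}")
    return enctypes, findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real console.
    sample = "default_tkt_enctypes= aes256-cts-hmac-sha1-96 rc4-hmac\n"
    print(lint_enctypes(sample))
```

An empty findings list means every configured type is on the supported list and none is deprecated.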