Kerberos authentication


The Security Console does not currently support "Round Robin" Kerberos configurations.

Complete the following steps to configure a Kerberos integration as an external authentication source.

Define an external authentication source

  1. On the Administration page, go to Console > Authentication: 2FA and SSO.
  2. On the Security Console Configuration screen, click the Authentication tab.
  3. Under Kerberos Authentication Source Listing, click the Add Kerberos Source button.
  4. Click the Enable authentication source checkbox.
  5. Click the Default realm checkbox.
  6. Enter the name of the Kerberos realm.
  7. Enter the name of the key distribution center.
  8. Click Save.

The Authentication tab will now list your new Kerberos authentication source.

  9. Finally, click Save on the Security Console Configuration screen to finalize your authentication sources.

Create user accounts

With your external authentication source defined, you can now create accounts for your users.

  1. On the Administration page, click Users > User Management.
  2. Click Add User.
  3. Complete all fields as required.

For more information about creating user accounts, read our Managing users and authentication docs.


Password fields are disabled when external authentication sources are selected. The Security Console does not control, or allow for, password changes for users authenticated by external sources.

Manually setting Kerberos encryption types

You can secure connections to the Kerberos source by specifying ticket encryption types for the connection to use.

  1. Using a text editor, create a text file named
  2. Add the following line to the file:
  3. Append this line with one or more encryption types as desired. Separate multiple types with a space. Example:

     default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

Choose from any of the following encryption types:

  • des-cbc-md5
  • des-cbc-crc
  • des3-cbc-sha1
  • rc4-hmac
  • arcfour-hmac
  • arcfour-hmac-md5
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96
  • gssapi
  • gss-spnego

  4. When finished, save the file in the <install_dir>/nsc/conf directory. The changes will be applied when the Security Console restarts.
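
A check to run on the line before saving the file, added here as an example and not part of the original documentation or the product's own code: it parses `default_tkt_enctypes` lines and reports which of the listed types are single DES, 3DES or RC4, all deprecated for Kerberos by RFC 6649 and RFC 8429. The function name and the sample lines are constructed for illustration.

```python
import re

# Types from the list above that are deprecated for Kerberos:
# single DES by RFC 6649, 3DES and RC4 by RFC 8429.
WEAK = {
    "des-cbc-md5": "single DES, RFC 6649",
    "des-cbc-crc": "single DES, RFC 6649",
    "des3-cbc-sha1": "3DES, RFC 8429",
    "rc4-hmac": "RC4, RFC 8429",
    "arcfour-hmac": "RC4, RFC 8429",
    "arcfour-hmac-md5": "RC4, RFC 8429",
}
AES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
OTHER_LISTED = {"gssapi", "gss-spnego"}  # on the page's list, not classified here

# Anchored at line start, so a commented-out copy of the line is ignored.
LINE_RE = re.compile(r"^\s*default_tkt_enctypes\s*=(.*)$")


def audit_enctypes(text):
    """Classify every value on default_tkt_enctypes lines in text.

    Returns None when no such line exists, otherwise a dict with the keys
    'aes', 'weak' (name, reason pairs), 'other' and 'unknown'.
    """
    values = []
    found = False
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            found = True
            values.extend(match.group(1).split())
    if not found:
        return None
    report = {"aes": [], "weak": [], "other": [], "unknown": []}
    for name in dict.fromkeys(values):  # de-duplicate, keep order
        if name in WEAK:
            report["weak"].append((name, WEAK[name]))
        elif name in AES:
            report["aes"].append(name)
        elif name in OTHER_LISTED:
            report["other"].append(name)
        else:
            report["unknown"].append(name)  # typo or a type not on the list
    return report


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real console.
    print(audit_enctypes("default_tkt_enctypes= aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"))
    print(audit_enctypes("default_tkt_enctypes= rc4-hmac des-cbc-md5 aes256-cts-hmac-sha1-95"))
```

An empty `weak` list and an empty `unknown` list mean the line names only AES types or the two unclassified values from the list.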