
Configuring Active Directory for Authentication

Endpoint Security Strong Authentication uses the Kerberos network authentication protocol. To configure this service, run ktpass.exe from C:\Windows\System32 on the Active Directory Server.

To prepare the Active Directory Server for authentication:

  1. Run ktpass.exe
  2. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
  3. Create a domain user and clear the User must change password at next logon option.
  4. Run this command to map a service to a user:

    Syntax (ktpass parameters are prefixed with a slash):
    ktpass /princ ServiceName/realm@REALM /mapuser <userName>@REALM /pass <userPass> /out <name of outFile>

    Example:

    ktpass /princ tst/nac1.com@NAC1.COM /mapuser auth-user@NAC1.COM /pass 123456 /out outfile.keytab

    Where:

    ServiceName = tst

    realm (domain name) = NAC1.COM (it appears twice in the princ parameter: first in lower case as the host part of the service principal, then in upper case as the Kerberos realm)

    userName = auth-user (the domain user created in step 3)

    userPass = 123456 (the password of the domain user created in step 3)

    name of outFile = outfile.keytab (the keytab file that stores the service key; protect it like a password)

  5. Save the console output to a text file and note the key version number (vno) and encryption type (etype) it reports.

    Sample output:

    Targeting domain controller: nac1-dc.nac1.com

    Successfully mapped tst/nac1.com to auth-user.

    WARNING: pType and account type do not match. This might cause problems.

    Key created.

    Output keytab to outfile.log:

    Keytab version: 0x502

    keysize 74 tst/nac1.com@NAC1.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x32ed87bdb5fdc5e9cba88547376818d4)

    Important - We recommend that you do not use DES-based encryption for the Active Directory Domain Controller server, as it is not secure. If you choose to use DES encryption and your environment has Windows 7 clients, see sk64300.

    Notes -

    • Make sure that the clocks of all Endpoint Security servers and the Kerberos server are within 5 minutes of each other. If an Endpoint Security server and the Kerberos server differ by more than 5 minutes, a runtime exception is shown and AD authentication fails.
      • On Gaia - Use NTP or a similar service.
      • On Windows - Use Windows Time Service Tools or a similar service.
    • To use Capsule Docs with Single Sign-on, disable User Access Control on Windows Active Directory Servers.
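Step 5 asks you to record the vno and etype from the ktpass console output. The following Python script is an added example, not Check Point's or Microsoft's code: it reads the keytab file itself (the MIT keytab v2 format, magic 0x0502, which is what ktpass reports as "Keytab version: 0x502"), prints each entry's principal, vno and etype, and flags DES or RC4-HMAC keys so you can confirm what was actually written before copying the file to the Endpoint Security server. The sample keytab embedded below is constructed in the script; it reuses the principal, vno and RC4 key from the sample output above, plus a second, hypothetical AES256 entry. The etype numbers come from RFC 3961, RFC 3962 and RFC 4757.

```python
"""Parse an MIT-format keytab (v2, as written by ktpass) and flag weak key types."""
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / RFC 3962 / RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ETYPES = {1, 3, 23}  # DES variants and RC4-HMAC (etype 0x17 in the sample output)


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # ktpass "ptype", e.g. 0 = KRB5_NT_UNKNOWN
    timestamp: int
    vno: int         # key version number
    etype: int
    key: bytes


def _read_counted(buf: bytes, off: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes):
    """Return the entries of a v2 keytab. Raises ValueError on an unknown version."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:      # optional 32-bit vno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, vno, etype, key))
    return entries


def audit_keytab(data: bytes):
    """Return one warning string per entry whose key type is DES or RC4."""
    findings = []
    for e in parse_keytab(data):
        label = ETYPE_NAMES.get(e.etype, "etype %d" % e.etype)
        if e.etype in WEAK_ETYPES:
            findings.append("%s vno %d: weak enctype %s" % (e.principal, e.vno, label))
    return findings


def build_entry(principal: str, vno: int, etype: int, key: bytes,
                name_type: int = 1, timestamp: int = 0) -> bytes:
    """Serialize one keytab entry (used here only to construct the sample file)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: the RC4 entry mirrors the page's sample output
# (ptype 0, vno 7, etype 0x17, 16-byte key); the AES256 entry is hypothetical.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("tst/nac1.com@NAC1.COM", 7, 23,
                  bytes.fromhex("32ed87bdb5fdc5e9cba88547376818d4"), name_type=0)
    + build_entry("tst/nac1.com@NAC1.COM", 8, 18, b"\x11" * 32, name_type=0)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s ptype %d vno %d etype %d (%s) keylength %d"
              % (e.principal, e.name_type, e.vno, e.etype,
                 ETYPE_NAMES.get(e.etype, "?"), len(e.key)))
    for warning in audit_keytab(SAMPLE_KEYTAB):
        print("WARNING:", warning)
```

Run it against a real file with `parse_keytab(open("outfile.keytab", "rb").read())`. If the audit reports RC4 or DES, regenerate the keytab: ktpass selects the key type with its /crypto parameter (for example AES256-SHA1), and the resulting etype should then show as 18 (0x12) here and in the ktpass console output.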