Print Download PDF Send Feedback

Previous

Next

Transparent Kerberos Authentication Configuration

The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for manual authentication.

Note -The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. The user does not see the Captive Portal.

SSO in Windows domains works with the Kerberos authentication protocol.

The Kerberos protocol is based on the concept of tickets, encrypted data packets issued by a trusted authority, Active Directory (AD). When a user logs in, the user authenticates to a domain controller that gives an initial ticket granting ticket (TGT). This ticket vouches for the user's identity.

In this solution, when an unidentified user is about to be redirected to the Captive Portal for identification:

  1. Captive Portal asks the browser for authentication.
  2. The browser shows a Kerberos ticket to the Captive Portal.
  3. Captive Portal sends the ticket to the gateway (the Identity Awareness Gateway).
  4. The gateway decrypts the ticket, extracts the user's identity, and publishes it to all Security Gateways with Identity Awareness.
  5. The authorized and identified user is redirected to the originally requested URL.
  6. If transparent automatic authentication fails (steps 2-5), the user is redirected to the Captive Portal for identification.

Transparent Kerberos Authentication uses the GSS-API Negotiation Mechanism (SPNEGO) internet standard to negotiate Kerberos. This mechanism works like the mechanism that Endpoint Identity Agents use to present the Kerberos ticket.

You can configure SSO Transparent Kerberos Authentication to work with HTTP and/or HTTPS connections. HTTP connections work transparently with SSO Transparent Kerberos Authentication at all times. HTTPS connections work transparently only if the Security Gateway has a signed .p12 certificate. If the Security Gateway does not have a certificate, the user sees, and must respond to, the certificate warning message before a connection is made.

For more about Kerberos SSO, we recommend the MIT Kerberos web site and the Microsoft TechNet Library.

Configuration Overview

Transparent Kerberos Authentication SSO configuration includes these steps. They are described in details in this section.

Where applicable, the procedures give instructions for both HTTP and HTTPS configuration.

Creating a New User Account

  1. In Active Directory, open Active Directory Users and Computers (Start->Run->dsa.msc)
  2. Add a new user account.

    You can choose any username and password. For example: a user account named ckpsso with the password qwe123!@# to the domain corp.acme.com.

  3. Clear User must change password at next logon and select Password Never Expires.

Mapping the User Account to a Kerberos Principal Name

Run the setspn utility to create a Kerberos principal name, used by the Security Gateway and the AD. A Kerberos principal name contains a service name (for the Security Gateway that browsers connect to) and the domain name (to which the service belongs).

setspn is a command line utility that is available for Windows Server 2000 and higher.

Installing setspn.exe

Install the correct setspn.exe version on the AD server. The setspn.exe utility is not installed by default in Windows 2003.

To get the correct executable:

On Windows 2003:

  1. Get the correct executable for your service pack from the Microsoft Support site before installation. It is part of the Windows 2003 support tools. For example, AD 2003 SP2 requires support tools for 2003 SP2.
  2. Download the support.cab and suptools.msi files to a new folder on your AD server.
  3. Run the suptools.msi.

If you use Active Directory with Windows Server 2008 and above, the setspn utility is installed on your server in the Windows\System32 folder. Run the command prompt as an Administrator.

Using setspn

Important - If you used the setspn utility before, with the same principal name, but with a different account, you must delete the different account or remove the association to the principal name.
To remove the association, run:
setspn -D HTTP/<captive_portal_full_dns_name> <old_account name>

If you do not do this, authentication will fail.

To use setspn:

  1. Open the command line (Start > Run > cmd).
  2. Run setspn with this syntax:

    For HTTP connections:

    > setspn -A HTTP/<captive_portal_full_dns_name> <username>

    For HTTPS connections:

    > setspn -A HTTPS/<captive_portal_full_dns_name> <username>

    Important - Make sure that you enter the command exactly as shown. All parameters are case sensitive.

    Example:

    > setspn -A HTTP/mycaptive.corp.acme.com ckpsso

    The AD is ready to support Kerberos authentication for the Security Gateway.

To see users associated with the principle name, run: setspn -Q HTTP*/*

Configuring an Account Unit

If you already have an Account Unit from the Identity Awareness First Time Configuration Wizard, use that unit. Do not do the first steps. Start with: "Click Active Directory SSO configuration and configure the values".

To configure an Account Unit:

  1. Add a new host to represent the AD domain controller: In SmartConsole, open the Object Explorer (Ctrl+E) and click New > Host.
  2. Enter a name and IP address for the AD object.
  3. Click OK.
  4. Add a new LDAP Account Unit:

    In the Object Explorer, click New > Server > LDAP Account Unit.

  5. In the General tab of the LDAP Account Unit:
    1. Enter a name.
    2. In Profile, select Microsoft_AD.
    3. In Domain, enter the domain name.

      Best Practice - Enter the domain for existing Account Units to use for Identity Awareness. If you enter a domain, it does not affect existing LDAP Account Units.

    4. Select CRL retrieval and User management.
  6. Click Active Directory SSO configuration and configure the values:
    1. Select Use Kerberos Single Sign On.
    2. Enter the domain name.
    3. Enter the account username you created in Creating a New User Account.
    4. Enter the account password for that user (the same password you configured for the account username in AD) and confirm it.
    5. Leave the default settings for Ticket encryption method.
    6. Click OK.
  7. In the Servers tab:
    1. Click Add and enter the LDAP Server properties.
    2. In Host, select the AD object you configured.
    3. In Login DN, enter the login DN of a predefined user (added in the AD) used for LDAP operations.
    4. Enter the LDAP user password and confirm it.
    5. In the Check Point Gateways are allowed to section, select Read data from this server.
    6. In the Encryption tab, select Use Encryption (SSL). Fetch the fingerprint and click OK.

      Note - LDAP over SSL is not supported by default. If you did not configure your domain controller to support LDAP over SSL, configure it, or make sure Use Encryption (SSL) is not selected.

  8. In the Objects Management tab:
    1. In Server to connect, select the AD object you configured.
    2. Click Fetch Branches to configure the branches in use.
    3. Set the number of entries supported.
  9. In the Authentication tab, select Default authentication scheme > Check Point Password.
  10. Click OK.

Enabling Transparent Kerberos Authentication

  1. Log in to SmartConsole.
  2. From the left Navigation Toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, go to the Identity Awareness page.
  5. Click Browser-Based Authentication > Settings.

    The Portal Settings window opens.

  6. In the Authentication Settings section, click Edit.
  7. Select Automatically authenticate users from machines in the domain.

    The Main URL field contains the URL (with IP address or Hostname) that is used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal.

  8. Click OK to close all windows.
  9. Install the Access Policy.

Browser Configuration

To work with Transparent Kerberos Authentication, it is necessary to configure your browser to trust Captive Portal URL. If the portal is working with HTTPS, you must also enter the URL in the Local Internet field using HTTPS.

Internet Explorer

It is not necessary to add the Captive Portal URL to Trusted Sites.

To configure Internet Explorer for Transparent Kerberos Authentication:

  1. Open Internet Explorer.
  2. Go to Internet Tools > Options > Security > Local intranet > Sites > Advanced.
  3. Enter the Captive Portal URL in the applicable and then click Add.

Google Chrome

If you have already configured Internet Explorer for Transparent Kerberos Authentication, that configuration also works with Chrome. Use this procedure only if you did not configure Internet Explorer for Transparent Kerberos Authentication.

To configure Google Chrome for Transparent Kerberos Authentication:

  1. Open Chrome.
  2. Click the menu (wrench) icon and select Settings.
  3. Click Show advanced settings.
  4. In the Network section, click Change Proxy Settings.
  5. In the Internet Properties window, go to Security > Local intranet > Sites > Advanced.
  6. Enter the Captive Portal URL in the applicable field.

Firefox

For Firefox, the Negotiate authentication option is disabled by default. To use Transparent Kerberos Authentication, you must enable this option.

To configure Firefox for Transparent Kerberos Authentication:

  1. Open Firefox.
  2. In the URL bar, enter about:config
  3. Search for the network.negotiate-auth.trusted-uris parameter.
  4. Set the value to the DNS name of the Captive Portal Security Gateway. You can enter multiple URLs by separating them with a comma.