
Active Directory Authentication

In This Section:

Endpoint Security Active Directory Authentication

Configuring Authentication

Configuring Active Directory for Authentication

Configuring Global Authentication

Strengthening the LDAP Communication

Troubleshooting Authentication in Server Logs

Troubleshooting Authentication in Client Logs

Endpoint Security Active Directory Authentication

When an Endpoint Security client connects to the Endpoint Security Management Server, an authentication process identifies the endpoint client and the user currently working on that computer.

The system can function in one of two modes: Unauthenticated mode, which is the default after installation, and Strong Authentication mode, in which the client proves its identity with a Kerberos ticket as shown below.

Figure: Authentication Process

The authentication process:

  1. The Endpoint Security client requests an authentication ticket (a Kerberos service ticket for the Endpoint Security service principal) from the Active Directory server.
  2. The Active Directory server sends the ticket to the client.
  3. The client presents the ticket to the Endpoint Security Management Server.
  4. The Endpoint Security Management Server validates the ticket and returns an acknowledgment of authentication.

The default behavior after Endpoint Security Management Server installation is Unauthenticated mode. Use this mode only while you evaluate Endpoint Security in a lab environment, and change to Strong Authentication just before moving to a production environment. Do not continue to work in Unauthenticated mode after moving to production in a live environment.

Important - If you use Active Directory Authentication, Full Disk Encryption and Media Encryption & Port Protection are only supported on endpoint computers that are part of Active Directory.

If you have endpoint computers in your environment that are not part of Active Directory, Full Disk Encryption and Media Encryption & Port Protection will not work on them.

Configuring Authentication

When you are ready to move to production and to set up Strong Authentication, follow this process. Do not set up authentication before you are ready to move to production, and do not leave your production environment without authentication.

To efficiently move to Strong Authentication:

  1. Configure the Active Directory for authentication.
  2. Configure the Authentication Settings.
  3. Install Policies.

    The server communicates to clients that they now work in Authenticated mode.

Configuring Active Directory for Authentication

Endpoint Security Strong Authentication uses the Kerberos network authentication protocol. The Endpoint Security service principal is mapped to an Active Directory account with ktpass.exe, which is in C:\Windows\System32 on a domain controller.

To prepare the Active Directory Server for authentication:

  1. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
  2. Create a domain user for Endpoint Security and clear the User must change password at next logon option. A plain domain user is enough; do not use a Domain Admin account for this.
  3. Run ktpass.exe from C:\Windows\System32 to map the Endpoint Security service principal to that user:

    Syntax:
    ktpass /princ ServiceName/realm@REALM /mapuser <userName>@REALM /pass <userPass> /ptype KRB5_NT_PRINCIPAL /out <name of outFile>

    Example:

    ktpass /princ tst/nac1.com@NAC1.COM /mapuser auth-user@NAC1.COM /pass 123456 /ptype KRB5_NT_PRINCIPAL /out outfile.keytab

    Where:

    ServiceName = tst

    realm (domain name) = NAC1.COM (in the /princ value: the first time in lower case and the second in upper case)

    userName = auth-user (the user created in step 2)

    userPass = 123456 (the password of the user created in step 2). ktpass resets the account password to this value, and for RC4-HMAC the Kerberos key is derived directly from the password, so in production use a long random password, not a sample value like 123456.

    /ptype KRB5_NT_PRINCIPAL = the principal type. Without it ktpass warns that pType and account type do not match.

    name of outFile = outfile.keytab = the keytab file. It contains the service key in the clear, so treat it like a password; this procedure does not upload it anywhere, so store it securely or delete it once the values are entered in SmartEndpoint.

  4. Save the console output to a text file. Note the key version number (vno) and encryption type (etype); both are entered in SmartEndpoint later.

    Sample output (from a command run without /ptype):

    Targeting domain controller: nac1-dc.nac1.com

    Successfully mapped tst/nac1.com to auth-user.

    WARNING: pType and account type do not match. This might cause problems.

    Key created.

    Output keytab to outfile.keytab:

    Keytab version: 0x502

    keysize 74 tst/nac1.com@NAC1.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x32ed87bdb5fdc5e9cba88547376818d4)

    The pType warning appears because no /ptype was given; with /ptype KRB5_NT_PRINCIPAL it does not appear and the last line shows ptype 1 (KRB5_NT_PRINCIPAL). The hex value in parentheses is the Kerberos key itself, so the saved text file is as sensitive as the keytab.

    Important - We recommend that you do not use DES-based encryption for the Active Directory Domain Controller server, as it is not secure. If you choose to use DES encryption and your environment has Windows 7 clients, see sk64300. RC4-HMAC (etype 0x17, shown above) is also a weak, password-derived key type; ktpass can generate an AES key with /crypto AES256-SHA1, but select it only if that etype is offered in the Ticket encryption method field in SmartEndpoint.

    Notes -

    • Make sure that the clocks of all Endpoint Security servers and the Kerberos server (the domain controller) are less than 5 minutes apart. Kerberos rejects tickets outside this skew: if an Endpoint Security server and the Kerberos server are more than 5 minutes apart, a runtime exception shows and AD authentication fails.
      • On Gaia - Use NTP or a similar service.
    • To use Capsule Docs with Single Sign-on, disable User Account Control (UAC) on Windows Active Directory Servers.
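The following added example (not Check Point code) reads a keytab such as the outfile.keytab written by the ktpass command above and prints, for each key it contains, the three values that are entered in SmartEndpoint in the next section: the principal name, the key version number (vno) and the encryption type (etype), flagging DES and RC4 keys as weak. It uses only the Python standard library and understands the version 0x502 keytab layout that ktpass writes. The sample keytab is constructed inside the script from the values in the ktpass output above (the timestamp and the trailing 32-bit vno field are assumptions); ETYPE_NAMES lists the standard Kerberos enctype numbers.

```python
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 4757), as ktpass prints them
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 16: "DES3-CBC-SHA1",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC", 24: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {1, 3, 23, 24}   # single DES and RC4 (the RC4 key is the NT hash of the password)
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}


def _counted(buf, pos):
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return the entries of a version 0x502 (MIT/Windows) keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed: a negative size marks a deleted slot
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)  # in v2 the realm is not counted here
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:                               # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "timestamp": timestamp,
            "vno": vno,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "etype %d" % etype),
            "weak": etype in WEAK_ETYPES,
            "key_len": len(key),       # the key bytes themselves are deliberately not returned
        })
    return entries


def smartendpoint_values(data):
    """One line per key with the values for Manage > Endpoint Authentication Settings."""
    lines = []
    for e in parse_keytab(data):
        warning = "  WEAK - do not use in production" if e["weak"] else ""
        lines.append("Principal %s  vno %d  etype 0x%02x (%s)%s" % (
            e["principal"], e["vno"], e["etype"], e["etype_name"], warning))
    return lines


def build_keytab(entries):
    """Write a 0x502 keytab from (principal, vno, etype, key, timestamp) tuples; used for the sample."""
    blob = b"\x05\x02"
    for principal, vno, etype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
        body += struct.pack(">IIB", 0, timestamp, vno & 0xFF)   # name type 0 (KRB5_NT_UNKNOWN), as in the ktpass output
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", vno)                           # 32-bit vno trailer
        blob += struct.pack(">i", len(body)) + body
    return blob


# Constructed sample: principal, vno 7, etype 0x17 and the key hex from the ktpass output above;
# the timestamp is an assumption.
SAMPLE_KEYTAB = build_keytab([
    ("tst/nac1.com@NAC1.COM", 7, 0x17, bytes.fromhex("32ed87bdb5fdc5e9cba88547376818d4"), 1403527920),
])

if __name__ == "__main__":
    for line in smartendpoint_values(SAMPLE_KEYTAB):
        print(line)
```

To check a real file, pass its bytes to smartendpoint_values() (for example open("outfile.keytab", "rb").read()). The principal, vno and etype it prints must be identical to what is entered in SmartEndpoint; a vno that no longer matches usually means the account password was changed after ktpass was run.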

Configuring Global Authentication

You can configure the Authentication Settings for deployment packages.

Important - Use the Unauthenticated mode only for evaluation purposes. Never use this mode for production environments. Configure the authentication settings before moving to production.

To configure authentication settings:

  1. In SmartEndpoint open Manage > Endpoint Authentication Settings.
  2. Click Add.

    The Active Directory SSO Configuration window opens.

  3. Enter the details of the configured Active Directory, taken from the output of the ktpass command that mapped the service to a user:

    Domain name - The Active Directory domain name (NAC1.COM in the example).

    Principal Name - The authentication service name in the format SERVICE/realm@REALM. This value must match exactly the principal given to ktpass (tst/nac1.com@NAC1.COM in the example).

    Password - Enter (and confirm) the password of the domain user you created for Endpoint Security use, the account that ktpass mapped the service to. This is the same value given to ktpass as the password; the account does not need Domain Admin rights.

    Ticket encryption method - Select the encryption method that matches the etype field in the ktpass output (RC4-HMAC in the example).

    Key version number - Enter the number from the vno field in the ktpass output (7 in the example). If the account password is changed later, Active Directory increments the key version and this field must be updated to match.

  4. Click OK.
  5. When you are ready to work in Authentication mode, select Work in authenticated mode in the Authentication Settings pane.

    When you configure client package profiles, you will have to choose an authentication account. The SSO Configuration details will be included in the client package, allowing the server to authenticate the client.

Important - After turning on Strong Authentication, wait one minute before initiating any client operations.

It will take time for the clients and the Endpoint Security Management Server to synchronize. During this time, the environment will remain unauthenticated, and some operations will fail. The exact amount of time depends on the synchronization interval.

Strengthening the LDAP Communication

By default Active Directory authentication uses the LDAP protocol with the simple authentication method, which sends the bind password in clear text over an unencrypted connection. You can change this to LDAPS (LDAP over TLS), GSSAPI (Kerberos v5) authentication, or both.

To change the authentication protocol to LDAPS, GSSAPI, or both:

  1. Open the $UEPMDIR/engine/conf/ldap.utils.properties file.
  2. Configure the protocol or protocols to use.
    • To configure LDAPS - Change use.ssl=false to use.ssl=true
    • To configure GSSAPI - Change use.gssapi=false to use.gssapi=true

    Both LDAPS and GSSAPI can be set to true.

  3. Save.

For GSSAPI, no additional configuration is necessary.

Additional steps for LDAPS:

To import a certificate to the Endpoint Security Management Servers (Primary and Secondary in High Availability):

  1. Find the index of the SSL certificate: On a domain controller which is configured to support LDAPS, run: certutil -store -v MY

    The output of this command is a list of certificates, separated by a header line like this:

    ================ Certificate 0 ================, where 0 is the index number of the certificate.

  2. Find a certificate that has:
    • Subject: the FQDN of the domain controller
    • An Enhanced Key Usage extension that includes Server Authentication (OID 1.3.6.1.5.5.7.3.1)
  3. Note that certificate's index number, which is the number in the separator header before the certificate (0 in this example):

    ================ Certificate 0 ================

    X509 Certificate:
    Version: 3
    Serial Number: 610206fb000000000002
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=mulberry-DC-CA
        DC=mulberry
        DC=com
    NotBefore: 23/06/2014 13:12
    NotAfter: 23/06/2015 13:12
    Subject:
        CN=DC.mulberry.com
    Public Key Algorithm:

    Certificate Extensions: 9
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = 22
        Certificate Template Name (Certificate Type)
            DomainController
        2.5.29.37: Flags = 0, Length = 16
        Enhanced Key Usage
            Client Authentication (1.3.6.1.5.5.7.3.2)
            Server Authentication (1.3.6.1.5.5.7.3.1)

  4. Export the certificate from the domain controller:

    certutil -store MY <certificate index> <file name>

    For example: certutil -store MY 0 C:\certificates\DCCert.cer

  5. Import the certificate into the Endpoint Security servers. Copy the file to the Endpoint Security servers (primary and secondary) and run:

    cd $CPDIR/jre_64

    ./bin/keytool -import -keystore ./lib/security/cacert -file <cert file name> -alias <alias>

    For example: ./bin/keytool -import -keystore ./lib/security/cacert -file /certif/DCCert.cer -alias DCSSLCert

    keytool prompts for the keystore password, shows the certificate and asks you to confirm that it is trusted. Check that the keystore path exists before you import: if it does not, keytool silently creates a new, empty keystore at that path instead of adding to the one the server uses. Confirm the import with ./bin/keytool -list -keystore ./lib/security/cacert -alias <alias>.

    The imported certificate is the domain controller's own certificate, which has a limited lifetime (one year in the sample above). Repeat the import when the domain controller's certificate is renewed, or the LDAPS connection stops working; importing the certificate of the issuing CA (mulberry-DC-CA in the sample) instead avoids this.

  6. Restart the Endpoint Security servers: uepm_stop, then uepm_start.
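Steps 2 and 3 above are done by eye in the certutil output. The following added example (not Check Point code) automates that check offline on an exported certificate file: a minimal ASN.1 DER walker written with the Python standard library reads the Subject CN and the Enhanced Key Usage extension and confirms that the CN equals the domain controller's FQDN and that the EKU contains Server Authentication (1.3.6.1.5.5.7.3.1). The certificate it runs on by default is constructed inside the script with the subject and EKU values from the sample above; it is unsigned and its other fields are placeholders, so it only exercises the checker. Run cert_fields() or is_ldaps_cert() on the real DCCert.cer (DER or PEM) before importing it.

```python
import base64

OID_CN, OID_EKU, OID_SERVER_AUTH = "2.5.4.3", "2.5.29.37", "1.3.6.1.5.5.7.3.1"


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                              # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def cert_fields(cert):
    """Return (subject CN, list of EKU OIDs) from a DER or PEM encoded X.509 certificate."""
    if cert.lstrip().startswith(b"-----"):          # PEM: drop the armour lines and base64-decode
        cert = base64.b64decode(b"".join(l for l in cert.splitlines() if not l.startswith(b"-----")))
    _, tbs, _ = _tlv(_tlv(cert, 0)[1], 0)           # Certificate -> tbsCertificate
    parts = _children(tbs)
    if parts[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        parts = parts[1:]
    # parts: serial, signature, issuer, validity, subject, spki, optional [1]/[2] unique IDs, [3] extensions
    cn = None
    for _, rdn in _children(parts[4][1]):           # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if _decode_oid(oid) == OID_CN:
                cn = val.decode("utf-8")
    eku = []
    for tag, v in parts[6:]:
        if tag != 0xA3:
            continue
        for _, ext in _children(_children(v)[0][1]):        # Extensions ::= SEQUENCE OF Extension
            fields = _children(ext)                         # extnID, [critical], extnValue (OCTET STRING)
            if _decode_oid(fields[0][1]) == OID_EKU:
                purposes = _children(fields[-1][1])[0][1]   # OCTET STRING wraps SEQUENCE OF KeyPurposeId
                eku = [_decode_oid(o) for _, o in _children(purposes)]
    return cn, eku


def is_ldaps_cert(cert, dc_fqdn):
    """True if the certificate passes steps 2 and 3: Subject CN is the DC FQDN and EKU has Server Authentication."""
    cn, eku = cert_fields(cert)
    return cn is not None and cn.lower() == dc_fqdn.lower() and OID_SERVER_AUTH in eku


# --- constructed sample certificate (unsigned skeleton; only Subject and EKU are meaningful) ---
_OID_DER = {OID_CN: b"\x55\x04\x03", OID_EKU: b"\x55\x1d\x25",
            OID_SERVER_AUTH: b"\x2b\x06\x01\x05\x05\x07\x03\x01",
            "1.3.6.1.5.5.7.3.2": b"\x2b\x06\x01\x05\x05\x07\x03\x02"}   # Client Authentication


def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(cn, ekus):
    oid = lambda s: _der(0x06, _OID_DER[s])
    name = lambda s: _der(0x30, _der(0x31, _der(0x30, oid(OID_CN) + _der(0x0C, s.encode("utf-8")))))
    filler = _der(0x30, b"\x05\x00")                # stands in for the algorithm, validity and key fields
    eku_ext = _der(0x30, oid(OID_EKU) + _der(0x04, _der(0x30, b"".join(oid(o) for o in ekus))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + filler + name("mulberry-DC-CA")
           + filler + name(cn) + filler + _der(0xA3, _der(0x30, eku_ext)))
    return _der(0x30, _der(0x30, tbs) + filler + _der(0x03, b"\x00"))


if __name__ == "__main__":
    dc = sample_cert("DC.mulberry.com", ["1.3.6.1.5.5.7.3.2", OID_SERVER_AUTH])
    print(cert_fields(dc), is_ldaps_cert(dc, "DC.mulberry.com"))
```

The checker only confirms that you picked the right certificate; it does not validate the chain, signature or expiry, which keytool and the LDAPS client do at connection time.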

Troubleshooting Authentication in Server Logs

To troubleshoot problems related to Active Directory Authentication, use the Authentication log on the Endpoint Security Management Server or Endpoint Policy Server in $UEPMDIR/logs/Authentication.log.

To see full debugging information in the Authentication.log file on a Gaia server:

  1. On the Endpoint Security server, run: export TDERROR_ALL_KERBEROS_SERVER=5
  2. Restart the Endpoint Security server from the same shell (uepm_stop, then uepm_start), so that the restarted processes inherit the variable. Unset the variable and restart again when you have finished troubleshooting, as level 5 logging is verbose.


Troubleshooting Authentication in Client Logs

The Authentication.log file for each Endpoint Security client is on the client computer at %DADIR%/logs.

A normal log is:

[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired for John@ACME-DOM.COM
[KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty.
[KERBEROS_CLIENT(KerberosLogger_Events)] : Security context is not yet established.continue needed.

If the Authentication.log file on the client shows:

No authority could be contacted for authentication.

The Endpoint Agent cannot find a Domain Controller to supply credentials. To fix this:

  1. Make sure that the client is in the domain and has connectivity to your Domain Controller.
  2. To authenticate with user credentials, log off and then log in again.

    To authenticate with device credentials, restart the computer.

If the Authentication.log file on the client shows:

The specified target is unknown or unreachable.

Check the service name. Make sure that there are no typing errors and that the format is correct (SERVICE/realm@REALM, exactly as given to ktpass). If there is an error, correct it in SmartEndpoint under Manage > Endpoint Authentication Settings.