Transparent Kerberos Authentication Configuration
The Transparent Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. for manual authentication.
|
Note - The Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. The user does not see the Captive Portal. |
SSO in Windows domains works with the Kerberos authentication protocol.
The Kerberos protocol is based on the concept of tickets, encrypted data packets issued by a trusted authority, Active Directory (AD). When a user logs in, the user authenticates to a domain controller that gives an initial ticket granting ticket (TGT). This ticket vouches for the user's identity.
In this solution, when an unidentified user is about to be redirected to the Captive Portal for identification:
-
Captive Portal asks the browser for authentication.
-
The browser shows a Kerberos ticket to the Captive Portal.
-
Captive Portal sends the ticket to the gateway (the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway).
-
The gateway decrypts the ticket, extracts the user's identity, and publishes it to all Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with Identity Awareness.
-
The authorized and identified user is redirected to the originally requested URL.
-
If transparent automatic authentication fails (steps 2-5), the user is redirected to the Captive Portal for identification.
Transparent Kerberos Authentication uses the GSS-API Negotiation Mechanism (SPNEGO) internet standard to negotiate Kerberos. This mechanism works like the mechanism that Identity Agents use to present the Kerberos ticket (see Identity Awareness Clients Administration Guide).
You can configure SSO Transparent Kerberos Authentication to work with HTTP and/or HTTPS connections. HTTP connections work transparently with SSO Transparent Kerberos Authentication at all times. HTTPS connections work transparently only if the Security Gateway has a signed .p12
certificate. If the Security Gateway does not have a certificate, the user sees, and must respond to, the certificate warning message before a connection is made.
For more about Kerberos SSO, we recommend the MIT Kerberos web site and the Microsoft TechNet Library.
Configuration Overview
Transparent Kerberos Authentication SSO configuration includes these steps. They are described in details in this section.
-
AD configuration - Creating a user account and mapping it to a Kerberos principal name
-
For HTTP connections: (
HTTP/<captive portal full dns name>@DOMAIN
) -
For HTTPS connections: (
HTTPS/<captive portal full dns name>@DOMAIN
)
-
-
-
Creating an LDAP Account Unit and configuring it with SSO.
-
Enabling Transparent Kerberos Authentication on the Identity Awareness Gateway.
-
-
Endpoint client configuration - Configuring trusted sites in the browsers.
Where applicable, the procedures give instructions for both HTTP and HTTPS configuration.
Creating a New User Account
-
In Active Directory, open Active Directory Users and Computers (Start > Run > dsa.msc)
-
Add a new user account.
You can choose any username and password. For example: a user account named
ckpsso
with the passwordqwe123!@#
to the domaincorp.acme.com
. -
Clear User must change password at next logon and select Password Never Expires.
Mapping the User Account to a Kerberos Principal Name
Run the setspn
utility to create a Kerberos principal name, used by the Security Gateway and the AD. A Kerberos principal name contains a service name (for the Security Gateway that browsers connect to) and the domain name (to which the service belongs).
setspn
is a command line utility that is available for Windows Server 2000 and higher.
Install the correct setspn.exe
version on the AD server. The setspn.exe
utility is not installed by default in Windows 2003.
On Windows 2003:
-
Get the correct executable for your service pack from the Microsoft Support site before installation. It is part of the Windows 2003 support tools. For example, AD 2003 SP2 requires support tools for 2003 SP2.
-
Download the
support.cab
andsuptools.msi
files to a new folder on your AD server. -
Run the
suptools.msi
.
If you use Active Directory with Windows Server 2008 and above, the setspn
utility is installed on your server in the Windows\System32
folder. Run the command prompt as an Administrator.
|
Important - If you used the To remove the association, run:
If you do not do this, authentication will fail. |
-
Open the command line (Start > Run > cmd).
-
Run
setspn
with this syntax:For HTTP connections:
> setspn -A HTTP/<captive_portal_full_dns_name> <username>
Important - Make sure that you enter the command exactly as shown. All parameters are case sensitive.
Example:
> setspn -A HTTP/mycaptive.corp.acme.com ckpsso
The AD is ready to support Kerberos authentication for the Security Gateway.
To see users associated with the principle name, run: setspn -Q HTTP*/*
Configuring an Account Unit
If you already have an Account Unit from the Identity Awareness First Time Configuration Wizard, use that unit. Do not do the first five steps. Start with Step 6.
-
Add a new host to represent the AD domain controller: In SmartConsole, open the Object Explorer (Ctrl+E) and click New > Host.
-
Enter a name and IP address for the AD object.
-
Click OK.
-
Add a new LDAP Account Unit:
In the Object Explorer, click New > Server > LDAP Account Unit.
-
In the General tab of the LDAP Account Unit:
-
Enter a name.
-
In Profile, select Microsoft_AD.
-
In Domain, enter the domain name.
>
Best Practice - Enter the domain for existing Account Units to use for Identity Awareness. If you enter a domain, it does not affect existing LDAP Account Units.
-
Select CRL retrieval and User management.
-
-
Click Active Directory SSO configuration and configure the values:
-
Select Use Kerberos Single Sign On.
-
Enter the domain name.
-
Enter the account username you created in Creating a New User Account.
-
Enter the account password for that user (the same password you configured for the account username in AD) and confirm it.
-
Leave the default settings for Ticket encryption method.
-
Click OK.
-
-
In the Servers tab:
-
Click Add and enter the LDAP Server properties.
-
In Host, select the AD object you configured.
-
In Login DN, enter the login DN of a predefined user (added in the AD) used for LDAP operations.
-
Enter the LDAP user password and confirm it.
-
In the Check Point Gateways are allowed to section, select Read data from this server.
-
In the Encryption tab, select Use Encryption (SSL). Fetch the fingerprint. Click OK.
Note - LDAP over SSL is not supported by default. If you did not configure your domain controller to support LDAP over SSL, configure it, or make sure Use Encryption (SSL) is not selected.
-
-
In the Objects Management tab:
-
In Server to connect, select the AD object you configured.
-
Click Fetch Branches to configure the branches in use.
-
Set the number of entries supported.
-
-
In the Authentication tab, select Default authentication scheme > Check Point Password.
-
Click OK.
Enabling Transparent Kerberos Authentication
-
Log in to SmartConsole.
-
From the left Navigation Toolbar, click Gateways & Servers.
-
Open the Identity Awareness Gateway object.
-
In the left tree, go to the Identity Awareness page.
-
The Captive Portal Settings window opens.
-
In the Authentication Settings section, click Edit.
-
Select Automatically authenticate users from machines in the domain.
The Main URL field contains the URL (with IP address or Hostname) that is used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal.
-
Click OK to close all windows.
-
Install the Access Control Policy.
Browser Configuration
To work with Transparent Kerberos Authentication, it is necessary to configure your browser to trust Captive Portal URL. If the portal is working with HTTPS, you must also enter the URL in the Local Internet field using HTTPS.
It is not necessary to add the Captive Portal URL to Trusted Sites.
To configure Internet Explorer for Transparent Kerberos Authentication:
-
Open Internet Explorer.
-
Go to Internet Tools > Options > Security > Local intranet > Sites > Advanced.
-
Enter the Captive Portal URL in the applicable and then click Add.
If you have already configured Internet Explorer for Transparent Kerberos Authentication, that configuration also works with Chrome. Use this procedure only if you did not configure Internet Explorer for Transparent Kerberos Authentication.
To configure Google Chrome for Transparent Kerberos Authentication:
-
Open Chrome.
-
Click the menu (wrench) icon and select Settings.
-
Click Show advanced settings.
-
In the Network section, click Change Proxy Settings.
-
In the Internet Properties window, go to Security > Local intranet > Sites > Advanced.
-
Enter the Captive Portal URL in the applicable field.
For Firefox, the Negotiate authentication option is disabled by default. To use Transparent Kerberos Authentication, you must enable this option.
To configure Firefox for Transparent Kerberos Authentication:
-
Open Firefox.
-
In the URL bar, enter
about:config
-
Search for the
network.negotiate-auth.trusted-uris
parameter. -
Set the value to the DNS name of the Captive Portal Security Gateway. You can enter multiple URLs by separating them with a comma.