Transparent Kerberos Authentication Configuration

The Transparent KerberosClosed An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive PortalClosed A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. for manual authentication.

Note - The Identity AgentClosed Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. The user does not see the Captive Portal.

SSO in Windows domains works with the Kerberos authentication protocol.

The Kerberos protocol is based on the concept of tickets, encrypted data packets issued by a trusted authority, Active Directory (AD). When a user logs in, the user authenticates to a domain controller that gives an initial ticket granting ticket (TGT). This ticket vouches for the user's identity.

In this solution, when an unidentified user is about to be redirected to the Captive Portal for identification:

  1. Captive Portal asks the browser for authentication.

  2. The browser shows a Kerberos ticket to the Captive Portal.

  3. Captive Portal sends the ticket to the gateway (the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway).

  4. The gateway decrypts the ticket, extracts the user's identity, and publishes it to all Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with Identity Awareness.

  5. The authorized and identified user is redirected to the originally requested URL.

  6. If transparent automatic authentication fails (steps 2-5), the user is redirected to the Captive Portal for identification.

Transparent Kerberos Authentication uses the GSS-API Negotiation Mechanism (SPNEGO) internet standard to negotiate Kerberos. This mechanism works like the mechanism that Identity Agents use to present the Kerberos ticket (see the Identity Awareness Clients Administration Guide).

You can configure SSO Transparent Kerberos Authentication to work with HTTP and/or HTTPS connections. HTTP connections work transparently with SSO Transparent Kerberos Authentication at all times. HTTPS connections work transparently only if the Security Gateway has a signed .p12 certificate. If the Security Gateway does not have a certificate, the user sees, and must respond to, the certificate warning message before a connection is made.

Configuration Overview

Transparent Kerberos Authentication SSO configuration includes these steps. They are described in details in this section.

Where applicable, the procedures give instructions for both HTTP and HTTPS configuration.

Creating a New User Account

  1. In Active Directory, open Active Directory Users and Computers (Start > Run > dsa.msc)

  2. Add a new user account.

    You can select one username and password. For example: a user account named ckpsso with the password qwe123!@# to the domain corp.acme.com.

  3. Clear the User must change password at next logon option and select Password Never Expires.

Mapping the User Account to a Kerberos Principal Name

Run the setspn utility to create a Kerberos principal name, used by the Security Gateway and the AD. A Kerberos principal name contains a service name (for the Security Gateway that browsers connect to) and the domain name (to which the service belongs).

setspn is a command line utility that is available for Windows Server 2000 and higher.

Configuring an Account Unit

If you already have an Account Unit from the Identity Awareness First Time Configuration Wizard, use that unit. Do not do the first five steps. Start with Step 6.

  1. Add a new host to represent the AD domain controller: In SmartConsole, open the Object Explorer (Ctrl+E) and click New > Host.

  2. Enter a name and IP address for the AD object.

  3. Click OK.

  4. Add a new LDAP Account Unit:

    In the Object Explorer, click New > More > User/Identity > LDAP Account Unit.

  5. In the General tab of the LDAP Account Unit:

    1. Enter a name.

    2. In Profile, select Microsoft_AD.

    3. In Domain, enter the domain name.

      Best Practice - Enter the domain for existing Account Units to use for Identity Awareness. If you enter a domain, it does not affect existing LDAP Account Units.

    4. Select CRL retrieval and User management.

  6. Click Active Directory SSO configuration and configure the values:

    1. Select Use Kerberos Single Sign On.

    2. Enter the domain name.

    3. Enter the account username you created in Creating a New User Account.

    4. Enter the account password for that user (the same password you configured for the account username in AD) and confirm it.

    5. Leave the default settings for Ticket encryption method.

    6. Click OK.

  7. In the Servers tab:

    1. Click Add and enter the LDAP Server properties.

    2. In Host, select the AD object you configured.

    3. In Login DN, enter the login DN of a predefined user (added in the AD) used for LDAP operations.

    4. Enter the LDAP user password and confirm it.

    5. In the Check Point Gateways are allowed to section, select Read data from this server.

    6. In the Encryption tab, select Use Encryption (SSL). Fetch the fingerprint. Click OK.

      Note - LDAP over SSL is not supported by default. If you did not configure your domain controller to support LDAP over SSL, configure it, or make sure Use Encryption (SSL) is not selected.

  8. In the Objects Management tab:

    1. In Server to connect, select the AD object you configured.

    2. Click Fetch Branches to configure the branches in use.

    3. Set the number of entries supported.

  9. In the Authentication tab, select Default authentication scheme > Check Point Password.

  10. Click OK.

Enabling Transparent Kerberos Authentication

  1. Log in to SmartConsole.

  2. From the left Navigation Toolbar, click Gateways & Servers.

  3. Open the Identity Awareness Gateway object.

  4. In the left tree, go to the Identity Awareness page.

  5. Click Browser-Based Authentication > Settings.

    The Captive Portal Settings window opens.

  6. In the Authentication Settings section, click Edit.

  7. Select Automatically authenticate users from machines in the domain.

    The Main URL field contains the URL (with IP address or Hostname) that is used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal.

  8. Click OK to close all windows.

  9. Install the Access Control Policy.

Browser Configuration

To work with Transparent Kerberos Authentication, it is necessary to configure your browser to trust Captive Portal URL. If the portal is working with HTTPS, you must in addition enter the URL in the Local Internet field through HTTPS.