Transparent Kerberos Authentication Configuration

The Transparent KerberosClosed An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive PortalClosed A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. for manual authentication.

Note - The Identity AgentClosed Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from sk134312. download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. The user does not see the Captive Portal.

SSO in Windows domains works with the Kerberos authentication protocol.

The Kerberos protocol is based on the concept of tickets, encrypted data packets issued by a trusted authority, Active Directory (AD). When a user logs in, the user authenticates to a domain controller that gives an initial ticket granting ticket (TGT). This ticket vouches for the user's identity.

In this solution, when an unidentified user is about to be redirected to the Captive Portal for identification:

  1. Captive Portal asks the browser for authentication.

  2. The browser shows a Kerberos ticket to the Captive Portal.

  3. Captive Portal sends the ticket to the gateway (the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway).

  4. The gateway decrypts the ticket, extracts the user's identity, and publishes it to all Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with Identity Awareness.

  5. The authorized and identified user is redirected to the originally requested URL.

  6. If transparent automatic authentication fails (steps 2-5), the user is redirected to the Captive Portal for identification.

Transparent Kerberos Authentication uses the GSS-API Negotiation Mechanism (SPNEGO) internet standard to negotiate Kerberos. This mechanism works like the mechanism that Identity Clients use to present the Kerberos ticket (see Identity Awareness Clients Administration Guide).

You can configure SSO Transparent Kerberos Authentication to work with HTTP and/or HTTPS connections. HTTP connections work transparently with SSO Transparent Kerberos Authentication at all times. HTTPS connections work transparently only if the Security Gateway has a signed .p12 certificate. If the Security Gateway does not have a certificate, the user sees, and must respond to, the certificate warning message before a connection is made.

For more about Kerberos SSO, we recommend the MIT Kerberos web site and the Microsoft TechNet Library.

Configuration Overview

Transparent Kerberos Authentication SSO configuration includes these steps. They are described in details in this section.

Where applicable, the procedures give instructions for both HTTP and HTTPS configuration.

Creating a New User Account

  1. In Active Directory, open Active Directory Users and Computers (Start > Run > dsa.msc)

  2. Add a new user account.

    You can select one username and password. For example: a user account named ckpsso with the password qwe123!@# to the domain corp.acme.com.

  3. Clear the User must change password at next logon option and select Password Never Expires.

Mapping the User Account to a Kerberos Principal Name

Run the setspn utility to create a Kerberos principal name, used by the Security Gateway and the AD. A Kerberos principal name contains a service name (for the Security Gateway that browsers connect to) and the domain name (to which the service belongs).

setspn is a command line utility that is available for Windows Server 2000 and higher.

Install the correct setspn.exe version on the AD server. The setspn.exe utility is not installed by default in Windows 2003.

On Windows 2003:

  1. Get the correct executable for your service pack from the Microsoft Support site before installation. It is part of the Windows 2003 support tools. For example, AD 2003 SP2 must have support tools for 2003 SP2.

  2. Download the support.cab and suptools.msi files to a new folder on your AD server.

  3. Run the suptools.msi.

If you use Active Directory with Windows Server 2008 and above, the setspn utility is installed on your server in the Windows\System32 folder. Run the command prompt as an Administrator.

Important - If you used the setspn utility before, with the same principal name, but with a different account, you must delete the different account or remove the association to the principal name.

To remove the association, run:

setspn -D HTTP/ <captive_portal_full_dns_name> <old_account name>

If you do not do this, authentication fails.

  1. Open the command line (Start > Run > cmd).

  2. Run setspn with this syntax:

    For HTTP connections:

    > setspn -A HTTP/<captive_portal_full_dns_name> <username>

    Important - Make sure that you enter the command exactly as shown. All parameters are case sensitive.

    Example:

    > setspn -A HTTP/mycaptive.corp.acme.com ckpsso

    The AD is ready to support Kerberos authentication for the Security Gateway.

To see users associated with the principle name, run: setspn -Q HTTP*/*

Configuring an Account Unit

If you already have an Account Unit from the Identity Awareness First Time Configuration Wizard, use that unit. Do not do the first five steps. Start with Step 6.

  1. Add a new host to represent the AD domain controller: In SmartConsole, open the Object Explorer (Ctrl+E) and click New > Host.

  2. Enter a name and IP address for the AD object.

  3. Click OK.

  4. Add a new LDAP Account Unit:

    In the Object Explorer, click New > More > User/Identity > LDAP Account Unit.

  5. In the General tab of the LDAP Account Unit:

    1. Enter a name.

    2. In Profile, select Microsoft_AD.

    3. In Domain, enter the domain name.

      >

      Best Practice - Enter the domain for existing Account Units to use for Identity Awareness. If you enter a domain, it does not affect existing LDAP Account Units.

    4. Select CRL retrieval and User management.

  6. Click Active Directory SSO configuration and configure the values:

    1. Select Use Kerberos Single Sign On.

    2. Enter the domain name.

    3. Enter the account username you created in Creating a New User Account.

    4. Enter the account password for that user (the same password you configured for the account username in AD) and confirm it.

    5. Leave the default settings for Ticket encryption method.

    6. Click OK.

  7. In the Servers tab:

    1. Click Add and enter the LDAP Server properties.

    2. In Host, select the AD object you configured.

    3. In Login DN, enter the login DN of a predefined user (added in the AD) used for LDAP operations.

    4. Enter the LDAP user password and confirm it.

    5. In the Check Point Gateways are allowed to section, select Read data from this server.

    6. In the Encryption tab, select Use Encryption (SSL). Fetch the fingerprint. Click OK.

      Note - LDAP over SSL is not supported by default. If you did not configure your domain controller to support LDAP over SSL, configure it, or make sure Use Encryption (SSL) is not selected.

  8. In the Objects Management tab:

    1. In Server to connect, select the AD object you configured.

    2. Click Fetch Branches to configure the branches in use.

    3. Set the number of entries supported.

  9. In the Authentication tab, select Default authentication scheme > Check Point Password.

  10. Click OK.

Enabling Transparent Kerberos Authentication

  1. Log in to SmartConsole.

  2. From the left Navigation Toolbar, click Gateways & Servers.

  3. Open the Identity Awareness Gateway object.

  4. In the left tree, go to the Identity Awareness page.

  5. Click Browser-Based AuthenticationClosed Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate. > Settings.

    The Captive Portal Settings window opens.

  6. In the Authentication Settings section, click Edit.

  7. Select Automatically authenticate users from machines in the domain.

    The Main URL field contains the URL (with IP address or Hostname) that is used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal.

  8. Click OK to close all windows.

  9. Install the Access Control Policy.

Browser Configuration

To work with Transparent Kerberos Authentication, it is necessary to configure your browser to trust Captive Portal URL. If the portal is working with HTTPS, you must in addition enter the URL in the Local Internet field through HTTPS.

It is not necessary to add the Captive Portal URL to Trusted Sites.

To configure Internet Explorer for Transparent Kerberos Authentication:

  1. Open Internet Explorer.

  2. Go to Internet Tools > Options > Security > Local intranet > Sites > Advanced.

  3. Enter the Captive Portal URL in the applicable and then click Add.

If your Internet Explorer for Transparent Kerberos Authentication is already configured, then this configuration works with Chrome. Use this procedure only if you did not configure Internet Explorer for Transparent Kerberos Authentication.

To configure Google Chrome for Transparent Kerberos Authentication:

  1. Open Chrome.

  2. Click the menu (wrench) icon and select Settings.

  3. Click Show advanced settings.

  4. In the Network section, click Change Proxy Settings.

  5. In the Internet Properties window, go to Security > Local intranet > Sites > Advanced.

  6. Enter the Captive Portal URL in the applicable field.

For Firefox, the Negotiate authentication option is disabled by default. To use Transparent Kerberos Authentication, you must enable this option.

To configure Firefox for Transparent Kerberos Authentication:

  1. Open Firefox.

  2. In the URL bar, enter about:config

  3. Search for the network.negotiate-auth.trusted-uris parameter.

  4. Set the value to the DNS name of the Captive Portal Security Gateway. You can enter multiple URLs by separating them with a comma.