Kerberos Single Sign On
The UserCheck agent supports single sign on through the Kerberos network authentication protocol. Kerberos is the default authentication protocol used in Windows 2000 domains and above.
The Kerberos protocol is based on the idea of tickets, encrypted data packets issued by a trusted authority, in this case the Active Directory (AD). When a user logs in, the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket vouches for the user's identity.
When the user needs to authenticate to the DLP Gateway through the UserCheck agent, the agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (the DLP Gateway). The UserCheck agent then presents this service ticket to the Security Gateway.
For more detailed information on Kerberos SSO, see:
Single Sign-On Configuration has two steps:
1. AD Configuration - You create a user account and map it to a Kerberos principal name.
Performing AD Configuration
The AD configuration involves:
- Creating a New User Account
- Mapping the User Account to a Kerberos Principal Name
Creating a new User Account
1. In Active Directory, open Active Directory Users and Computers (Start > Run > dsa.msc).
2. Add a new user account. You can select any username and password. For example: a user account named ckpsso with the password qwe123!@# added to the domain corp.acme.com.
3. Clear User must change password at next logon and select Password Never Expires.
Mapping the User Account to a Kerberos Principal Name
This step uses the ktpass utility to create a Kerberos principal name that is used by both the Security Gateway and the AD. A Kerberos principal name consists of a service name (for the DLP Gateway that the UserCheck agent connects to) and the domain name to which the service belongs.
ktpass is a command-line tool available in Windows 2000 and higher.
Retrieving the correct executable
You must install the correct ktpass.exe version on the AD. ktpass.exe is not installed by default in Windows 2003.
- Windows 2003:
  1. Retrieve the correct executable for your service pack from the Microsoft Support site prior to installation. It is part of the Windows 2003 Support Tools. For example, AD 2003 SP2 requires the Support Tools for 2003 SP2.
  2. Download the support.cab and suptools.msi files to a new folder on your AD server.
  3. Run suptools.msi.
- Active Directory 2008:
  The ktpass utility is already installed on your server in the Windows\System32 folder, so you can run it from the command line. Open the command prompt as an administrator by right-clicking it and selecting "Run as administrator".
Using the ktpass tool
1. Open a command line to run the ktpass tool (Start > Run > cmd).
2. At the command prompt, run ktpass with this syntax:
ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.keytab -crypto RC4-HMAC-NT
Important - Enter the command exactly as shown. It is case-sensitive.
This is an example of running ktpass with these parameters:
Parameter                  Value
domain_name@DOMAIN_NAME    corp.acme.com@CORP.ACME.COM
username@domain_name       ckpsso@corp.acme.com
password                   qwe123@#
The AD is ready to support Kerberos authentication for the Security Gateway.
The example above shows the ktpass syntax on Windows 2003. When using Windows 2008/2008 R2 Server, the ktpass syntax is slightly different: parameters are introduced with a forward slash "/" instead of a hyphen "-".
Example (Windows 2008):
ktpass /princ ckp_pdp/corp.acme.com@CORP.ACME.COM /mapuser ckpsso@corp.acme.com /pass qweQWE!@# /out unix.keytab /crypto RC4-HMAC-NT
Authentication Failure
Authentication fails if you used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account.
If you have used the ktpass utility before:
1. On the AD server, run:
ldifde -f check_SPN.txt -t 3268 -d "dc=corp,dc=acme,dc=com" -l servicePrincipalName -r "(servicePrincipalName=ckp_pdp*)" -p subtree
2. Open the check_SPN.txt file and verify that only one record is present. If multiple records exist, you must delete the other account or remove its association with the principal name.
Remove the association with the principal name by running:
setspn -D ckp_pdp/domain_name old_account_name
For example:
setspn -D ckp_pdp/corp.acme.com ckpsso
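The record check above can be done against the exported check_SPN.txt programmatically. This Python example is added here and is not part of the Check Point documentation: it parses ldifde's LDIF output (unfolding continuation lines), collects the ckp_pdp service principal names, and reports any SPN that more than one account holds; the LDIF sample is constructed, and the base64 (`::`) value form is left undecoded.

```python
"""Flag ckp_pdp SPNs that more than one AD account holds in an ldifde export."""
from collections import defaultdict

# Constructed sample of check_SPN.txt: two accounts carry the same SPN, and the
# second DN is folded over two lines the way ldifde wraps long values.
SAMPLE_LDIF = """\
dn: CN=ckpsso,CN=Users,DC=corp,DC=acme,DC=com
changetype: add
servicePrincipalName: ckp_pdp/corp.acme.com

dn: CN=old-sso-account,OU=Service Accounts,DC=corp,DC=acme,
 DC=com
changetype: add
servicePrincipalName: ckp_pdp/corp.acme.com
servicePrincipalName: HOST/oldbox.corp.acme.com
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per record, attribute names lower-cased.
    Continuation lines (leading space) are unfolded; base64 ('::') values stay encoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def spn_holders(text, prefix="ckp_pdp/"):
    """Map each SPN beginning with prefix to the DNs of the accounts that hold it."""
    holders = defaultdict(list)
    for rec in parse_ldif(text):
        for spn in rec.get("serviceprincipalname", []):
            if spn.lower().startswith(prefix.lower()):
                holders[spn].append(rec.get("dn", [""])[0])
    return dict(holders)

def duplicate_spns(text, prefix="ckp_pdp/"):
    """SPNs claimed by more than one account; SSO fails until only one holder remains."""
    return {s: d for s, d in spn_holders(text, prefix).items() if len(d) > 1}
```

Each DN that duplicate_spns reports for a ckp_pdp SPN, other than the account you mapped with ktpass, is a candidate for the setspn -D removal shown above.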
2. SmartConsole Configuration - You create an LDAP Account Unit and configure it to support SSO.
Configuring SmartConsole for DLP SSO
In SmartConsole, configure the LDAP Account Unit object to support SSO.
To create a host object for the AD server:
1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).
2. Click New > Host.
3. Configure the settings for the host.
4. Click OK.
5. Publish the SmartConsole session.
To configure the LDAP account unit:
1. From the Object Explorer, click New > Server > LDAP Account Unit.
2. In the General tab of the LDAP Account Unit Properties window, enter these settings:
   - Enter the Name.
   - In Profile, select Microsoft_AD.
   - In the Domain field, enter the domain name.
     Best Practice - Configure this field for account units that you want to use for Identity Awareness. This setting does not affect other LDAP Account Units.
   - Select CRL retrieval and User management.
3. Click Active Directory SSO configuration.
4. In the Active Directory SSO configuration window, configure these settings:
   - Select Use Kerberos Single Sign On.
   - Enter the Domain Name.
   - Enter the Account Name and Password for the AD account.
   - Do not change the default settings for Ticket encryption method.
   - Click OK.
5. Configure these settings in the Servers tab:
   - Click Add.
   - In Host, select the host object for the AD server.
   - Enter the Login DN of the user (added in the AD) for LDAP operations.
   - Enter the Password and confirm it.
   - In the Check Point Gateways are allowed to section, make sure that Read data from this server is selected.
6. Click the Encryption tab, and configure these settings:
   - Click Use Encryption (SSL).
   - Click Fetch.
   - Click OK.
   Note - LDAP over SSL is not supported by default. If you have not configured your domain controller to support LDAP over SSL, either skip step 6 or configure your domain controller to support LDAP over SSL.
7. Click the Objects Management tab, and configure these settings:
   - In the Manage objects on field, select the host object for the AD server.
   - Click Fetch Branches to configure the branches in use.
   - Set the number of entries supported.
8. Click the Authentication tab, and configure these settings:
   - In the Users' default values section, click Default authentication scheme.
   - Select Check Point Password.
9. Click OK.
10. Publish the SmartConsole session.