6.3.5. Kerberos authentication

Kerberos authentication provides transparent authentication (no user name or password prompt) for Active Directory domain users. During Kerberos authentication, the UserGate server communicates with the domain controllers to authenticate the user who wants to access the Internet.

Kerberos authentication works both when a proxy server is explicitly configured in the user's browser (standard mode) and when no proxy server is configured (transparent mode).

To set up authentication through Kerberos, perform the following steps:


Step 1. Create a DNS record for the UserGate server.

On a domain controller, create DNS records for the Captive portal auth and logout domains of your UserGate server (auth.captive and logout.captive by default), e.g. auth.domain.loc and logout.domain.loc.

As the IP address, specify the address of the UserGate interface connected to the Trusted network.

Important! Create A-type DNS records, do not use CNAME records.

Step 2. Create a new user for your UserGate server.

Create a new user in the AD domain, e.g. kerb@domain.loc, and enable the 'Password never expires' option. Set a password for user 'kerb'.

Important! Do not use characters from national alphabets, such as Cyrillic letters, in the user name or in the names of the Active Directory organizational units in which you create the 'kerb' account.

Important! Do not reuse the user created earlier for the LDAP connector for Kerberos. Create a new, separate account.

Step 3. Create a keytab file.

On the domain controller, create a keytab file by running the following command as an administrator (it is a single line):

ktpass.exe /princ HTTP/auth.domain.loc@DOMAIN.LOC /mapuser kerb@DOMAIN.LOC /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out C:\utm.keytab

When prompted, enter the password set for user 'kerb' in Step 2. Note that ktpass sets the account password to the value you enter, so entering a different value changes the 'kerb' password. The resulting keytab contains the account's long-term keys: protect it like a credential and delete it from the domain controller once it has been uploaded to UserGate.

Important! This command is case-sensitive. In this example:
auth.domain.loc is the DNS record created for your UserGate server in Step 1
DOMAIN.LOC is the Kerberos realm (the domain name), in capital letters only!
kerb@DOMAIN.LOC is the domain user created in Step 2; the realm part must be in capital letters only!
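The domain-controller side of this procedure (Steps 1 to 3) as one PowerShell script, followed by the checks a practitioner would run before uploading the keytab. This is an added example, not code from the UserGate guide. It assumes a DNS zone domain.loc, a UserGate Trusted interface at 192.168.1.1 (constructed), a service account 'kerb' in the default Users container and an output file C:\utm.keytab; none of these except the names used in the guide's own ktpass line are from the page.

```powershell
# Added example, not from the UserGate guide: Steps 1-3 on the domain
# controller, run as a domain administrator.
# Assumptions (not in the guide): DNS zone domain.loc, UserGate Trusted
# interface 192.168.1.1 (constructed), service account 'kerb' in the
# default Users container, output keytab C:\utm.keytab.
Import-Module ActiveDirectory
Import-Module DnsServer

$Zone      = 'domain.loc'
$Realm     = $Zone.ToUpperInvariant()   # Kerberos realm: upper case only
$UtmIp     = '192.168.1.1'              # assumption: UserGate Trusted interface
$SvcUser   = 'kerb'
$KeytabOut = 'C:\utm.keytab'

# Step 1: A records (not CNAME) for the Captive portal auth and logout names.
foreach ($name in 'auth', 'logout') {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $UtmIp
}

# Step 2: a dedicated account, separate from the LDAP connector account,
# with a non-expiring password. ASCII-only name and OU.
$Password = Read-Host -Prompt "Password for $SvcUser" -AsSecureString
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "${SvcUser}@${Zone}" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Step 3: keytab. ktpass registers the SPN HTTP/auth.<zone> on the account
# and writes the keys derived from the password. '/pass *' prompts, which
# keeps the password out of the command line and the shell history; enter
# the same password as in Step 2, because ktpass sets the account password
# to the value entered. Principal and realm are case-sensitive.
& ktpass.exe /princ "HTTP/auth.${Zone}@${Realm}" /mapuser "${SvcUser}@${Realm}" `
    /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass '*' /out $KeytabOut

# Checks before uploading the keytab:
# - the SPN is on the account and on no other account (a duplicate SPN
#   makes the KDC issue tickets encrypted with the wrong key),
# - the auth name resolves to the Trusted interface.
Get-ADUser $SvcUser -Properties ServicePrincipalNames |
    Select-Object -ExpandProperty ServicePrincipalNames
setspn.exe -X
Resolve-DnsName "auth.${Zone}" -Type A

# The keytab holds the account's long-term keys: treat it as a credential.
# Restrict it to administrators and delete it from the DC after uploading
# it to the UserGate LDAP connector (Step 7).
icacls.exe $KeytabOut /inheritance:r /grant:r 'Administrators:(F)'
```

If setspn -X reports the HTTP/auth.domain.loc SPN on a second account, remove it there before continuing; the Kerberos client has no way to tell which key the KDC used, and authentication fails silently from the user's point of view.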

Step 4. Set up DNS servers in UserGate.

In the UserGate settings, specify the IP addresses of the domain controllers as the system DNS servers.

Step 5. Set up synchronization of time with the domain controller.

In the General settings, enable time synchronization with NTP servers and specify the IP addresses of the domain controllers as the primary and secondary NTP servers. Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the allowed skew (5 minutes by default in Active Directory), so this step is mandatory.

Step 6. Change the address for Captive portal auth domains.

In the General settings section, replace the address in Captive portal auth domain and, optionally, the address in Captive portal logout domain with the DNS records created in Step 1. For more details on how to change the Captive portal auth and logout domains, please refer to General settings.

Step 7. Create an LDAP connector and upload a keytab file to it.

Create a new LDAP connector and upload the keytab file created in Step 3 to it. For more details on LDAP connectors, please refer to LDAP connector.

Step 8. Create a Captive portal rule with Kerberos authentication.

Set up the Captive portal for authentication through Kerberos. For more details on the Captive portal, please refer to the next chapters of the Guide.

Step 9. Allow access to HTTP(S) for the zone.

In the Zones section, allow access to the HTTP(S) proxy service for the zone to which the users who authenticate through Kerberos are connected.

Step 10. Set up the proxy server on user workstations to enable standard authentication.

On the user workstations, configure mandatory use of a proxy server, specifying the UserGate server by the FQDN for which the DNS record was created in Step 1 (e.g. auth.domain.loc). The browser requests a service ticket for the SPN HTTP/<proxy host name>, so this name must match the principal in the keytab from Step 3; specifying the proxy by IP address does not match the SPN and Kerberos authentication will not take place.

Step 11. For authentication in the transparent mode, set up automatic user authentication by a browser across all browser's security zones.

On the user workstations, go to Control panel-->Internet options-->Security, select the Internet zone, click Custom level, and under User Authentication-->Logon enable Automatic logon with current user name and password.

Repeat this setting for the other zones available on the workstation (Local intranet, Trusted sites).
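The workstation side (Steps 10 and 11) as the registry settings behind the Internet Options dialog, plus a check that the browser actually obtained a Kerberos ticket for the UserGate SPN. This is an added example, not from the UserGate guide. It assumes the UserGate FQDN auth.domain.loc from Step 1, an HTTP(S) proxy port of 8090 (an assumption; use the port configured on your UserGate), and the per-user Internet Settings keys that Internet Explorer, Edge and Chromium-based browsers read on Windows.

```powershell
# Added example, not from the UserGate guide: per-user workstation settings
# for Steps 10 (standard mode) and 11 (transparent mode), run as the user.
# Assumptions: UserGate FQDN auth.domain.loc (Step 1) and proxy port 8090
# (assumed; not stated in the guide).
$UtmFqdn    = 'auth.domain.loc'
$ProxyPort  = 8090
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Step 10: mandatory proxy by FQDN. The browser builds the SPN
# HTTP/<proxy host> from this value, so it must be the name in the keytab,
# never the IP address.
Set-ItemProperty -Path $IeSettings -Name ProxyEnable -Value 1 -Type DWord
Set-ItemProperty -Path $IeSettings -Name ProxyServer -Value "${UtmFqdn}:${ProxyPort}" -Type String
# Optional: keep local addresses off the proxy.
Set-ItemProperty -Path $IeSettings -Name ProxyOverride -Value '<local>' -Type String

# Step 11: 'Automatic logon with current user name and password' in every
# zone the workstation uses. The Logon setting is value 1A00 of each zone
# key: 0 = automatic logon with current user name and password,
# 0x10000 = prompt, 0x20000 = automatic logon only in Intranet zone,
# 0x30000 = anonymous. Zone keys: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet.
foreach ($zone in 1, 2, 3) {
    Set-ItemProperty -Path "$IeSettings\Zones\$zone" -Name '1A00' -Value 0 -Type DWord
}

# Check: after the user opens a web page through UserGate, the ticket cache
# should hold a service ticket for the UTM's SPN. No such entry (or only
# NTLM in the proxy logs) means the SPN, DNS name or clock did not match.
klist | Select-String "HTTP/$UtmFqdn"
```

These are per-user values; for a domain roll-out set the same Logon and proxy settings through Group Policy instead. If the workstation has the machine-wide Security_HKLM_only policy applied, the HKCU zone values are ignored and the zone settings must be made under HKLM.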