6.3.6. Kerberos Authentication Method

The Kerberos option enables transparent (i.e., without requesting a username and password) authorization of Active Directory domain users. When performing authorization via Kerberos, the UserGate server works with domain controllers that authenticate the user for Internet access.

Kerberos authentication can work both with a proxy explicitly set in the user's browser (this is the standard mode) and in the transparent mode with no proxy set in the browser.

To configure authorization using Kerberos, follow these steps:



Step 1. Create DNS records for the UserGate server.

On the domain controller, create DNS records corresponding to the UserGate server to be used as the auth.captive and logout.captive domains (e.g., auth.domain.loc and logout.domain.loc).

Point it to the IP address of a UserGate interface connected to the Trusted network.

Important! For correct operation, create type A records rather than CNAME.

Step 2. Create a user for the UserGate server.

Create a user in the AD domain, such as kerb@domain.loc, with the password never expires option. Set a password for user kerb.

Important! Do not use characters from national alphabets, such as Cyrillic, in the names of the kerb user or in the Active Directory organization units where you plan to create this user account.

Important! Do not use the user created for the LDAP connector as the kerb user. A separate user account needs to be used.

Step 3. Create a keytab file.

On the domain controller, create a keytab file by invoking the following command as an administrator (in one line!):

ktpass.exe /princ HTTP/auth.domain.loc@DOMAIN.LOC /mapuser kerb@DOMAIN.LOC /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out C:\utm.keytab

Enter the password for user kerb.

Important! The command is case-sensitive. In the above example:

auth.domain.loc is the DNS record created for the UserGate server at Step 1;

DOMAIN.LOC is the Kerberos realm domain (UPPERCASE required!); and

kerb@DOMAIN.LOC is the username in the domain created at Step 2 (again, UPPERCASE required for the realm domain name!).

Step 4. Configure DNS servers in UserGate.

In the UserGate settings, set the domain controller's IP addresses as the system DNS servers.

Step 5. Configure time synchronization with the domain controller.

In UserGate settings, turn on time synchronization with NTP servers. Specify the IP addresses of the domain controllers as the primary and (optionally) secondary NTP server.

Step 6. Change the Captive portal auth domain address.

In the General settings section, change the Captive portal auth domain and (optionally) Captive portal logout domain addresses to the DNS records created at the previous step. For more details on changing domain addresses, see the section General Settings.

Step 7. Create an LDAP connector and upload the keytab file to it.

Create an authentication server of type LDAP connector and upload the keytab file obtained at the previous step.

Important! Do not use the special Kerberos user created earlier as the user for the LDAP connector. A separate user account needs to be used.

For more details on configuring an LDAP connector, see the section LDAP Connector.

Step 8. Create a captive portal rule with Kerberos authentication.

Configure the captive portal for using the Kerberos authentication method. For more details on the captive portal, see the section Captive Portal Configuration.

Step 9. Enable HTTP(S) service access for the zone.

In the Zones section, enable access to the HTTP(S) proxy service for the zone to which the users authorized using Kerberos are connected.

Step 10. For standard-mode authorization, configure the proxy on the user computers.

On user computers, turn on mandatory proxy use and specify the proxy as the UserGate FQDN created at Step 3.

Step 11. For transparent-mode authorization, configure automatic browser-based user authentication for all zones.

On user computers, go to Control panel --> Internet options --> Security, select the zone Internet --> Custom level --> User Authentication --> Logon and enable Automatic login with current name and password.

Repeat this setting for all other zones configured on this computer (Local intranet, Trusted sites).


To enable authorization using HTTPS request traffic decryption on the NGFW must be configured. The Decrypt All for Unknown Users rule that enables traffic inspection for unauthorized users is created by default.