Kerberos KDC and basic authentication

Using this method of authentication, users are automatically authenticated against a Kerberos Key Distribution Center (KDC), and do not need to enter authentication details when connecting their browser to the Web Gateway. If the user's browser cannot authenticate using Kerberos, Basic Authentication is tried, and the user is prompted to enter their user name and password.

Configure authentication

  1. From the System Center Home page, click Proxy Settings > Authentication Settings.
  2. Beside the User Authentication is Disabled/Enabled section, click Click here to change these settings.
  3. Select Kerberos Authentication and Basic Authentication using Kerberos Distribution Center and click Save.
  4. Beside the Basic Realm Identifier section, click Click here to change these settings.
  5. Type the name of the Basic Realm identifier to be used and click Save.

    The realm is shown in the authentication dialog displayed by the client's browser, so the user can determine why they are being asked to authenticate. The browser caches it, along with the user name and password, for the duration of the session. The default Basic Realm identifier is 'Clearswift SECURE Web Gateway'.

  6. Beside the Kerberos Distribution Center section, click Click here to change these settings.
  7. Click New to add a KDC. The New Kerberos Distribution Center dialog appears.
  8. Enter the fully qualified domain name of the distribution center that will validate a user's authentication details. You can also add a comment about this KDC. Click Add.

    The new KDC is added to the list.

    You can edit any of the KDCs in the list at any time using the steps in Edit authentication.

  If you are using Kerberos authentication, Network Time Protocol (NTP) must be enabled. You configure this setting on the System Time Settings page.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Edit authentication

  1. In the Kerberos Distribution Centers section, select the KDC that you want to change and click Edit. Only one KDC can be edited at a time.

    The Edit KDC dialog appears.

  2. Change the host or note for the KDC and click Update.
  3. Use the icons to move a KDC up or down in the list. The order of the list dictates which KDC is tested first, so arrange the KDCs accordingly. If the first KDC does not work, the second in the list is tested, and so on.

Add a Kerberos key tab file

  1. Beside the Kerberos Key Tab File section, click Click here to change these settings.
  2. Enter, or browse to, the location of the Kerberos key tab file to import into the Web Gateway, and click Save.
  Key tab files can vary, depending on the version you are using. For more information on key tab files, refer to your Windows KDC documentation.

Delete authentication

  1. In the Kerberos Distribution Centers section, select the KDC that you want to delete and click Delete.

    The Confirm Delete dialog appears.

  2. Click Yes to delete the KDC. It will be immediately removed from the KDC list.

Test authentication

  1. On the Authentication Settings page, click Test Authentication. The Test Authentication dialog appears.
  2. Enter a valid user name and password combination, and click Run Test.

The test is run on the KDCs in priority order, based on the ordering of the list. If the first KDC does not work, the second in the list is tested, and so on.

Although Kerberos authentication supports user names or passwords that contain non-ASCII characters, the test mechanism does not. You cannot test authentication of user names or passwords containing extended characters.

Enable Apache Access logging

If you want to run diagnostics on your KDCs, you can enable Apache Access logging for more information. To do this:

  1. Beside the Apache Access Log is Disabled/Enabled section, click Click here to change these settings.
  2. To enable or disable the generation of Apache Access logs, select or deselect the Enable Apache access logging check box.