Kerberos KDC authentication

Using this method of authentication, users are automatically authenticated against a Kerberos Key Distribution Center (KDC), and do not need to enter authentication details when connecting their browser to the Web Gateway.

Configure authentication

  1. From the System Center Home page, click Proxy Settings > Authentication Settings.
  2. Beside the User Authentication is Disabled/Enabled section, click Click here to change these settings.
  3. Select Kerberos Authentication using Kerberos Distribution Center and click Save.

    The Kerberos Distribution Centers and Kerberos Key Tab File sections will appear once you've saved the authentication type.

  4. Beside the Kerberos Distribution Centers section, click Click here to change these settings.
  5. Click New to add a KDC. The New Kerberos Distribution Center dialog appears.
  6. Enter the fully qualified domain name of the distribution center that will validate a user's authentication details. You can also add a comment about this KDC. Click Add.

    The new KDC is added to the list.

    You can edit any of the KDCs in the list at any time using the steps in Edit authentication.

If you are using Kerberos authentication, Network Time Protocol (NTP) must be enabled. Configure this setting on the System Time Settings page.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Edit authentication

  1. In the Kerberos Distribution Centers section, select the KDC that you want to change and click Edit. Only one KDC can be edited at a time.

    The Edit KDC dialog appears.

  2. Change the host or note for the KDC and click Update.
  3. Click the up or down icons to move a KDC up or down in the list. The KDCs are tested in list order, so arrange them accordingly: if the first KDC does not work, the second in the list is tested, and so on.

Add a Kerberos key tab file

  1. Beside the Kerberos Key Tab File section, click Click here to change these settings.
  2. Enter, or browse to, the location of the Kerberos key tab file to import into the Web Gateway, and click Save.
  Key tab files can vary, depending on the version you are using. For more information on key tab files, refer to your Windows KDC documentation.
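
Before importing a key tab file, it is worth checking which principals, key version numbers and encryption types it contains. The following is an added example, not part of the product or its documentation: a minimal reader for key tab file format version 0x0502 that flags deprecated DES and RC4 entries without exposing key bytes. The principal HTTP/gateway.example.com@EXAMPLE.COM and the sample bytes are constructed for illustration.

```python
import io
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}                        # DES and RC4 are deprecated (RFC 6649, RFC 8429)

def _parse_entry(rec):
    buf = io.BytesIO(rec)
    def u(fmt):                          # first big-endian field of fmt
        return struct.unpack(fmt, buf.read(struct.calcsize(fmt)))[0]
    def counted():                       # 16-bit length, then that many bytes
        return buf.read(u(">H"))
    ncomp = u(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    u(">II")                             # name type and timestamp, unused here
    kvno, etype = u(">B"), u(">H")
    counted()                            # key bytes are skipped, never returned
    if len(rec) - buf.tell() >= 4:       # optional 32-bit kvno; nonzero overrides
        kvno = u(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(etype, f"etype-{etype}"), "weak": etype in WEAK}

def parse_keytab(data):                  # file format version 0x0502 only
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                     # a negative length marks a deleted slot
            if pos + size > len(data):
                raise ValueError("truncated entry")
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def _sample(etype, kvno):                # constructed record, all-zero placeholder key
    def s(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + s(b"EXAMPLE.COM") + s(b"HTTP") + s(b"gateway.example.com")
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(bytes(16)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + _sample(18, 3) + struct.pack(">i", -8) + bytes(8) + _sample(23, 3)

if __name__ == "__main__":
    print(*parse_keytab(SAMPLE), sep="\n")
```

To inspect a real file, pass its contents as `parse_keytab(open(path, "rb").read())`; an entry reported with `weak` set to true indicates the key tab should be regenerated with AES encryption types on the KDC side.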

Delete authentication

  1. In the Kerberos Distribution Centers section, select the KDC that you want to delete and click Delete.

    The Confirm Delete dialog appears.

  2. Click Yes to delete the KDC. It will be immediately removed from the KDC list.

Test authentication

  1. On the Authentication Settings page, click Test Authentication. The Test Authentication dialog appears.
  2. Enter a valid user name and password combination, and click Run Test.

The test is run on the KDCs in priority order, based on the ordering of the list. If the first KDC does not work, the second in the list is tested, and so on.

Although Kerberos authentication supports user names or passwords that contain non-ASCII characters, the test mechanism does not. You cannot test authentication of user names or passwords containing extended characters.

Enable Apache Access logging

If you want to run diagnostics on your KDCs, you can enable Apache Access logging for more information. To do this:

  1. Beside the Apache Access Log is Disabled/Enabled section, click Click here to change these settings.
  2. To enable or disable the generation of Apache Access logs, select or deselect the Enable Apache access logging check box.