RapidIdentity Product Guides - 2019 Rolling Release

How-To Configure Kerberos Authentication

Introduction

Traditionally, a user has always been required to enter their username and password in order to log in to RapidIdentity. Customers may deem this process redundant when a user has already logged into their domain-joined Windows workstation.

Kerberos Authentication is supported in RapidIdentity 3.5 and newer. This process eliminates the username and password requirement when a user is logging in from a domain-joined Windows workstation.

Prerequisites

Prior to attempting to configure Kerberos Authentication, you should complete the following tasks:

  1. Ensure that you are licensed for Kerberos Authentication

  2. Verify that you are running the latest version of RapidIdentity 3.5 or newer

Active Directory Configuration

  1. Create a user in Active Directory to handle Kerberos Authentication. The only requirements for this user account are:

    1. Select the option to prevent the user from changing their password

    2. Select the option to indicate that the user’s password never expires

    3. Select the option to not require Kerberos pre-authentication

  2. In PowerShell, execute the following command:

    1. setspn -a HTTP/{RapidIdentityURL} {KerberosUsername}

      1. RapidIdentityURL: The FQDN of your RapidIdentity server, for example “my.example.com”

      2. KerberosUsername: The username created previously in step 1a
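The Active Directory steps above as one PowerShell script. This is an added example, not part of the RapidIdentity guide: it assumes the RSAT ActiveDirectory module and a domain-admin session, and the account name svc-rapididentity is a placeholder.

```powershell
# Added example, not part of the RapidIdentity guide: creates the service
# account with the three flags the guide requires, registers the SPN and
# verifies the result. Assumes the RSAT ActiveDirectory module and a
# domain-admin session; the account name is a placeholder.
Import-Module ActiveDirectory

$Domain   = 'test.local'          # domain used throughout the guide
$RapidUrl = 'my.example.com'      # FQDN of the RapidIdentity server
$User     = 'svc-rapididentity'   # placeholder; choose your own name
$Spn      = "HTTP/$RapidUrl"

# With pre-authentication disabled, the account's password is the only thing
# protecting its AS-REP from offline guessing, so make it long and random.
$Password = Read-Host -AsSecureString "Password for $User (long and random)"

# Requirements 1a and 1b: user cannot change password, password never expires
New-ADUser -Name $User -SamAccountName $User `
           -UserPrincipalName "$User@$Domain" `
           -AccountPassword $Password -Enabled $true `
           -CannotChangePassword $true -PasswordNeverExpires $true

# Requirement 1c: do not require Kerberos pre-authentication
Set-ADAccountControl -Identity $User -DoesNotRequirePreAuth $true

# Step 2: register the SPN. -S differs from the guide's -a only in that it
# refuses to add the SPN when another account already holds it; a duplicate
# SPN makes the KDC issue tickets the RapidIdentity service cannot decrypt.
$out = setspn -S $Spn $User
$out
if ($out -match 'Duplicate SPN found') {
    throw "SPN $Spn already exists on another account; list holders with: setspn -Q $Spn"
}

# Confirm the three flags and the SPN on the finished account
Get-ADUser -Identity $User -Properties ServicePrincipalNames, CannotChangePassword, `
                                       PasswordNeverExpires, DoesNotRequirePreAuth |
    Select-Object SamAccountName, ServicePrincipalNames, CannotChangePassword, `
                  PasswordNeverExpires, DoesNotRequirePreAuth
```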

Group Policy Configuration

Certain configuration changes need to be made on each Windows workstation to support Kerberos Authentication. Rather than manage these individually, a group policy can be configured to automate that process.

  1. Add your RapidIdentity URL to the Intranet Sites list

    1. User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignments List

      1. Set this policy to Enabled

      2. Add an assignment for your RapidIdentity server to Intranet Sites, for example

        1. Value Name: https://my.example.com

        2. Value: 1

  2. Configure a batch script (see template below) to configure Firefox and store it in \\test.local\NETLOGON\kerberos.bat

  3. Set the Group Policy to run this batch script on user logon

    1. Computer Configuration > Policies > Windows Settings > Scripts > Startup

Note

On your Windows workstations, Internet Explorer should be configured to “Enable Integrated Windows Authentication”. This should be enabled by default, but can be verified by opening Internet Explorer Settings and finding the setting on the Advanced tab.

Note

Google Chrome shares Internet Explorer configuration, so no additional configuration should be necessary to enable Google Chrome to use Kerberos Authentication.

Firefox Batch Script

@echo off
REM Add the RapidIdentity URL to the Negotiate/NTLM trusted-URI preferences of
REM every Firefox profile in the current user's roaming profile directory.
REM "*.default*" matches both the older "*.default" and the newer
REM "*.default-release" profile directory names.
FOR /F "tokens=*" %%R IN ('dir /B /AD "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO CALL :write_settings "%%R"
GOTO :EOF

:write_settings
REM %~1 is the profile directory name; quote the path in case %APPDATA% contains spaces
SET "PREFS=%APPDATA%\Mozilla\Firefox\Profiles\%~1\prefs.js"
REM skip profiles that have never been started (no prefs.js yet)
IF NOT EXIST "%PREFS%" GOTO :EOF
REM configure the prefs.js file if it hasn't already been configured
>nul find "my.example.com" "%PREFS%" || (
  echo user_pref^("network.negotiate-auth.trusted-uris", "https://my.example.com"^);>> "%PREFS%"
  echo user_pref^("network.negotiate-auth.delegation-uris", "https://my.example.com"^);>> "%PREFS%"
  echo user_pref^("network.automatic-ntlm-auth.trusted-uris", "https://my.example.com"^);>> "%PREFS%"
)
ATTRIB -A "%PREFS%"
GOTO :EOF

Appliance Configuration

  1. The RapidIdentity Appliance must be able to resolve your domain through DNS. Ideally, your appliance will be configured to use your domain controllers for DNS. Alternatively, you can configure your hosts file to point to your domain; however, the appliance will then be limited to a single domain controller for Kerberos Authentication.

  2. In RapidIdentity Appliance Configuration (idauto-apps), navigate to Core Configuration > Authentication > Kerberos Configuration and configure the following parameters with your values:

    1. Domain: test.local

    2. KDC Address: test.local

    3. Service Principal: HTTP/my.example.com@test.local

    4. Service Principal Password: Configured earlier in step 1 of Active Directory Configuration

  3. In RapidIdentity Appliance Configuration (idauto-apps), navigate to Core Configuration > Authentication and create an authentication policy for Kerberos Authentication:

    1. Criteria > Kerberos > Enabled: Checked

    2. Authentication Methods > Kerberos > Required: Checked

    3. Note: Additional authentication methods (such as TOTP) can be enabled in the same policy to require further authentication after Kerberos.
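A workstation-side check of the prerequisites the Group Policy and Appliance Configuration sections depend on. This is an added example, not part of the RapidIdentity guide: it runs on a domain-joined workstation with RSAT-free built-in tools (Resolve-DnsName, setspn, klist) and uses the guide's test.local and my.example.com values.

```powershell
# Added example, not part of the RapidIdentity guide: run on a domain-joined
# workstation once the steps above are complete. It checks the three things
# the Kerberos login depends on: the KDC is discoverable through DNS, the SPN
# belongs to exactly one account, and a service ticket can be obtained for it.
$Domain   = 'test.local'        # domain used in the guide
$RapidUrl = 'my.example.com'    # RapidIdentity FQDN used in the guide
$Spn      = "HTTP/$RapidUrl"

function Test-KerberosLoginPrereqs {
    $ok = $true

    # 1. KDC discovery: the appliance's DNS must answer this query as well,
    #    which is why the guide wants it pointed at the domain controllers.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if ($srv) { $srv | ForEach-Object { Write-Host "KDC: $($_.NameTarget):$($_.Port)" } }
    else      { Write-Warning "no _kerberos._tcp SRV record for $Domain"; $ok = $false }

    # 2. SPN uniqueness: setspn -Q prints one DN line per account holding the
    #    SPN; more than one holder breaks ticket decryption on the service side.
    $holders = @(setspn -Q $Spn | Where-Object { $_ -match '^CN=' })
    if ($holders.Count -eq 1) { Write-Host "SPN $Spn is held by $($holders[0])" }
    else { Write-Warning "$Spn is registered on $($holders.Count) accounts (expected 1)"; $ok = $false }

    # 3. Service ticket: klist get performs the same TGS request the browser
    #    makes for the Negotiate header, using the logged-on user's TGT.
    $ticket = klist get $Spn
    if ($ticket -match [regex]::Escape($Spn)) { Write-Host "service ticket for $Spn obtained" }
    else { Write-Warning "could not get a service ticket for $Spn"; $ok = $false }

    return $ok
}

Test-KerberosLoginPrereqs
```

If step 3 fails while steps 1 and 2 pass, the workstation side is fine and the remaining suspects are the Service Principal or its password entered in the appliance's Kerberos Configuration.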

Current Limitations

  1. Cloud Hosted Active Directories: It is currently unsupported to attempt Kerberos Authentication against a Cloud Hosted Active Directory.

  2. UPN Suffix: It is currently unsupported to attempt Kerberos Authentication using UPN Suffixes.

  3. Trusts: It is currently unsupported to attempt Kerberos Authentication against a trusted domain.

  4. Multiple Domains: It is currently unsupported to attempt Kerberos Authentication against multiple domains.