Network Setup: Kerberos KDC
Overview
For this example:
- The BeyondTrust Appliance B Series may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the BeyondTrust Appliance B Series.
- Representatives are members of a Kerberos realm.
- Representatives can communicate with their KDC (typically over port 88 UDP).
Configuration
- On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.
- Log in to your B Series Appliance's /login interface.
- Go to Users & Security > Kerberos Keytab.
- Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.
- Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.
- Create a unique name to help identify this provider.
- Be sure to check the Enabled box.
- Choose whether to synchronize display names.
- Optionally, select the option to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.
- For User Handling Mode, select Allow all users.
- For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
- You may also select a default group policy for users who authenticate against this Kerberos server.
- Click Save to save this security provider configuration.
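
A check that can be run on the exported keytab before the Import Keytab step, added here as an example and not BeyondTrust code: it parses the MIT keytab file format (version 0x0502, an assumption about what your KDC exports), confirms the expected SPN is present, and reports DES or RC4 keys. The SPN `HTTP/appliance.example.com@EXAMPLE.COM`, the function names, and the sample bytes are constructed for illustration.

```python
import struct

# IANA Kerberos enctype numbers; DES and RC4 are deprecated (RFC 6649, RFC 8429).
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def counted(data, p):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) per entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:
            break
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                      # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, p = counted(data, p)
                comps.append(c.decode())
            kvno, etype = struct.unpack_from(">BH", data, p + 8)  # skip name type, timestamp
            _key, p = counted(data, p + 11)
            if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            yield "/".join(comps) + "@" + realm.decode(), kvno, etype
        pos = end

def check_keytab(data, expected_spn):  # problems to resolve before importing
    entries = list(parse_keytab(data))
    problems = [f"{spn} kvno {kvno}: weak enctype {WEAK[e]}"
                for spn, kvno, e in entries if e in WEAK]
    if expected_spn not in {spn for spn, _, _ in entries}:
        problems.append(f"no key for {expected_spn}")
    return problems

def sample_entry(etype, spn="HTTP/appliance.example.com", realm="EXAMPLE.COM", kvno=2):
    s = lambda b: struct.pack(">H", len(b)) + b   # constructed sample data, all-zero key
    body = struct.pack(">H", spn.count("/") + 1) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in spn.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(bytes(16)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry(23) + sample_entry(18)  # constructed: RC4 + AES-256 keys
```

To check a real export, pass the file's bytes (read in binary mode) as `data`; an empty list from `check_keytab` means the SPN is present and no DES or RC4 keys were found.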