Network Setup: Kerberos KDC and LDAP Server on Separate Networks

Overview

For this example:

  • The BeyondTrust Appliance B Series may or may not be located behind a corporate firewall.
  • Representatives may or may not be on the same network as the BeyondTrust Appliance B Series.
  • Representatives belong as members to a Kerberos realm.
  • Representatives can communicate with their KDC (typically over port 88 UDP).
  • An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.
  • The BeyondTrust Appliance B Series cannot directly communicate with the LDAP server.

Diagram of Network Setup Example 3: Kerberos KDC and LDAP Server, Separate Networks


Configuration

  1. On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.
  2. Log into your B Series Appliance's /login interface.
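Before uploading the keytab exported in step 1, it is worth confirming what it actually contains: only the SPN you registered, in your realm, with current key versions and no deprecated encryption types. The following is an added example (not BeyondTrust code) that parses the MIT keytab file format (version 0x0502) and reports those findings. The SPN, realm and key bytes in the embedded sample keytab are constructed placeholders.

```python
"""Added example: inspect an exported keytab before uploading it to the appliance.

Parses the MIT keytab file format (version 0x0502, big-endian) and reports the
principals, key version numbers and encryption types it contains, so the
administrator can confirm the file holds exactly the SPN registered on the KDC
and nothing else. The sample keytab below is constructed inline (all-zero key
material); the hostname, realm and SPN are placeholders.
"""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",            # RC4; deprecated, flag it if present
}
WEAK_ENCTYPES = {23}


@dataclass
class KeytabEntry:
    principal: str   # name components joined with "/", e.g. HTTP/host
    realm: str
    kvno: int
    enctype: int


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type and timestamp are not needed here; vno8 is the 8-bit key
        # version number, superseded by the optional 32-bit one at the end
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen        # skip the key bytes themselves
        kvno = vno8
        if end - off >= 4:
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype))
        off = end
    return entries


def check_keytab(entries: list[KeytabEntry], expected_spn: str, expected_realm: str) -> list[str]:
    """Return a list of findings; an empty list means the keytab is as expected."""
    findings = []
    if not entries:
        findings.append("keytab contains no entries")
    for e in entries:
        if e.principal != expected_spn or e.realm != expected_realm:
            findings.append(f"unexpected principal {e.principal}@{e.realm}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} for {e.principal}")
    return findings


def _entry(principal: str, realm: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Serialize one keytab entry (used only to build the constructed sample)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SPN, REALM = "HTTP/appliance.example.com", "EXAMPLE.COM"   # placeholders
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(SPN, REALM, 18, 3, b"\x00" * 32)
                 + _entry(SPN, REALM, 17, 3, b"\x00" * 16)
                 + _entry(SPN, REALM, 23, 3, b"\x00" * 16))   # stale RC4 key, to be flagged

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"{e.principal}@{e.realm} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for f in check_keytab(found, SPN, REALM):
        print("WARNING:", f)
```

Run it against a real export by replacing `SAMPLE_KEYTAB` with the file's bytes; an unexpected principal usually means the wrong keytab was exported, and an RC4 entry means the service account still carries a legacy key that should be rotated out before the SPN is trusted by the appliance.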

Add Security Provider

  1. Go to Users & Security > Security Providers. Click Add. From the dropdown, select LDAP.


  2. Create a unique name to help identify this provider.
  3. Be sure to check the Enabled box.
  4. Choose if you want to synchronize display names.
  5. For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.
  6. Continue to configure the settings for this LDAP server.
  7. Because the LDAP server does not have direct communication with the BeyondTrust Appliance B Series, check the option Proxy from appliance through the Connection Agent.
  8. Create a password for the connection agent.
  9. Click Download Connection Agent to install the agent on a system behind your firewall. When installing the connection agent, provide the name and password you created for this LDAP server.
  10. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.
  11. Click Save to save this security provider configuration.
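The User Query step has two requirements that are easy to get wrong: the query must resolve the ticket's User Principal Name to exactly one entry, and the UPN, which comes from the client, must not be able to change the shape of the filter. The following is an added example (not BeyondTrust code) that builds such a filter with RFC 4515 escaping and checks the single-entry property against a small in-memory directory. The `userPrincipalName` attribute, the filter layout and the sample entries are assumptions, not the product's syntax.

```python
"""Added example: build and sanity-check the LDAP user query for the UPN.

The query must map the User Principal Name from the Kerberos ticket to exactly
one directory entry. The UPN is client-supplied input to an LDAP filter, so it
is escaped per RFC 4515 before substitution; a tiny in-memory evaluator of the
resulting equality assertion (constructed here, not a real LDAP server) shows
why that matters. Attribute name and sample entries are assumptions.
"""
import re

DIRECTORY = [   # constructed sample entries
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "userPrincipalName": "alice@EXAMPLE.COM"},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "userPrincipalName": "bob@EXAMPLE.COM"},
    {"dn": "CN=Svc,OU=Service,DC=example,DC=com", "userPrincipalName": "svc-backup@EXAMPLE.COM"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape characters with special meaning in assertion values."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def user_query(upn: str) -> str:
    """The filter string, with the ticket UPN substituted safely."""
    return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)}))"


_TOKEN = re.compile(r"\\([0-9a-fA-F]{2})|(\*)|([^*\\]+)")


def _assertion_regex(assertion: str) -> re.Pattern:
    """Interpret an assertion value: an unescaped '*' is a wildcard, '\\xx' a literal byte."""
    parts = []
    for esc, star, lit in _TOKEN.findall(assertion):
        if esc:
            parts.append(re.escape(chr(int(esc, 16))))
        elif star:
            parts.append(".*")
        else:
            parts.append(re.escape(lit))
    # UPNs are matched case-insensitively, as a directory server would
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def search_upn(directory, assertion: str) -> list[dict]:
    """Evaluate (userPrincipalName=<assertion>) over the in-memory directory."""
    rx = _assertion_regex(assertion)
    return [e for e in directory if rx.match(e["userPrincipalName"])]


def resolve_user(directory, upn: str) -> dict:
    """Map a ticket UPN to its single entry; anything but one hit is a configuration error."""
    hits = search_upn(directory, escape_filter_value(upn))
    if len(hits) != 1:
        raise LookupError(f"expected exactly one entry for {upn!r}, found {len(hits)}")
    return hits[0]


if __name__ == "__main__":
    print(user_query("alice@EXAMPLE.COM"))
    print(resolve_user(DIRECTORY, "alice@EXAMPLE.COM")["dn"])
    # Without escaping, a UPN of "*" would match every entry; escaped it matches none.
    print(len(search_upn(DIRECTORY, "*")), len(search_upn(DIRECTORY, escape_filter_value("*"))))
```

The point of `resolve_user` raising on zero or several hits is that a group lookup keyed on an ambiguous UPN silently grants the wrong user's groups; treat that condition as a misconfiguration to fix in the directory, not something to tolerate in the query.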

Kerberos Keytab

  1. Go to Users & Security > Kerberos Keytab.
  2. Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.


Add Security Provider

  1. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.


  2. Create a unique name to help identify this provider.
  3. Be sure to check the Enabled box.
  4. Choose if you want to synchronize display names.
  5. Optionally, select to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.
  6. For User Handling Mode, select Allow all users.
  7. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
  8. In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.
  9. You may also select a default group policy for users who authenticate against this Kerberos server.
  10. Click Save to save this security provider configuration.

For more information about configuring an LDAP group security provider, please see LDAP Server for User Authentication and Group Lookup.