Network Setup: Kerberos KDC and LDAP Server on Separate Networks
Overview
For this example:
- The BeyondTrust Appliance B Series may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the BeyondTrust Appliance B Series.
- Representatives are members of a Kerberos realm.
- Representatives can communicate with their KDC (typically UDP port 88).
- An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.
- The BeyondTrust Appliance B Series cannot directly communicate with the LDAP server.
Configuration
- On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.
- Log into your B Series Appliance's /login interface.
- Go to Users & Security > Security Providers. Click Add. From the dropdown, select LDAP.
- Create a unique name to help identify this provider.
- Be sure to check the Enabled box.
- Choose if you want to synchronize display names.
- For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.
- Continue to configure the settings for this LDAP server.
- Because the LDAP server does not have direct communication with the BeyondTrust Appliance B Series, check the option Proxy from appliance through the Connection Agent.
- Create a password for the connection agent.
- Click Download Connection Agent to install the agent on a system behind your firewall. When installing the connection agent, provide the name and password you created for this LDAP server.
- For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.
- Click Save to save this security provider configuration.
- Go to Users & Security > Kerberos Keytab.
- Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.
- Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.
- Create a unique name to help identify this provider.
- Be sure to check the Enabled box.
- Choose if you want to synchronize display names.
- Optionally, choose to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.
- For User Handling Mode, select Allow all users.
- For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
- In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.
- You may also select a default group policy for users who authenticate against this Kerberos server.
- Click Save to save this security provider configuration.
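Before uploading the keytab exported from the KDC, it is worth confirming that it actually contains the SPN you registered for the B Series Appliance hostname, since only principals present in the file will appear under Configured Principals. The following is an added example, not BeyondTrust's code: a small parser for the MIT keytab v2 file format that lists the principals in a keytab and checks for an expected SPN. The hostname appliance.example.com, the realm EXAMPLE.COM and the sample keytab bytes are constructed here for illustration.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2

def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into a v2 keytab (sample input only)."""
    out = KEYTAB_MAGIC
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype), ...] for every live entry in the keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size == 0:
            break
        if size < 0:                 # a negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]; pos += 2
        parts = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", data, pos)[0]; pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        pos += 8                     # name_type (4 bytes) and timestamp (4 bytes) not needed here
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # a trailing 32-bit kvno is present only when bytes remain before the entry's end
        kvno = struct.unpack_from(">I", data, pos)[0] if pos + 4 <= end else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def keytab_has_spn(data, spn):
    """True if the keytab holds the SPN registered for the B Series Appliance hostname."""
    return any(p == spn for p, _, _ in parse_keytab(data))

# Constructed sample keytab: assumed hostname appliance.example.com, realm EXAMPLE.COM
SAMPLE = build_keytab([("HTTP/appliance.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32),
                       ("host/kdc.example.com", "EXAMPLE.COM", 2, 17, b"\x22" * 16)])
```

Run `parse_keytab(open("appliance.keytab", "rb").read())` against a real export to see the principals and key version numbers the appliance will import; enctype 18 is aes256-cts-hmac-sha1-96 and 17 is aes128-cts-hmac-sha1-96.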
For more information about configuring an LDAP group security provider, please see LDAP Server for User Authentication and Group Lookup.