Network Setup: Kerberos KDC in Multiple Realms

Overview

For this example:

  • The BeyondTrust Appliance B Series may or may not be located behind a corporate firewall.
  • Representatives may or may not be on the same network as the BeyondTrust Appliance B Series.
  • Representatives may be members of multiple Kerberos realms in the corporate infrastructure (traditionally, a multi-domain hierarchy in Windows).
  • If a DMZ realm exists, the representatives' realms may have inbound trusts with that DMZ realm (that is, the DMZ realm trusts the representatives' realms), allowing principals in the trusted realms to obtain service tickets for SPNs in the DMZ realm.

Diagram of Network Setup Example 4: Kerberos KDC, Multiple Realms


Configuration

  1. Register one or more SPNs according to the following rules:
    • If a DMZ Kerberos realm is involved, register a unique SPN within the DMZ realm.
    • If no DMZ Kerberos realm is involved and no trust exists between the two realms, register a unique SPN in each realm.
    • If no DMZ Kerberos realm is involved and a trust exists between the two realms, register a unique SPN in a realm of your choosing.
  2. Export a keytab for each registered SPN (on a Windows KDC, ktpass writes the keytab for the account that holds the SPN).
  3. Log into your B Series Appliance's /login interface.
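As an added example (not BeyondTrust's code), the following Python parses each exported keytab and checks that the SPNs it contains follow the three placement rules above, so a keytab can be inspected before it is uploaded in the Kerberos Keytab step. The realm names, hostnames and keys are constructed fixtures; the file layout is the MIT v2 keytab format (05 02 header) that ktpass and the MIT/Heimdal tools produce.

```python
"""Check exported keytabs against the SPN placement rules for multiple realms.

Added example, not BeyondTrust code. Realms, hostnames and keys below are
constructed fixtures; the byte layout is the MIT v2 (0x0502) keytab format.
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_AES256_SHA1 = 18     # aes256-cts-hmac-sha1-96 (ktpass /crypto AES256-SHA1)


def _counted(raw: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries, timestamp=None):
    """Build a v2 keytab from (principal, kvno, enctype, key) tuples.

    Constructed stand-in for a ktpass export so the checker can run offline.
    """
    stamp = int(time.time()) if timestamp is None else timestamp
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")           # e.g. ["HTTP", "support.dmz.example"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, stamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)        # optional 32-bit vno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return one dict per key entry: principal, realm, components, name_type, kvno, enctype."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab (expected 05 02 header)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                           # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode())
        name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                     # 32-bit vno present; it overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        realm = realm.decode()
        entries.append({"principal": "/".join(components) + "@" + realm, "realm": realm,
                        "components": components, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_spn_placement(keytabs, rep_realms, dmz_realm=None, trust=False):
    """Apply the three rules from step 1 to the SPNs found in the exported keytabs.

    rep_realms: realms the representatives belong to; dmz_realm: the DMZ realm, if any;
    trust: whether the representatives' realms trust each other (no-DMZ case).
    Returns a list of problems; an empty list means the placement matches the rules.
    """
    spns_by_realm, problems = {}, []
    for blob in keytabs:
        for e in parse_keytab(blob):
            if e["name_type"] != KRB5_NT_PRINCIPAL or len(e["components"]) < 2:
                problems.append(f"{e['principal']}: not a service/host SPN")
            spns_by_realm.setdefault(e["realm"], set()).add(e["principal"])
    realms_with_spn = set(spns_by_realm)
    if dmz_realm:
        if realms_with_spn != {dmz_realm}:
            problems.append(f"DMZ realm present: SPN must be in {dmz_realm} only, found {sorted(realms_with_spn)}")
    elif not trust:
        missing = set(rep_realms) - realms_with_spn
        if missing:
            problems.append(f"no trust between realms: each realm needs its own SPN, missing {sorted(missing)}")
    elif len(realms_with_spn) != 1 or not realms_with_spn <= set(rep_realms):
        problems.append(f"trusted realms: register one SPN in a single realm, found {sorted(realms_with_spn)}")
    for realm, spns in spns_by_realm.items():
        if len(spns) > 1:                      # one unique SPN per realm under every rule
            problems.append(f"{realm}: expected one unique SPN, found {sorted(spns)}")
    return problems


if __name__ == "__main__":
    rep = ["CORP.EXAMPLE", "EMEA.CORP.EXAMPLE"]   # constructed representative realms
    dmz_kt = build_keytab([("HTTP/support.dmz.example@DMZ.EXAMPLE", 3, ENCTYPE_AES256_SHA1, b"\x11" * 32)])
    print(check_spn_placement([dmz_kt], rep, dmz_realm="DMZ.EXAMPLE"))
```

Run it against the real keytab files (`open(path, "rb").read()`) with the realms and trust situation of your own deployment; a non-empty list means the SPN set does not match the rule for that topology and should be corrected before the keytabs are imported.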

Kerberos Keytab

  4. Go to Users & Security > Kerberos Keytab.
  5. Under Import Keytab, click Choose File, and then select the exported keytab to upload. The SPN should now appear in the list of Configured Principals.
  6. Repeat the previous step for each exported keytab.
Add Security Provider

  7. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.
  8. Create a unique name to help identify this provider.
  9. Be sure to check the Enabled box.
  10. Choose whether to synchronize display names.
  11. Optionally, select to remove the REALM portion from the User Principal Name (UPN) when constructing the BeyondTrust username. With multiple realms, stripping the realm means identically named principals in different realms (for example jdoe@REALM1 and jdoe@REALM2) produce the same BeyondTrust username, so leave this unchecked unless the UPN prefixes are unique across all realms.
  12. If using a DMZ realm, or if the same SPN serves multiple realms, match on user principal name (UPN) to identify users from the first realm; the SPN alone cannot tell users from different realms apart.
  13. If you registered multiple SPNs, choose the SPN that users from the first realm will use.
  14. Optionally, select a default group policy for users who authenticate against this Kerberos server.
  15. Click Save to save this security provider configuration.
  16. Repeat steps 7 through 15 for each realm from which users will authenticate, substituting the UPN or SPN rule for each realm as appropriate.