How To Configure Kerberos Authentication
- Updated on 27 Oct 2023
- 3 Minutes to read
Introduction
Traditionally, a user has always been required to enter their username and password in order to log in to RapidIdentity. Customers may deem this process redundant when a user has already logged into their domain-joined Windows workstation.
Kerberos Authentication is supported in RapidIdentity 3.5 for On-Premise and 2022.4.5 for Cloud; verify that you are running a version that supports Kerberos Authentication. Once configured, a user logging in from a domain-joined Windows workstation is no longer required to enter a username and password.
Prerequisites
Prior to attempting to configure Kerberos Authentication, you should complete the following tasks:
- Ensure that you are licensed for Kerberos Authentication.
- When using RapidIdentity Cloud, install an Identity Bridge, configuring TCP port 88 at a minimum. (This is the Kerberos v5 port; Kerberos v4 is not recommended.)
Active Directory Configuration
- Create a user in Active Directory to handle Kerberos Authentication. The only requirements for this Service Account User are:
  - Select the option to prevent the user from changing their password
  - Select the option to indicate that the user's password never expires
  - Select the option to not require Kerberos pre-authentication
- In PowerShell, execute the following command:
  - setspn -a HTTP/{RapidIdentityURL} {KerberosUsername}
  - RapidIdentityURL: The FQDN of your RapidIdentity server, for example, "idauto.us001-rapididentity.com"
  - KerberosUsername: The username created in step 1 of this section.
- RapidIdentity Cloud customers using a Vanity URL must execute the command a second time with the Vanity URL:
  - setspn -a HTTP/{RapidIdentityVanityURL} {KerberosUsername}
  - RapidIdentityVanityURL: The Vanity URL of your RapidIdentity server, for example, "vanity.idauto.us001-rapididentity.com"
  - KerberosUsername: The username created in step 1 of this section.
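Registering the SPNs and confirming the account prerequisites can be done in the same PowerShell session; the following is an added example, not code from the RapidIdentity documentation. It assumes the ActiveDirectory RSAT module is installed and uses placeholder values (the account name svc-rapididentity and the example FQDNs from this section).

```powershell
# Added example, not part of the RapidIdentity documentation: register the HTTP
# SPNs from the steps above and verify the service account meets the stated
# requirements. Account name and host names below are assumed placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-rapididentity'            # the user created in step 1 (placeholder)
$Hosts = @(
    'idauto.us001-rapididentity.com'             # {RapidIdentityURL}
    'vanity.idauto.us001-rapididentity.com'      # {RapidIdentityVanityURL}; drop if you have no Vanity URL
)

foreach ($h in $Hosts) {
    $spn = "HTTP/$h"
    # An SPN registered on two accounts breaks Kerberos for that service, so query
    # the forest first. (setspn -S performs this duplicate check while adding.)
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered on:"
        $query | Where-Object { $_ -like 'CN=*' } | ForEach-Object { Write-Warning "  $_" }
    } else {
        setspn -a $spn $ServiceAccount
    }
}

# Report any duplicate SPNs anywhere in the forest.
setspn -X

# Confirm the three account options required in step 1 and list the SPNs now held.
$acct = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames,
        PasswordNeverExpires, CannotChangePassword, DoesNotRequirePreAuth

$checks = [ordered]@{
    'User cannot change password'    = $acct.CannotChangePassword
    'Password never expires'         = $acct.PasswordNeverExpires
    'Kerberos pre-auth not required' = $acct.DoesNotRequirePreAuth
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK     ' } else { 'MISSING' }
    Write-Host ("[{0}] {1}" -f $state, $c.Key)
}
Write-Host 'SPNs on account:'
$acct.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }

# Because pre-authentication is disabled, this account's AS-REP can be requested
# without its password and attacked offline; mitigate with a long random password
# and alert on logons by this account from unexpected hosts.
```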
Group Policy Configuration
Certain configuration changes need to be made on each Windows workstation to support Kerberos Authentication. Rather than manage these individually, a group policy can be configured to automate that process.
- Add your RapidIdentity URL to the Intranet Sites list
  - User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge > Internet Control Panel > Security Page > Site to Zone Assignments List
  - Set this policy to Enabled
  - Add an assignment for your RapidIdentity server to Intranet Sites, for example:
    - Value Name: https://my.example.com
    - Value: 1
- Create a batch script (see the template below) that configures Firefox, and store it in \\test.local\NETLOGON\kerberos.bat
- Set the Group Policy to run this batch script on user logon
  - Computer Configuration > Policies > Windows Settings > Scripts > Startup
Firefox Batch Script
@echo off
REM Append the Kerberos (SPNEGO) trust settings to every Firefox profile that
REM does not already contain them. Must run in the user's context so that
REM %APPDATA% resolves to that user's profile directory.
REM "*.default*" matches both legacy "*.default" and current "*.default-release"
REM profile folders.
FOR /F "tokens=*" %%R IN ('dir /B /AD "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO CALL :write_settings %%R
GOTO :EOF

:write_settings
REM Skip profiles that have never been started (no prefs.js yet)
>nul DIR "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js" /A /B
if ERRORLEVEL 1 GOTO :EOF
REM Configure the prefs.js file only if it hasn't already been configured
>nul find "my.example.com" "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js" || (
    echo user_pref^("network.negotiate-auth.trusted-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
    echo user_pref^("network.negotiate-auth.delegation-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
    echo user_pref^("network.automatic-ntlm-auth.trusted-uris", "https://my.example.com"^); >> "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
)
REM Clear the archive attribute on the edited file
ATTRIB -A "%APPDATA%\Mozilla\Firefox\Profiles\%1\prefs.js"
GOTO :EOF
Appliance Configuration (For RapidIdentity On-Premise Only)
- The RapidIdentity Appliance must be able to resolve your domain through DNS. Ideally, your appliance will be configured to use your domain controllers for DNS. Alternatively, you can configure your hosts file to point to your domain; however, your appliance will then be limited to using only one domain controller for Kerberos Authentication.
- In RapidIdentity Appliance Configuration (idauto-apps), navigate to Core Configuration > Authentication > Kerberos Configuration and configure the following parameters with your values:
  - Domain: test.local
  - KDC Address: test.local
  - Service Principal: HTTP/my.example.com@test.local
  - Service Principal Password: The password of the Service Account User created in step 1 of Active Directory Configuration
- In RapidIdentity Appliance Configuration (idauto-apps), navigate to Core Configuration > Authentication and create an authentication policy for Kerberos Authentication:
  - Criteria > Kerberos > Enabled: Checked
  - Authentication Methods > Kerberos > Required: Checked
  - Note: Additional authentication methods (such as TOTP) can be enabled alongside Kerberos to require a further factor.
Current Limitations
- Cloud Hosted Active Directories: It is currently unsupported to attempt Kerberos Authentication against a Cloud Hosted Active Directory.
- UPN Suffix: It is currently unsupported to attempt Kerberos Authentication using UPN Suffixes.
- Trusts: It is currently unsupported to attempt Kerberos Authentication against a trusted domain.
- Multiple Domains: It is currently unsupported to attempt Kerberos Authentication against multiple domains.