Security Provider Integration Kerberos Authentication


Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC:4/19/2015

Table of Contents

Configure the Bomgar Appliance for Kerberos Authentication
  Prerequisites
  Kerberos Security Provider Settings
  SPN Use in Bomgar Software
Network Setup Examples
  Network Setup Example 1: Kerberos KDC
  Network Setup Example 2: Kerberos KDC and LDAP Server, Same Network
  Network Setup Example 3: Kerberos KDC and LDAP Server, Separate Networks
  Network Setup Example 4: Kerberos KDC, Multiple Realms

CONTACT BOMGAR info@bomgar.com 866.205.3650 (US) +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM

Configure the Bomgar Appliance for Kerberos Authentication

Bomgar supports single sign-on functionality using the Kerberos authentication protocol, enabling users to authenticate to their Bomgar user accounts without having to enter credentials. This document details methods for integrating the Bomgar Appliance in some typical Kerberos/networking configurations.

This document is intended to be used by trained individuals with a working knowledge of Kerberos. It is assumed that you either have an existing implementation of Kerberos deployed or are in the process of deploying one. As there are many possible Kerberos configurations, this document serves only as a guide for standard implementations.

Prerequisites

Prior to integrating the Bomgar Appliance with your Kerberos configuration, ensure that the following requirements are met:

- Your Bomgar Appliance must have Enterprise licensing (if running Bomgar software prior to 14.2).
- You must have a working Kerberos Key Distribution Center (KDC).
- Clocks must be synchronized across all clients, the KDC, and the Bomgar Appliance. Using the Network Time Protocol (NTP) is the recommended method of synchronization.
- You must have a service principal created on the KDC for your Bomgar Appliance.

Kerberos Security Provider Settings

The most appropriate configuration for your Kerberos security provider depends on your overall authentication and network infrastructure, as well as where your Bomgar Appliance is located in your network. The examples in the following section demonstrate typical setups, while the list below explains each of the Kerberos security provider options.

Keep display name synchronized with remote system
    If selected, a Kerberos-authenticated user's display name will be that of his or her User Principal Name. If deselected, display names can be edited locally on the Bomgar Appliance.

User Handling Mode
    Allow all users: Allows anyone who currently authenticates via your KDC to log into your Bomgar Appliance.
    Allow only user principals specified in the list: Allows only specified user principals to log into your Bomgar Appliance.
    Allow only user principals that match the regex: Allows only user principals who match a Perl-compatible regular expression (PCRE) to log into your Bomgar Appliance.

SPN Handling Mode
    Allow all SPNs: Allows all configured Service Principal Names (SPNs) for this security provider.
    Allow only SPNs specified in the list: Allows only specific SPNs selected from a list of currently configured SPNs.

Default Policy
    Select a group policy as the default for users authenticating against this Kerberos security provider.

SPN Use in Bomgar Software

Browsers may use different methods to canonicalize the hostname for a site, including performing a reverse lookup of the IP of the hostname specified in the URL. The SPN canonicalization of this address may cause the browser to request an SPN based on an internal hostname rather than the appliance hostname. For example, a Bomgar site built as hostname support.example.com may ultimately resolve to the hostname internal.example.com:

    support.example.com -> 10.0.0.1 -> 1.0.0.10.in-addr.arpa -> internal.example.com

The Bomgar software expects the SPN in the form of HTTP/ followed by the hostname configured in the Bomgar software during purchase or upgrade (HTTP/support.example.com). If the browser canonicalizes the hostname to an internal hostname and uses that hostname for the SPN (HTTP/internal.example.com), authentication will fail unless you have registered SPNs for both HTTP/internal.example.com and HTTP/support.example.com and installed them on your Bomgar Appliance.

If SPNs for multiple hostnames are imported, the Bomgar software will use the site hostname to which it was previously able to connect as a client. Therefore, if you are experiencing Kerberos authentication issues, it is advised to import a keytab for each hostname to which the site might canonicalize.
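Before uploading a keytab, it helps to know which principals the appliance will list under Configured Principals and whether one exists for every hostname the site might canonicalize to. The following added Python example is not Bomgar's code and the guide describes no such tooling: it parses an MIT-format keytab (version 0x0502, the format kadmin exports and ktpass can produce), reports which HTTP/<hostname> SPNs are absent, and flags keys that use the legacy RC4-HMAC enctype. The keytab bytes are constructed inside the block with a small builder so it runs offline; the hostnames, the realm EXAMPLE.COM and the key bytes are constructed placeholders.

```python
import struct

# Kerberos enctype numbers: RFC 3962 (AES) and RFC 4757 (RC4-HMAC).
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23
WEAK_ENCTYPES = {RC4_HMAC}


def _counted(raw):
    """MIT keytab counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Build a version-0x0502 MIT keytab from (principal, enctype, key, kvno) tuples.
    Used here only to construct sample input; real keytabs come from ktpass or kadmin."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type 1 (KRB5_NT_PRINCIPAL), timestamp 0, then the 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode(), pos + length


def parse_keytab(data):
    """Return one dict {principal, enctype, kvno, keylen} per live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen  # the key bytes are skipped, never stored or printed
        kvno = vno8
        if end - pos >= 4:  # the 32-bit kvno, when present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "keylen": keylen})
    return entries


def check_keytab(data, hostnames):
    """Report HTTP/<hostname> SPNs absent from the keytab and principals keyed with weak enctypes."""
    entries = parse_keytab(data)
    present = {e["principal"].split("@", 1)[0] for e in entries}
    missing = [h for h in hostnames if "HTTP/" + h not in present]
    weak = sorted({e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES})
    return {"missing": missing, "weak": weak, "count": len(entries)}


# Constructed sample: a keytab exported for the site hostname only, carrying an AES256
# key and a legacy RC4 key. The key bytes are placeholders, not real key material.
SAMPLE_KEY = bytes(range(32))
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/support.example.com@EXAMPLE.COM", AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY, 3),
    ("HTTP/support.example.com@EXAMPLE.COM", RC4_HMAC, SAMPLE_KEY[:16], 3),
])
# Every hostname the site might canonicalize to, following the resolution chain above.
SITE_HOSTNAMES = ["support.example.com", "internal.example.com"]

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KEYTAB, SITE_HOSTNAMES))
```

Run against a real export, `check_keytab(open("site.keytab", "rb").read(), SITE_HOSTNAMES)` returns the hostnames still needing an SPN and keytab import; an empty `missing` list for every hostname in the chain is the condition the section above asks for.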

Network Setup Examples

Network Setup Example 1: Kerberos KDC

For this example:

- The Bomgar Appliance may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the Bomgar Appliance.
- Representatives belong as members to a Kerberos realm.
- Representatives can communicate with their KDC (typically over port 88 UDP).

Configuration

1. On the Kerberos KDC, register an SPN for your Bomgar Appliance hostname and then export the keytab for this SPN from your KDC.
2. Log into your Bomgar Appliance's /login interface.
3. Go to Users & Security > Kerberos Keytab.
4. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
5. Go to Users & Security > Security Providers. From the dropdown, select Kerberos. Then click Create Provider.
6. Create a unique name to help identify this object.
7. Be sure to check the Enabled box.
8. Choose if you want to synchronize display names.
9. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
10. For User Handling Mode, select Allow all users.
11. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
12. You may also select a default group policy for users who authenticate against this Kerberos server.
13. Click Save Changes to save this security provider configuration.

Network Setup Example 2: Kerberos KDC and LDAP Server, Same Network

For this example:

- The Bomgar Appliance may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the Bomgar Appliance.
- Representatives belong as members to a Kerberos realm.
- Representatives can communicate with their KDC (typically over port 88 UDP).
- An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.
- The Bomgar Appliance can directly communicate with the LDAP server.

Configuration

1. On the Kerberos KDC, register an SPN for your Bomgar Appliance hostname and then export the keytab for this SPN from your KDC.
2. Log into your Bomgar Appliance's /login interface.
3. Go to Users & Security > Security Providers. From the dropdown, select LDAP. Then click Create Provider.
4. Create a unique name to help identify this object.
5. Be sure to check the Enabled box.
6. Choose if you want to synchronize display names.
7. For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.
8. Continue to configure the settings for this LDAP server.
9. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.
10. Click Save Changes to save this security provider configuration.
11. Go to Users & Security > Kerberos Keytab.
12. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
13. Go to Users & Security > Security Providers. From the dropdown, select Kerberos. Then click Create Provider.
14. Create a unique name to help identify this object.
15. Be sure to check the Enabled box.
16. Choose if you want to synchronize display names.
17. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
18. For User Handling Mode, select Allow all users.
19. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
20. In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.
21. You may also select a default group policy for users who authenticate against this Kerberos server.
22. Click Save Changes to save this security provider configuration.

For more information about configuring an LDAP group security provider, see the LDAP configuration guide provided at www.bomgar.com/docs.

Network Setup Example 3: Kerberos KDC and LDAP Server, Separate Networks

For this example:

- The Bomgar Appliance may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the Bomgar Appliance.
- Representatives belong as members to a Kerberos realm.
- Representatives can communicate with their KDC (typically over port 88 UDP).
- An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.
- The Bomgar Appliance cannot directly communicate with the LDAP server.

Configuration

1. On the Kerberos KDC, register an SPN for your Bomgar Appliance hostname and then export the keytab for this SPN from your KDC.
2. Log into your Bomgar Appliance's /login interface.
3. Go to Users & Security > Security Providers. From the dropdown, select LDAP. Then click Create Provider.
4. Create a unique name to help identify this object.
5. Be sure to check the Enabled box.
6. Choose if you want to synchronize display names.
7. For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.
8. Continue to configure the settings for this LDAP server.
9. Because the LDAP server does not have direct communication with the Bomgar Appliance, check the option Proxy from appliance through the Connection Agent.
10. Create a password for the connection agent.
11. Click Download Connection Agent to install the agent on a system behind your firewall. When installing the connection agent, provide the name and password you created for this LDAP server.
12. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.
13. Click Save Changes to save this security provider configuration.
14. Go to Users & Security > Kerberos Keytab.
15. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
16. Go to Users & Security > Security Providers. From the dropdown, select Kerberos. Then click Create Provider.
17. Create a unique name to help identify this object.
18. Be sure to check the Enabled box.
19. Choose if you want to synchronize display names.
20. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
21. For User Handling Mode, select Allow all users.
22. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.
23. In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.
24. You may also select a default group policy for users who authenticate against this Kerberos server.
25. Click Save Changes to save this security provider configuration.

For more information about configuring an LDAP group security provider, see the LDAP configuration guide provided at www.bomgar.com/docs.
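Examples 2 and 3 both require a User Query that ties the User Principal Name from the ticket to exactly one LDAP entry. The added Python example below is not Bomgar's code and does not reproduce the appliance's query syntax, which the guide does not show; it models the query as an LDAP search filter, escapes the UPN per RFC 4515 before it is placed in the filter, and checks the single-entry requirement against a small in-memory directory constructed inside the block. The attribute name userPrincipalName, the DNs, the group names and the UPNs are constructed sample values.

```python
import re

# RFC 4515 escapes for the characters that are special inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally when placed inside a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def upn_filter(upn, attribute="userPrincipalName"):
    """Build the user query for a UPN taken from a Kerberos ticket. The attribute name is
    an assumption; Active Directory stores the UPN in userPrincipalName."""
    return "(" + attribute + "=" + escape_filter_value(upn) + ")"


def _value_matches(pattern, actual):
    """Evaluate one filter value the way a server would: an unescaped '*' is a wildcard,
    a backslash-hex pair is a literal character, and comparison is case-insensitive
    (AD treats userPrincipalName case-insensitively)."""
    literal_parts = [
        re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)
        for part in pattern.split("*")
    ]
    regex = "^" + ".*".join(re.escape(p) for p in literal_parts) + "$"
    return re.match(regex, actual, re.IGNORECASE) is not None


def search(directory, ldap_filter):
    """Minimal equality-filter evaluator over an in-memory directory, standing in for a
    real LDAP search so the behaviour of the query can be shown offline."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attribute, pattern = m.groups()
    return [e for e in directory if attribute in e and _value_matches(pattern, e[attribute])]


def lookup_single_entry(directory, upn):
    """The guide's requirement: the query must tie the UPN to exactly one entry.
    Returns that entry, or None when zero or several entries match."""
    hits = search(directory, upn_filter(upn))
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory (not from the guide).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Reps,DC=corp,DC=example,DC=com",
     "userPrincipalName": "alice@CORP.EXAMPLE.COM", "memberOf": ["CN=Support Reps"]},
    {"dn": "CN=Bob,OU=Reps,DC=corp,DC=example,DC=com",
     "userPrincipalName": "bob@CORP.EXAMPLE.COM", "memberOf": ["CN=Support Reps"]},
    {"dn": "CN=Carol,OU=Reps,DC=eu,DC=example,DC=com",
     "userPrincipalName": "carol@EU.EXAMPLE.COM", "memberOf": ["CN=EU Reps"]},
]

if __name__ == "__main__":
    print(upn_filter("alice@CORP.EXAMPLE.COM"))
    print(lookup_single_entry(DIRECTORY, "alice@CORP.EXAMPLE.COM")["dn"])
    # A wildcard in the ticket's UPN is escaped, so it cannot widen the query:
    print(lookup_single_entry(DIRECTORY, "*@CORP.EXAMPLE.COM"))
```

The contrast worth noting is between `search(DIRECTORY, "(userPrincipalName=*@CORP.EXAMPLE.COM)")`, which returns two entries because the raw `*` is a wildcard, and `upn_filter("*@CORP.EXAMPLE.COM")`, which escapes it to `\2a` and matches nothing: the value from the ticket should always go through the escaping step, and a query that returns zero or several entries fails the single-entry requirement.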

Network Setup Example 4: Kerberos KDC, Multiple Realms

For this example:

- The Bomgar Appliance may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the Bomgar Appliance.
- Representatives may belong as members of multiple Kerberos realms existing in the corporate infrastructure (traditionally, a multi-domain hierarchy in Windows).
- If a DMZ realm exists, the representatives' realms may have inbound trusts with that DMZ realm, allowing principals in the trusted realms to obtain tickets for services in the DMZ realm.

Configuration

1. Register one or more SPNs according to the following rules:
   - If a DMZ Kerberos realm is involved, register a unique SPN within the DMZ realm.
   - If no DMZ Kerberos realm is involved and no trust exists between the two realms, register a unique SPN in each realm.
   - If no DMZ Kerberos realm is involved and trust exists between the two realms, register a unique SPN in a realm of your choosing.
2. Export all registered SPNs.
3. Log into your Bomgar Appliance's /login interface.
4. Go to Users & Security > Kerberos Keytab.
5. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
6. Repeat the previous step for each exported keytab.
7. Go to Users & Security > Security Providers. From the dropdown, select Kerberos. Then click Create Provider.
8. Create a unique name to help identify this object.
9. Be sure to check the Enabled box.
10. Choose if you want to synchronize display names.
11. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
12. If using a DMZ realm or using the same SPN for multiple realms, you will want to match on User Principal Name to identify users from the first realm.
13. If you registered multiple SPNs, choose the SPN that users from the first realm will use.
14. You may also select a default group policy for users who authenticate against this Kerberos server.
15. Click Save Changes to save this security provider configuration.
16. Repeat steps 7 through 15 for each realm from which users will authenticate, substituting the UPN or SPN rule for each realm as appropriate.
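The User Handling Mode and SPN Handling Mode options described under Kerberos Security Provider Settings are what the per-realm providers in this example rely on to tell realms apart. The added Python example below is not Bomgar's code: it models several Kerberos security providers as the guide configures them (one per realm, with a UPN rule, an optional SPN list, the REALM-stripping option and a default policy) and resolves which provider accepts a given ticket. Two points it makes that the steps alone do not: a regex rule should be anchored with ^ and $ so a lookalike realm suffix is not accepted, and stripping the REALM portion in more than one provider can map distinct UPNs onto the same Bomgar username. The provider names, realms, SPNs, policies and the assumption that the regex is applied as an unanchored search are all constructed for this example.

```python
import re

# Constructed providers (not from the guide). Each dict models one Kerberos security
# provider as configured under Users & Security > Security Providers, one per realm.
# allowed_spns None models "allow all SPNs"; a list models "allow only SPNs in the list".
PROVIDERS = [
    {"name": "Kerberos CORP", "enabled": True,
     "user_handling_mode": "regex", "regex": r"^[a-z][a-z0-9.]*@CORP\.EXAMPLE\.COM$",
     "allowed_spns": None, "strip_realm": True, "default_policy": "corp-reps"},
    {"name": "Kerberos EU", "enabled": True,
     "user_handling_mode": "regex", "regex": r"^[a-z][a-z0-9.]*@EU\.EXAMPLE\.COM$",
     "allowed_spns": ["HTTP/support.example.com@DMZ.EXAMPLE.COM"],
     "strip_realm": True, "default_policy": "eu-reps"},
    {"name": "Kerberos contractors", "enabled": False,
     "user_handling_mode": "list", "allowed_principals": ["vendor1@EXT.EXAMPLE.COM"],
     "allowed_spns": None, "strip_realm": False, "default_policy": "contractors"},
]


def upn_allowed(provider, upn):
    """Apply the provider's User Handling Mode to the UPN from the ticket."""
    mode = provider["user_handling_mode"]
    if mode == "all":
        return True
    if mode == "list":
        return upn in provider["allowed_principals"]
    if mode == "regex":
        # Assumption: an unanchored PCRE-style search. Anchor the pattern with ^ and $
        # so that "admin" does not also accept "notadmin@..." or a longer realm suffix.
        return re.search(provider["regex"], upn) is not None
    raise ValueError("unknown user handling mode: " + repr(mode))


def spn_allowed(provider, spn):
    """Apply the provider's SPN Handling Mode to the SPN the ticket was issued for."""
    return provider["allowed_spns"] is None or spn in provider["allowed_spns"]


def bomgar_username(provider, upn):
    """Construct the Bomgar username, optionally removing the REALM portion."""
    return upn.rsplit("@", 1)[0] if provider["strip_realm"] else upn


def resolve(upn, spn, providers=PROVIDERS):
    """Return (provider name, Bomgar username, default policy) for the first enabled
    provider whose UPN and SPN rules both accept the ticket, or None."""
    for provider in providers:
        if provider["enabled"] and upn_allowed(provider, upn) and spn_allowed(provider, spn):
            return provider["name"], bomgar_username(provider, upn), provider["default_policy"]
    return None


def username_collisions(tickets, providers=PROVIDERS):
    """Distinct UPNs that map to the same Bomgar username, which happens when several
    realms strip the REALM portion: alice@CORP... and alice@EU... both become 'alice'."""
    by_username = {}
    for upn, spn in tickets:
        result = resolve(upn, spn, providers)
        if result is not None:
            by_username.setdefault(result[1], []).append(upn)
    return {name: upns for name, upns in by_username.items() if len(upns) > 1}


# Constructed SPNs: one registered in the CORP realm, one in a DMZ realm.
CORP_SPN = "HTTP/support.example.com@CORP.EXAMPLE.COM"
DMZ_SPN = "HTTP/support.example.com@DMZ.EXAMPLE.COM"

if __name__ == "__main__":
    print(resolve("alice@CORP.EXAMPLE.COM", CORP_SPN))
    print(resolve("alice@EU.EXAMPLE.COM", CORP_SPN))  # EU provider accepts only the DMZ SPN
    print(username_collisions([("alice@CORP.EXAMPLE.COM", CORP_SPN),
                               ("alice@EU.EXAMPLE.COM", DMZ_SPN),
                               ("bob@CORP.EXAMPLE.COM", CORP_SPN)]))
```

Running `username_collisions` over the list of UPNs you expect to see is a cheap way to decide whether the REALM-stripping option in step 11 is safe for every realm, or whether some providers should keep the realm in the username.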