How to configure Kerberos Authentication on a Clearswift Secure Web Gateway for different Windows environments

To enable Kerberos user authentication on a Clearswift Secure Web Gateway for different Windows environments, complete the following steps:

1. Create a service-user account in Active Directory

– User logon name: HTTP/FQDN_OF_APPLIANCE

– User logon name (pre-Windows 2000): for example svc_123

– Check “User cannot change password”

– Check “Password never expires”

Only for Windows Server 2008 / Windows 7 environments:

– Check “This account supports Kerberos AES 256 bit encryption”

– Check “Account expires: Never”

2. Create a Keytab-File

– Open a DOS command prompt on a Windows domain controller and enter the following command for a Windows Server 2008 / Windows 7 environment:

ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_Principal -pass COMPLEX_PASSWORD -out C:/keytabfile.key

– Use this command for a Windows Server 2008 / 2003 – Windows 7 / Windows XP mixed environment:

ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_Principal -pass COMPLEX_PASSWORD -out C:/keytabfile.key

Make sure that the DOMAIN is written in capital letters!

3. Upload Keytab-File and configure CSWG

CSWG: System – Proxy Settings – Authentication Settings

– User Authentication is Enabled

– Your users will be asked for authentication details.

– The Web Proxy will respond to Kerberos protocol only.

– The Web Proxy will reject responses made using other protocols.

– Kerberos Distribution Center

– The Kerberos Distribution Center is located at “FQDN_OF_DOMAINCONTROLLER”

– Kerberos Key Tab File

– Upload the Keytab-File

– Apache Access Log is Enabled

– Apache access logs are being generated by the Web Gateway.

4. Test authentication

– Enter “Domain User Name”

– Enter “User Password”

– Run Test

You should now get a “successfully authenticated” message.
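
The keytab written in step 2 can be checked offline before it is uploaded in step 3: principal name, capital-letter realm and encryption type are all stored in the file. The following Python script is an added example, not part of the original article or of Clearswift's tooling; it assumes the file uses the MIT keytab layout (version bytes 05 02), and the function names and the sample host swg.example.test are made up for illustration.

```python
import struct
AES256, RC4 = 18, 23  # Kerberos enctype numbers behind AES256-SHA1 and RC4-HMAC-NT

def _counted(data, p):
    """Read one 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return (principal, realm, enctype) for every entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab (expected version bytes 05 02)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative size marks a deleted slot, skipped below
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            parts = []
            for _ in range(ncomp):
                part, p = _counted(data, p)
                parts.append(part.decode())
            (etype,) = struct.unpack_from(">H", data, p + 9)  # after name type, time, kvno
            entries.append(("/".join(parts), realm.decode(), etype))
        pos += abs(size)  # the key bytes are never read or printed
    return entries

def check_keytab(data, spn, enctype):
    """Return a list of problems; an empty list means the keytab is as expected."""
    entries = parse_keytab(data)
    problems = [] if entries else ["keytab contains no entries"]
    for name, realm, etype in entries:
        checks = [(realm == realm.upper(), f"realm {realm!r} is not in capital letters"),
                  (name.lower() == spn.lower(), f"principal {name!r} is not {spn!r}"),
                  (etype == enctype, f"enctype {etype} is not the expected {enctype}")]
        problems += [msg for ok, msg in checks if not ok]
    return problems

def sample_keytab(realm, host, etype, kvno=3):
    """Constructed sample: one HTTP/<host> entry with an all-zero dummy key."""
    f = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + f(realm.encode()) + f(b"HTTP") + f(host.encode())
            + struct.pack(">IIBH", 1, 0, kvno, etype) + f(bytes(32)) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    bad = sample_keytab("example.test", "swg.example.test", RC4)
    print(check_keytab(bad, "HTTP/swg.example.test", AES256))
```

To check a real file, read C:/keytabfile.key in binary mode and pass its bytes to check_keytab together with the principal and the encryption type used in the ktpass command.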
