Configuring DataNow Kerberos SSO

Version 1

    Verified Product Versions

    AppSense DataNow 3.6
    AppSense DataNow 4.0

    Introduction

    It is possible to configure the DataNow Windows client to log in silently at Windows logon using Kerberos authentication. This is required when using smart-card logins, or when NTLM authentication is not available.

    NOTE: This requires some prerequisite steps, detailed below, to configure the appliance and the environment to support Kerberos authentication.

    • The clocks on the endpoint, domain controller, DataNow appliance and file server(s) must be within 5 minutes of each other (the default Kerberos tolerance)
    • The endpoint must be able to authenticate against the domain controller at Windows logon - this means that remote users must establish a VPN tunnel before Windows logon
    • The file server(s) must have a reverse (PTR) DNS record that matches the associated A record
    • DataNow client and server versions must be at least 3.6 Update 2

    Detail

    In order to utilise Kerberos authentication against the DataNow appliance, Active Directory needs to be configured with a user account that allows:

    • The Kerberos keytab to be acquired from a user account, so that the server can trust the authorised user to access it.
    • Pre-authentication checks to be performed.
    • The Kerberos Ticket Granting services, which are part of Active Directory, to determine the 'service principal' used to access the DataNow appliance and obtain a ticket that can be used to establish an authorised connection to the DataNow appliance.
    • The re-use of service tickets sent to the platform, so that the service can access data on the user's behalf (Kerberos Constrained Delegation).

    1. Create a pre-authentication account in Active Directory for the DataNow Appliance (e.g. acme\dnkcduser)

      TIP: This account does not need elevated/administrative privileges. We recommend configuring the account so that the password cannot be changed and never expires. This is a safeguard against having to reconfigure the platform with new credentials; it is not strictly necessary, but it is advised.

    2. Create a DNS record for the DataNow appliance, e.g. rpdn.acme.net. Access via IP address will not work with Kerberos authentication.
    3. From a command prompt on an Active Directory server, associate the pre-auth user account with the DataNow Service Principal Name (SPN) using the setspn command:

      setspn -A http/<fqdn> <domain\user>

      Example:

      setspn -A http/rpdn.acme.net acme\dnkcduser

    4. Using the Active Directory Users and Computers utility, find the pre-auth account, select Properties, and select the Delegation tab. Select the Trust this user for delegation to any service option and select OK. (The Delegation tab is not available until the SPN from the previous step has been added.)

      NOTE: This ensures that the DataNow appliance is authorised to utilise the Kerberos ticket forwarded to it by the DataNow client or web browser, so that it can reuse the user's identity to access file service resources.
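    The PowerShell function below is an added example, not code from the DataNow article or from AppSense. It checks the results of steps 1 to 4 and the prerequisites list from an Active Directory server or any machine with the RSAT ActiveDirectory module: the pre-auth account exists and is hardened as the TIP recommends, the http/<fqdn> SPN is registered on it and on no other object, the account carries the trusted-for-delegation flag that the "any service" option on the Delegation tab sets, the appliance has an A record, and each file server's PTR record matches its A record. The function name, parameter names and sample values (dnkcduser, rpdn.acme.net, fs1.acme.net) are assumptions chosen to match the article's own examples.

```powershell
# Added example, not part of the DataNow article: checks the Active Directory and DNS
# prerequisites set up in steps 1-4 for a given pre-auth account and appliance FQDN.
# Assumptions: the RSAT ActiveDirectory module is installed and the caller can read
# the domain; the function name, parameter names and sample values (dnkcduser,
# rpdn.acme.net, fs1.acme.net) are chosen to match the article's own examples.
function Test-DataNowKerberosPrereqs {
    param(
        [Parameter(Mandatory)] [string] $PreAuthAccount,   # sAMAccountName, e.g. dnkcduser
        [Parameter(Mandatory)] [string] $ApplianceFqdn,    # e.g. rpdn.acme.net
        [string[]] $FileServerFqdn = @()                   # file servers that need matching A and PTR records
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    $spn = "http/$ApplianceFqdn"

    # Step 1: the pre-auth account exists and is hardened as the TIP recommends.
    $props = 'ServicePrincipalNames', 'TrustedForDelegation', 'PasswordNeverExpires', 'CannotChangePassword', 'Enabled'
    $user  = Get-ADUser -Identity $PreAuthAccount -Properties $props -ErrorAction Stop
    Add-Result 'Account enabled'             $user.Enabled              $user.DistinguishedName
    Add-Result 'Password never expires'      $user.PasswordNeverExpires 'Recommended in the TIP under step 1'
    Add-Result 'User cannot change password' $user.CannotChangePassword 'Recommended in the TIP under step 1'

    # Step 3: the SPN is registered on this account and on no other object; a duplicate
    # SPN leaves the KDC unable to issue tickets for the service.
    $registered = @($user.ServicePrincipalNames)
    Add-Result "SPN $spn on account" ($registered -contains $spn) ('Registered SPNs: ' + ($registered -join ', '))
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    Add-Result 'SPN is unique in the domain' ($holders.Count -eq 1) ('Objects holding it: ' + ($holders.Name -join ', '))

    # Step 4: the "Trust this user for delegation to any service" option sets this flag.
    Add-Result 'Trusted for delegation' $user.TrustedForDelegation 'Delegation tab, step 4'

    # Step 2 and the prerequisites list: the appliance needs an A record (IP access will not
    # work), and every file server needs a PTR record that matches its A record.
    foreach ($name in @($ApplianceFqdn) + $FileServerFqdn) {
        try {
            $a = @(Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' })
            Add-Result "A record for $name" ($a.Count -gt 0) ($a.IPAddress -join ', ')
            if ($name -eq $ApplianceFqdn) { continue }
            foreach ($ip in $a.IPAddress) {
                $ptr   = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop)
                $match = @($ptr.NameHost) | Where-Object { $_.TrimEnd('.') -ieq $name }
                Add-Result "PTR for $ip matches $name" ([bool]$match) ($ptr.NameHost -join ', ')
            }
        } catch {
            Add-Result "DNS lookup for $name" $false $_.Exception.Message
        }
    }

    $results
}

# Usage (sample values from the article):
# Test-DataNowKerberosPrereqs -PreAuthAccount dnkcduser -ApplianceFqdn rpdn.acme.net -FileServerFqdn fs1.acme.net | Format-Table -AutoSize
```

    Each row reports one check with a Pass flag, so a failed delegation setting, a missing PTR record or a duplicate SPN shows up before the appliance is configured in steps 5 to 10. The SPN uniqueness check uses an LDAP search rather than parsing setspn output, so it works the same in any locale.
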
    5. Log on to the DataNow Web Admin Console
    6. In DataNow v4.0 and above, navigate to the Kerberos tab under 'configuration'
    7. In DataNow 3.6 Update 2, navigate to the DataNow Kerberos authentication configuration page by entering the following URL into the browser:
      https://<dn_host_name>:8443/config/kerberos
    8. The following page should now be displayed.

      DataNow 3.6 Update 2:

      DataNow 4.0:

    9. Enter the configuration details:
      1. Pre-auth user and password (created in step 1)
      2. The realm name - usually the DNS name of the domain in upper case, e.g.
        ACME.NET
      3. KDC - the FQDN of the domain Key Distribution Centre (usually the same DNS name as the AD domain controller)

        NOTE: If you are unsure of the KDC name, try running

        nslookup -type=SRV _kerberos._tcp.<domainFQDN>

        from a domain-joined client to get the IP of the KDC, followed by

        ping -a <ip address>

        to get the canonical name of the KDC.

      4. Default domain - the domain in lower case, e.g.
        acme.net

        NOTE: In DataNow 4.0 the Default domain is populated automatically based on the realm name. If this is different, it can be edited afterwards.


    10. Choose a Kerberos maximum token size. A user's current token size can be found using Microsoft's Tokensz tool (https://www.microsoft.com/en-gb/download/details.aspx?id=1448). When choosing this value, consider allowing double the measured size to account for encoding overhead. Avoid choosing an arbitrarily large value, as this portion of the header is reserved in memory, so a large value is less efficient than a smaller one.
    11. To configure a domain-joined (and connected) Windows endpoint to use Kerberos SSO, use Environment Manager or Group Policy (with the DataNow ADMX) to configure either:

    Registry Key: HKLM\Software\AppSense\DataNow
    Value Name: EnableSSO
    Value Type: REG_DWORD
    Value Data: 2

    Or:

    Registry Key: HKLM\Software\Policies\AppSense\DataNow
    Value Name: EnableSSO
    Value Type: REG_DWORD
    Value Data: 2
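
    The script below is an added example, not code from the DataNow article or from AppSense. It serves two passages: the KDC lookup tip under step 9 (the same _kerberos._tcp SRV query, done with Resolve-DnsName) and the endpoint configuration in step 11 (writing EnableSSO = 2 to one of the two registry locations the article lists, then verifying it). It also confirms the clock-skew prerequisite against the discovered KDC and, after the client has logged in, looks in the local ticket cache for a service ticket for the http/<fqdn> SPN from step 3. It assumes an elevated PowerShell session on a domain-joined Windows endpoint; the function names and the sample values (acme.net, rpdn.acme.net) are assumptions chosen to match the article's own examples.

```powershell
# Added example, not part of the DataNow article: sets the EnableSSO value from step 11
# and verifies the endpoint-side prerequisites (KDC discovery from the step 9 tip, clock
# skew, and the cached service ticket). Assumptions: run in an elevated PowerShell on a
# domain-joined Windows endpoint; the function names and sample values (acme.net,
# rpdn.acme.net) are chosen to match the article's own examples.
function Set-DataNowSso {
    param([switch] $UsePolicyKey)   # write the HKLM\Software\Policies location instead of the direct one
    $key = if ($UsePolicyKey) { 'HKLM:\Software\Policies\AppSense\DataNow' } else { 'HKLM:\Software\AppSense\DataNow' }
    New-Item -Path $key -Force | Out-Null                        # creates the key if it is missing
    Set-ItemProperty -Path $key -Name EnableSSO -Value 2 -Type DWord
    (Get-ItemProperty -Path $key -Name EnableSSO).EnableSSO      # read back; should be 2
}

function Get-DataNowKdc {
    param([Parameter(Mandatory)] [string] $DomainFqdn)   # e.g. acme.net
    # PowerShell equivalent of the nslookup tip in step 9: the _kerberos._tcp SRV records name the KDCs.
    Resolve-DnsName -Name "_kerberos._tcp.$DomainFqdn" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, Weight |
        Select-Object @{ n = 'Kdc'; e = { $_.NameTarget } }, Port, Priority
}

function Test-DataNowEndpointSso {
    param(
        [Parameter(Mandatory)] [string] $ApplianceFqdn,   # e.g. rpdn.acme.net
        [Parameter(Mandatory)] [string] $DomainFqdn       # e.g. acme.net
    )
    $results = @()

    # EnableSSO must be 2 in one of the two registry locations listed in step 11.
    $values = foreach ($k in 'HKLM:\Software\Policies\AppSense\DataNow', 'HKLM:\Software\AppSense\DataNow') {
        (Get-ItemProperty -Path $k -Name EnableSSO -ErrorAction SilentlyContinue).EnableSSO
    }
    $results += [pscustomobject]@{ Check = 'EnableSSO = 2'; Pass = (@($values) -contains 2); Detail = "Values found: $($values -join ', ')" }

    # Prerequisite: the clock must be within 5 minutes of the KDC. w32tm prints the offset as e.g. "+00.0123456s".
    $kdc     = (Get-DataNowKdc -DomainFqdn $DomainFqdn | Select-Object -First 1).Kdc
    $target  = "/computer:$kdc"
    $line    = w32tm /stripchart $target /samples:1 /dataonly | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -First 1
    $skew    = if ($line) { [math]::Abs([double] $line.Matches[0].Groups[1].Value) } else { [double]::PositiveInfinity }
    $results += [pscustomobject]@{ Check = 'Clock skew under 300 s'; Pass = ($skew -lt 300); Detail = "Offset to ${kdc}: $skew s" }

    # Once the client has logged in, the ticket cache should hold a service ticket for the SPN from step 3.
    $hasTicket = klist | Select-String -Pattern ('Server:\s*http/' + [regex]::Escape($ApplianceFqdn)) -Quiet
    $results += [pscustomobject]@{ Check = "Service ticket for http/$ApplianceFqdn"; Pass = [bool] $hasTicket; Detail = 'from klist' }

    $results
}

# Usage (sample values from the article):
# Set-DataNowSso
# Test-DataNowEndpointSso -ApplianceFqdn rpdn.acme.net -DomainFqdn acme.net | Format-Table -AutoSize
```

    Set-DataNowSso is for a lab or a single endpoint; in production the article's route of Environment Manager or Group Policy with the DataNow ADMX should set the value, and Test-DataNowEndpointSso then confirms that the policy actually landed. A missing service ticket with EnableSSO correctly set usually points back to the prerequisites: the endpoint could not reach the KDC at logon (remote users without a pre-logon VPN), or the clock skew exceeds the 5-minute tolerance.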