
How to prepare and set up KERBEROS / SSO with BOMGAR PAM or RS

Step 1: Read the following BOMGAR article. It prepares you well regarding the prerequisites for configuring the KERBEROS Security Provider with BOMGAR.
Steps 2 to 4 are not described in the manufacturer's article. We close that gap here to give you an easy way to create a secure .keytab file.

Step 2: Create a new Active Directory user account with support for AES 256 bit encryption. It will later be mapped to the Kerberos Service Principal Name.
Example user account name: BG_Kerberos_SPN
1. Open "Active Directory Users and Computers" and create the user account [BG_Kerberos_SPN].
2. On the "Account" tab, under account options, enable "This account supports Kerberos AES 256 bit encryption". Leave the DES options unchecked; the account should offer AES only.

Step 3: On your Windows DC, use "SETSPN -S" to register the SPN for your BOMGAR system. The -S option checks that the SPN is not already registered on another account in the domain before adding it; a duplicate SPN breaks Kerberos for both hosts. Kerberos principal names are case-sensitive outside Windows, so write HTTP in capital letters here and in the ktpass /princ in step 4 so that the keytab entry matches.
Please also refer to the following MS article regarding SETSPN.
Examples for this command:
1. setspn -S HTTP/[supportsiteFQDN] [ADUserAccount]
2. setspn -S HTTP/appliancenodename.mydomain.com BG_Kerberos_SPN      (replace the example host name and account name with your own parameters)

Step 4: Use "KTPASS" on your Windows DC to configure the Service Principal Name for the host and generate the .keytab file. The realm after the @ sign is your AD DNS domain name in capital letters.
Please also refer to the following MS article regarding KTPASS.
Examples for this command:
1. ktpass /princ HTTP/[supportsiteFQDN]@[ADDOMAINNAME] /mapuser [ADUserAccount] /pass [ADUserPassword] /out [KeyTabFileName].keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
2. ktpass /princ HTTP/appliancenodename.mydomain.com@MYADDOMAINNAME.LOCAL /mapuser BG_Kerberos_SPN /pass mapuserPassword /out c:\temp\keytabfile1.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
The /crypto AES256-SHA1 parameter selects the Kerberos encryption type of the key written to the keytab (AES256-CTS-HMAC-SHA1-96, etype 18) instead of legacy types such as DES or RC4. This is a Kerberos setting and has nothing to do with TLS cipher suites; it needs the AES 256 option from step 2 on the account. Keep /mapop add (the default, which adds the principal mapping to the account); Microsoft documents /mapop set as the DES-only variant. Three things to know before you run it: ktpass /pass resets the password of the mapped account to the value given, so use /pass +rndpass if nobody needs to know the password (the keytab is then the only copy of the key); every password reset increments the account's key version number (kvno), so any keytab generated before the reset stops working; and ktpass echoes the key in hex on the console, so do not run it inside a transcript or a logged session. Treat the .keytab file itself like the account password.
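Steps 2 to 4 as one script for the domain controller, as an added example that is not part of the original article or of BOMGAR's documentation. Host, realm, account name and keytab path are the article's example values and are passed as parameters; the throwaway initial password, the use of +rndpass, the forest-wide SPN check and the icacls hardening of the file are assumptions of this example, not something the article prescribes.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Microdyn article or from Bomgar: steps 2 to 4 as one
# script for a domain controller. Host, realm, account and keytab path are the
# article's example values; the throwaway password, +rndpass and the icacls call
# are assumptions of this example.
param(
    [string]$ApplianceFqdn = 'appliancenodename.mydomain.com',
    [string]$Realm         = 'MYADDOMAINNAME.LOCAL',   # Kerberos realm = AD DNS name in capitals
    [string]$AccountName   = 'BG_Kerberos_SPN',
    [string]$KeytabPath    = 'C:\temp\keytabfile1.keytab'
)
$ErrorActionPreference = 'Stop'
$spn = "HTTP/$ApplianceFqdn"

# Step 2: service account that offers AES256 only (same effect as the ADUC checkbox
# "This account supports Kerberos AES 256 bit encryption"). The initial password is a
# throwaway; ktpass replaces it below.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    $throwaway = ConvertTo-SecureString ([guid]::NewGuid().ToString() + 'Aa1!') -AsPlainText -Force
    New-ADUser -Name $AccountName -SamAccountName $AccountName -Enabled $true `
        -Description "Kerberos SPN account for Bomgar $ApplianceFqdn" `
        -AccountPassword $throwaway -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES256
}

# Step 3: the SPN must be unique, or clients receive a ticket the appliance cannot
# decrypt. setspn -S refuses duplicates in the domain; check explicitly first.
$owner = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
if ($owner.Count -gt 1 -or ($owner.Count -eq 1 -and $owner[0].Name -ne $AccountName)) {
    throw "$spn is already registered on: $($owner.DistinguishedName -join '; ')"
}
if ($owner.Count -eq 0) {
    & setspn.exe -S $spn $AccountName
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# Step 4: write the keytab. +rndpass sets a random password nobody has to know, so the
# keytab becomes the only copy of the key. ktpass prints the key in hex: do not run
# this under Start-Transcript or with captured output.
& ktpass.exe /princ "$spn@$Realm" /mapuser $AccountName /pass '+rndpass' /out $KeytabPath `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Verify: SPN and UPN on the account, the AES256 bit (0x10) in msDS-SupportedEncryptionTypes,
# and the kvno, which changes on every password reset and must match the keytab.
Get-ADUser $AccountName -Properties servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, userPrincipalName, servicePrincipalName,
        @{ n = 'EncTypes'; e = { '0x{0:X}' -f $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'Kvno';     e = { $_.'msDS-KeyVersionNumber' } }

# The keytab is equivalent to the account password: restrict it to the operator, upload
# it to the appliance (step 5), then delete it from the DC.
& icacls.exe $KeytabPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F"
Write-Warning "Upload $KeytabPath to the appliance now, then delete the file."
```

Run it in an elevated PowerShell on a DC with the ActiveDirectory module. Note the Kvno value it prints: if it later differs from what is in the uploaded keytab (someone reset the password or ran ktpass again), SSO stops working and the keytab has to be regenerated and uploaded again.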

Step 5: Import the KERBEROS keytab file into BOMGAR.
Log on to the BOMGAR appliance at /login as an administrator.
Open the tab "Users and Security", then "Kerberos Keytab".

Select your c:\temp\keytabfile1.keytab and upload it to the appliance. Delete the file from the DC afterwards; it contains the account's long-term key.

Step 6: Create a new LDAP Group Security Provider.
Log on to the BOMGAR appliance at /login as an administrator.
Open the tab "Users and Security", then "Security Providers".
Please also refer to the BOMGAR article on adding a new LDAP Group Lookup Security Provider.
Create a new LDAP Group Security Provider in BOMGAR.
Make sure that "User Authentication" is set to "disabled".
Make sure that "Lookup Groups using this provider" is set to "enabled".
Test the security provider now with an LDAP user. It must work before you proceed to the next step.

Step 7: Create a new KERBEROS Security Provider.
Log on to the BOMGAR appliance at /login as an administrator.
Open the tab "Users and Security", then "Security Providers".
Create a new KERBEROS Security Provider.
Make sure that the LDAP Group Security Provider created in step 6 is selected in your new Kerberos Security Provider; it supplies the group membership for the users that Kerberos authenticates.

Step 8: Add your Active Directory LDAP groups to BOMGAR Group Policies.
Log on to the BOMGAR appliance at /login as an administrator.
Open the tab "Users and Security", then "Group Policies".
Add all necessary LDAP groups you created for BOMGAR teams or rights to the corresponding BOMGAR Group Policies.

Step 9: Try a KERBEROS login from the BOMGAR Access or Rep Console.
Start the BOMGAR Access or Rep Console and select Authenticate Using: "Current Kerberos Credentials".
SSO login should now work without typing in any username or password.

Step 10: Troubleshooting
- If the KERBEROS SSO login does not work, check the BOMGAR Kerberos Security Provider logs.
- Check the following Technet blog article (all you need to know about keytab files). It is a great troubleshooting guide, especially when it comes to "Key Version Number" (kvno) based problems: the kvno in the keytab must equal msDS-KeyVersionNumber of the mapped account, and any password reset of that account bumps it.
- On the client PC where you want to use the BOMGAR Access or Rep Console with SSO, check with "KLIST" that a Kerberos ticket for your BOMGAR appliance FQDN is listed ("klist get HTTP/appliancenodename.mydomain.com" requests one). Such a client PC should normally be a member of the AD domain that issues the KERBEROS ticket, not some standalone "external PC".
- To test whether your client can authenticate directly against the SPN, you can use, for example, the "Kerberos Authentication Tester" from the following third-party site.
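For the kvno and encryption type checks in the troubleshooting list, here is an added example that is not part of the original article or of BOMGAR's tooling: a PowerShell function that lists the entries of a keytab (principal, kvno, encryption type, timestamp) without printing the key material. It parses the MIT keytab format, version 0x0502, which is what ktpass writes. The sample keytab built by New-SampleKeytab is constructed for this example (dummy all-zero key, kvno 3, the article's example principal); the byte layout is assumed to match ktpass output.

```powershell
# Added example, not from the Microdyn article or from Bomgar: list keytab entries
# without revealing the keys, to compare principal, kvno and encryption type with
# the AD account. MIT keytab format version 0x0502, as written by ktpass.
# New-SampleKeytab builds a constructed sample (dummy all-zero key).

function Read-BE16 {
    param([byte[]]$B, [int]$O)
    return ([int]$B[$O] -shl 8) -bor [int]$B[$O + 1]
}
function Read-BE32 {
    param([byte[]]$B, [int]$O)
    return ([int64]$B[$O] -shl 24) -bor ([int64]$B[$O + 1] -shl 16) -bor ([int64]$B[$O + 2] -shl 8) -bor [int64]$B[$O + 3]
}
function Read-Ascii {
    param([byte[]]$B, [int]$O, [int]$Len)
    return [System.Text.Encoding]::ASCII.GetString($B, $O, $Len)
}
$EncTypeNames = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 17 = 'aes128-cts-hmac-sha1-96'; 18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }

function Read-Keytab {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 2 -or $Bytes[0] -ne 0x05 -or $Bytes[1] -ne 0x02) { throw 'Not a version 0x0502 keytab' }
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = 2
    while ($pos + 4 -le $Bytes.Length) {
        $size = Read-BE32 $Bytes $pos; $pos += 4
        if ($size -ge 0x80000000) { $size -= 0x100000000 }   # entry size is a signed int32
        if ($size -lt 0) { $pos += -$size; continue }          # negative size = deleted slot, skip it
        $end = $pos + $size
        $ncomp = Read-BE16 $Bytes $pos; $pos += 2
        $len = Read-BE16 $Bytes $pos; $pos += 2
        $realm = Read-Ascii $Bytes $pos $len; $pos += $len
        $components = @()
        for ($i = 0; $i -lt $ncomp; $i++) {
            $len = Read-BE16 $Bytes $pos; $pos += 2
            $components += Read-Ascii $Bytes $pos $len; $pos += $len
        }
        $pos += 4                                               # name type (1 = KRB5_NT_PRINCIPAL)
        $timestamp = Read-BE32 $Bytes $pos; $pos += 4
        $kvno = [int]$Bytes[$pos]; $pos += 1                    # 8-bit kvno
        $etype = Read-BE16 $Bytes $pos; $pos += 2
        $keyLen = Read-BE16 $Bytes $pos; $pos += 2
        $pos += $keyLen                                         # skip the key material, never output it
        if ($end - $pos -ge 4) {                                # optional 32-bit kvno takes precedence
            $kvno32 = Read-BE32 $Bytes $pos
            if ($kvno32 -ne 0) { $kvno = $kvno32 }
        }
        $encName = if ($EncTypeNames.ContainsKey($etype)) { $EncTypeNames[$etype] } else { "unknown($etype)" }
        $entries.Add([pscustomobject]@{
            Principal = ($components -join '/') + '@' + $realm
            Kvno      = $kvno
            EncType   = $etype
            EncName   = $encName
            KeyBytes  = $keyLen
            Written   = [DateTimeOffset]::FromUnixTimeSeconds($timestamp).UtcDateTime
        })
        $pos = $end
    }
    return $entries
}

function Add-BE16 {
    param($List, [int]$V)
    $List.Add([byte](($V -shr 8) -band 0xFF)); $List.Add([byte]($V -band 0xFF))
}
function Add-BE32 {
    param($List, [int64]$V)
    foreach ($s in 24, 16, 8, 0) { $List.Add([byte](($V -shr $s) -band 0xFF)) }
}
function New-SampleKeytab {
    # Constructed sample: one AES256 entry (etype 18), kvno 3, for the article's example
    # principal, with a dummy all-zero key.
    $asc   = [System.Text.Encoding]::ASCII
    $realm = 'MYADDOMAINNAME.LOCAL'
    $comps = 'HTTP', 'appliancenodename.mydomain.com'
    $body  = New-Object System.Collections.Generic.List[byte]
    Add-BE16 $body $comps.Count
    Add-BE16 $body $realm.Length; $body.AddRange($asc.GetBytes($realm))
    foreach ($c in $comps) { Add-BE16 $body $c.Length; $body.AddRange($asc.GetBytes($c)) }
    Add-BE32 $body 1                                        # KRB5_NT_PRINCIPAL
    Add-BE32 $body 1505296800                               # timestamp (2017-09-13)
    $body.Add([byte]3)                                      # 8-bit kvno
    Add-BE16 $body 18                                       # aes256-cts-hmac-sha1-96
    Add-BE16 $body 32; $body.AddRange([byte[]]::new(32))    # key length + dummy key
    Add-BE32 $body 3                                        # 32-bit kvno
    $kt = New-Object System.Collections.Generic.List[byte]
    $kt.Add([byte]5); $kt.Add([byte]2)                      # file version 0x0502
    Add-BE32 $kt $body.Count
    $kt.AddRange($body)
    return $kt.ToArray()
}

Read-Keytab -Bytes (New-SampleKeytab) | Format-Table -AutoSize
# Real file from step 4:
# Read-Keytab -Bytes ([System.IO.File]::ReadAllBytes('C:\temp\keytabfile1.keytab')) | Format-Table -AutoSize
```

Compare the Kvno column with "Get-ADUser BG_Kerberos_SPN -Properties msDS-KeyVersionNumber" on the DC and the EncType column with the account's AES 256 setting from step 2; a mismatch in either is the usual reason for a keytab that uploads fine but never decrypts a ticket.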

Although I have thoroughly researched and tested what is written here with BOMGAR RS 16 and PAM 17, MICRODYN DISCLAIMS ALL WARRANTIES!
Author: MICRODYN - R. Hahn / 13.9.2017   /   Last Update: 14.6.2018
