How to prepare and set up KERBEROS / SSO with BeyondTrust PRA or RS

How to prepare and set up KERBEROS / SSO with BeyondTrust** Privileged Remote Access** or Remote Support**? #

Step1: Read the following BeyondTrust article. It will prepare you well regarding the prerequisites for configuring the KERBEROS Security Provider with BeyondTrust. #

As we do not update this wiki article every day, we recommend doing a web search with the keywords «BeyondTrust, kerberos, guide, pdf» to get the most current version of the manufacturer article discussed here.

Steps 2 to 4 are not described in the manufacturer article. We close that gap here to give you an easy way to create a secure .keytab file.

Step2: Create a new Active Directory user account with support for AES 256-bit encryption, for later mapping to the Kerberos Service Principal Name. #

Example user account name: BT_Kerberos_SPN
1. Open «Active Directory Users and Computers», then create a user account [BT_Kerberos_SPN].
2. Click the tab «Account» and set the account options for this account to «This account supports Kerberos AES 256 bit encryption».
3. Set the password of this user account to «never expire».

Step3: On your Windows DC, use «SETSPN -S» as Domain Admin in an elevated CMD to add the SPN for your BeyondTrust system to Kerberos. #

Please refer also to the following MS article regarding SETSPN.

Examples for this command:
1. setspn -S http/[supportsiteFQDN] [ADUserAccount]
2. setspn -S http/appliancenodename.mydomain.com BT_Kerberos_SPN
(Replace the placeholders, i.e. the FQDN and the account name, with your own values.)
Remarks:
– The -S parameter also verifies that there are no duplicate SPNs.
– The command «setspn -?» displays help for more options at the command prompt.
Please read Page 4 of the BeyondTrust article carefully, especially the section on «SPN canonicalization», if you use different FQDNs on your appliance for internal and external access, or if you use multiple appliances. In that case you must use the setspn command to register SPNs for each of your FQDNs.

Step4: Use «KTPASS» on your Windows DC as Domain Admin in an elevated CMD to configure the Service Principal Name for the host and generate the .keytab file. #

Please refer also to the following MS article regarding KTPASS.

Examples for creating a keytab file with KTPASS:
Example 1: ktpass /princ HTTP/[supportsiteFQDN]@[ADDOMAINNAME*] /mapuser [ADUserAccount] /pass [newADUserPassword] /out [KeyTabFileName].keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
Example 2: ktpass /princ HTTP/appliancenodename.mydomain.com@MYADDOMAINNAME.LOCAL* /mapuser BT_Kerberos_SPN /pass * /out c:\temp\keytabfile1.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
* = Ensure that the domain name is always in capital letters.

The /crypto AES256-SHA1 and /mapop add parameters are important: they force SSO to work with a strong and current cipher suite (as in TLS 1.2) and not just with old ones like DES.

Step5: Import the KERBEROS keytab file into the BeyondTrust B-Series Appliance. #

Log on to the BeyondTrust B-Series appliance under /login with an admin user.
Click in the vertical menu on «Users and Security», then in the horizontal menu on «Kerberos Keytab».

Select your c:\temp\keytabfile1.keytab and upload it to the appliance.

Step6: Create a new LDAP Group Security Provider. #

Log on to the BeyondTrust appliance under /login with an admin user.
Click in the vertical menu on «Users and Security», then in the horizontal menu on «Security Providers».
Please refer also here regarding adding a new LDAP Group Lookup Security Provider in BeyondTrust RS or PRA (Page 5).
Create a new LDAP Group Security Provider in BeyondTrust.
Make sure that «user authentication» is set to «disabled».
Make sure that «Lookup Groups using this provider» is set to «enabled».
Test the security provider now with an LDAP user. It must work before you proceed to the next step.

Step7: Create a new KERBEROS Security Provider. #

Log on to the BeyondTrust appliance under /login as an admin user.
Click in the vertical menu on «Users and Security», then in the horizontal menu on «Security Providers».
Create a new KERBEROS Security Provider.
Make sure that the previously created LDAP Group Security Provider is selected in your new Kerberos Security Provider.

Step8: Add your Active Directory LDAP Groups to BeyondTrust Group Policies. #

Log on to the BeyondTrust appliance under /login as an admin user.
Click in the vertical menu on «Users and Security», then on «Group Policies».
Add all necessary LDAP groups you created to define BeyondTrust Teams or rights to your corresponding BeyondTrust Group Policies.

Step9: Now try a KERBEROS login from the BeyondTrust PRA Access Console or RS Rep Console. #

Start the BeyondTrust Access Console or Rep Console and select Authenticate Using: «Current Kerberos Credentials».
SSO login should now work without typing in any username or password, provided your client is in a zone where it can obtain a Kerberos ticket.

Step10: Troubleshooting: #

– If KERBEROS SSO login does not work, check the BeyondTrust Kerberos Security Provider logs.
– Check also on the client PC where you want to use the BeyondTrust Access or Rep Console with SSO whether the «KLIST» command lists the Kerberos ticket for your BeyondTrust appliance FQDN. Such a client PC should normally be a member of the AD domain the KERBEROS ticket comes from, and not just some standalone «external PC».
– Verify your keytab file on Linux: please read the following article on GitHub:
– To test whether your client can authenticate directly with the SPN, you can use for example the «Kerberos Authentication Tester» from this third-party site.
– More information regarding BeyondTrust and Kerberos can be found on the manufacturer's website under the following link.
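The keytab check from the troubleshooting list above, and the point made in Step 4 that only the AES256 key belongs in the file, can be done on any machine with Python. The following inspector is an added example (not BeyondTrust, Microsoft or MIT code): it parses the MIT keytab format (version 0x0502, which is what ktpass writes) and flags the mistakes Steps 2 to 4 are meant to avoid: a realm that is not in capital letters, a principal that does not match the appliance SPN, and legacy DES/RC4 keys. The two keytabs it inspects are constructed inside the script with the article's placeholder names (HTTP/appliancenodename.mydomain.com, MYADDOMAINNAME.LOCAL) and dummy all-zero keys; they are not real files from a DC. Point `check_keytab()` at the bytes of your own c:\temp\keytabfile1.keytab to check a real one.

```python
"""Inspect a ktpass/MIT keytab (version 0x0502) for BeyondTrust SSO readiness.
Added example, not part of the article or any vendor tool. Sample keytabs are
constructed below with placeholder names from the article and zero-filled keys."""
import struct

# Kerberos encryption-type numbers (RFC 3961/3962 for DES and AES, RFC 4757 for RC4)
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
AES_ENCTYPES = {17, 18}
KRB5_NT_PRINCIPAL = 1            # the /ptype value used by the ktpass examples in Step 4


def _counted(buf):
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(buf)) + buf


def build_keytab(entries):
    """Serialise (principal, realm, enctype, key, kvno) tuples into keytab bytes.
    Only used to construct sample input here; in practice ktpass writes the file."""
    out = bytearray(b"\x05\x02")                     # keytab format version 0x0502
    for principal, realm, enctype, key, kvno in entries:
        comps = principal.split("/")                 # "HTTP/host" -> ["HTTP", "host"]
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key              # key block
        body += struct.pack(">I", kvno)                                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, realm, name_type, enctype, kvno, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (the format ktpass writes)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                           # 32-bit kvno present; non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
                        "kvno": kvno, "key_len": len(key)})
    return entries


def check_keytab(data, expected_spn, expected_realm):
    """Return a list of findings; an empty list means the keytab matches Steps 2-4."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    findings = []
    if not any(e["enctype"] == 18 for e in entries):
        findings.append("no aes256-cts-hmac-sha1-96 key (Step 4 uses /crypto AES256-SHA1)")
    for e in entries:
        who = f"{e['principal']}@{e['realm']}"
        if e["realm"] != e["realm"].upper():
            findings.append(f"realm not upper-case: {who}")
        if e["realm"] != expected_realm:
            findings.append(f"unexpected realm: {who}")
        if e["principal"] != expected_spn:
            findings.append(f"principal does not match appliance SPN: {who}")
        if e["enctype"] not in AES_ENCTYPES:
            findings.append(f"legacy enctype {e['enctype_name']} present for {who}")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append(f"name type {e['name_type']} is not KRB5_NT_PRINCIPAL for {who}")
    return findings


SPN = "HTTP/appliancenodename.mydomain.com"          # placeholder names from the article
REALM = "MYADDOMAINNAME.LOCAL"
# Constructed sample 1: what Step 4's Example 2 should produce (one AES256 key, kvno 3).
GOOD_KEYTAB = build_keytab([(SPN, REALM, 18, bytes(32), 3)])
# Constructed sample 2: lower-case realm plus a leftover RC4 key, which the checks flag.
BAD_KEYTAB = build_keytab([(SPN, "myaddomainname.local", 23, bytes(16), 3),
                           (SPN, REALM, 18, bytes(32), 3)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        for e in parse_keytab(kt):
            print(label, e["principal"], e["realm"], e["enctype_name"], "kvno", e["kvno"])
        print(label, "findings:", check_keytab(kt, SPN, REALM) or "none")
```

The parser never prints or returns key material, only its length, so the output is safe to paste into a support ticket. A keytab that passes but still fails SSO usually points at the SPN side (Step 3) or the client ticket (the KLIST check above) rather than the file itself.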

Although I have thoroughly researched and tested what is written here with BeyondTrust RS 22 and PAM 22/23 – MICRODYN DISCLAIMS ALL WARRANTIES!
Author: MICRODYN – R. Hahn / 13.9.2017 / last update: 03.02.2023

** = BeyondTrust and some product names mentioned in this article are registered trademarks of BeyondTrust Corporation in the United States and other countries.
Microdyn AG has only been a sales partner of BeyondTrust for many years and excludes any liability with regard to this article.

If you have any questions about this article, please let us know – we will be happy to help you.
