How to prepare and setup KERBEROS / SSO with BeyondTrust Privileged Remote Access or Remote Support?

Step1: Read the following BeyondTrust Article. It will prepare you well regarding the prerequisites to configure KERBEROS Security Provider with BeyondTrust.

Steps 2 to 4 are not described in the manufacturer's article. We close that gap here to give you an easy way of creating a secure .keytab file.

Step2: Create a new Active Directory User Account with support for AES 256-bit encryption, for later mapping to the Kerberos Service Principal Name.
Example User Account Name: BG_Kerberos_SPN
1. Open “Active Directory Users and Computers” then create a User Account [BG_Kerberos_SPN].
2. Click the Tab “Account” and set the account options for this account to “This account supports Kerberos AES 256 bit encryption”.

Step3: On your Windows DC use “SETSPN -S” to add the SPN for your BeyondTrust System to Kerberos.
Please refer also to the following MS Article regarding SETSPN.
Examples for this command:
1. setspn -S http/[supportsiteFQDN] [ADUserAccount] 
2. setspn -S http/appliancenodename.mydomain.com BG_Kerberos_SPN      (replace the example host name and account name with your own parameters.)

Step4: Use “KTPASS” on your Windows DC to configure the Service Principal Name for the host and generate the .keytab file.
Please refer also to the following MS Article regarding KTPASS.
Examples for this command:
1. ktpass /princ HTTP/[supportsiteFQDN]@[ADDomainName] /mapuser [ADUserAccount] /pass [ADUserPassword] /out [KeyTabFileName].keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
2. ktpass /princ HTTP/appliancenodename.mydomain.com@myADDomainName.local /mapuser BG_Kerberos_SPN /pass mapuserPassword /out c:\temp\keytabfile1.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
The /crypto AES256-SHA1 and /mapop add parameters are important: they force SSO to work with a strong, current cipher suite as used with TLS 1.2, and not just with old ones like DES.
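Steps 2 to 4 can be run as one PowerShell script on the domain controller. The following is an added example and not part of the BeyondTrust article or the manufacturer's tooling. It assumes an elevated PowerShell with the ActiveDirectory module on a DC; the account name, appliance FQDN, realm and keytab path are the placeholder values from the steps above and must be replaced with your own. It adds two checks a practitioner wants: that the account really only carries an AES 256 key, and that the SPN was registered before the keytab is produced.

```powershell
# Added example (not from the BeyondTrust article): provisions the SPN account,
# registers the SPN and generates the keytab in one run. Assumptions: elevated
# PowerShell on a DC with the ActiveDirectory module; all names and paths below
# are placeholders taken from the steps above.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$AccountName   = 'BG_Kerberos_SPN'                  # Step 2 account (placeholder)
$ApplianceFqdn = 'appliancenodename.mydomain.com'   # placeholder
$Realm         = 'MYADDOMAINNAME.LOCAL'             # Kerberos realm, upper-case by convention
$Spn           = "HTTP/$ApplianceFqdn"
$KeytabPath    = 'C:\temp\keytabfile1.keytab'

# Step 2: create the account restricted to AES 256 so that no RC4 or DES key is
# ever issued for it. The initial password is only a placeholder; ktpass resets it
# in step 4. Note that any later password change invalidates the keytab.
$InitialPassword = Read-Host -Prompt 'Initial password' -AsSecureString
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $InitialPassword -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256 `
    -Description 'BeyondTrust Kerberos SPN service account'

# Verify msDS-SupportedEncryptionTypes: bit 0x10 (16) = AES256-CTS-HMAC-SHA1-96.
$enc = (Get-ADUser $AccountName -Properties msDS-SupportedEncryptionTypes).'msDS-SupportedEncryptionTypes'
if (($enc -band 0x10) -eq 0) { throw "AES256 is not enabled on $AccountName (value: $enc)" }

# Step 3: register the SPN. -S refuses a duplicate SPN, which would otherwise
# break SSO silently because the KDC could not pick a unique account.
setspn -S $Spn $AccountName
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Step 4: generate the keytab. '/pass *' prompts for the password instead of
# leaving it in the shell history; ktpass sets the account password to that value.
ktpass /princ "$Spn@$Realm" /mapuser $AccountName /pass * `
       /out $KeytabPath /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop add
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# The keytab is equivalent to the account password: keep it readable by
# administrators only until it is uploaded in step 5, then delete the local copy.
icacls $KeytabPath /inheritance:r /grant:r 'Administrators:(R)' | Out-Null
setspn -L $AccountName   # confirm that HTTP/<fqdn> is now listed on the account
```

The AES-only restriction on the account is what makes the /crypto AES256-SHA1 keytab line up with what the KDC issues; if the attribute still allowed RC4, a client could be handed an RC4 service ticket that the appliance has no key for.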

Step5: Import the KERBEROS Keytab File in BOMGAR.
Log on to the BOMGAR appliance under /login as “admin”.
Open the Tab “Users and Security”, then “Kerberos Keytab”.

Select your c:\temp\keytabfile1.keytab and upload it to the appliance.

Step6: Create a new LDAP Group Security Provider.
Log on to the BeyondTrust appliance under /login as “admin”.
Open Tab “Users and Security” then “Security Providers”.
Please refer also here regarding adding a new LDAP Group Lookup Security Provider in BeyondTrust RS or PRA.
Create a new LDAP Group Security Provider in BeyondTrust.
Make sure that “user authentication” is set to “disabled”.
Make sure that “Lookup Groups using this provider” is set to “enabled”.
Test the security provider now with an LDAP User. It must work, before you proceed to the next step.

Step7: Create a new KERBEROS Security Provider.
Log on to the BeyondTrust appliance under /login as “admin”.
Open Tab “Users and Security” then “Security Providers”.
Create a new KERBEROS Security Provider.
Make sure that the previously created LDAP Group Security Provider is selected in your new Kerberos Security Provider.

Step8: Add your Active Directory LDAP Groups to BeyondTrust Group Policies.
Log on to the BeyondTrust appliance under /login as “admin”.
Open Tab “Users and Security” then “Group Policies”.
Add all necessary LDAP Groups you created to define BeyondTrust Teams or Rights to your corresponding BeyondTrust Group Policies.

Step9: Try now KERBEROS login from BeyondTrust Access or Rep Console.
Start BeyondTrust Access or Rep Console and select Authenticate Using: “Current Kerberos Credentials”.
SSO login should now work without typing in any username or password.

Step10: Troubleshooting:
- If KERBEROS SSO login does not work, check the BeyondTrust Kerberos Security Provider logs.
- Check also on the client PC where you want to use the BeyondTrust Access or Rep Console with SSO whether the “KLIST” command lists the Kerberos ticket for your BeyondTrust appliance FQDN. Such a client PC should normally be a member of the AD domain the KERBEROS ticket comes from and not just some standalone “external PC”.
- To test whether your client can authenticate directly against the SPN you can use, for example, the “Kerberos Authentication Tester” from this 3rd-party site.
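The KLIST check from the troubleshooting list can be scripted on the client so that it also reports which encryption type the ticket was issued with. This is an added example, not part of the article. It assumes the Windows klist.exe output format (“Server:” and “KerbTicket Encryption Type:” lines) and a domain-joined client; the appliance FQDN is the placeholder from the steps above.

```powershell
# Added example (not from the BeyondTrust article): requests a service ticket for
# the appliance SPN with 'klist get' and reports whether it was issued and with
# which encryption type. Assumptions: Windows klist.exe output format; the FQDN
# passed in is a placeholder and must be your real appliance name.
function Test-BeyondTrustKerberosTicket {
    param([Parameter(Mandatory)][string]$ApplianceFqdn)

    $spn = "HTTP/$ApplianceFqdn"
    # 'klist get' asks the KDC for a ticket to the SPN and caches it. A failure
    # usually means the SPN is not registered (step 3) or the client is not using
    # a KDC of the domain that holds the SPN account.
    $output = & klist get $spn 2>&1
    if ($LASTEXITCODE -ne 0 -or ($output -match 'failed')) {
        return [pscustomobject]@{
            Spn            = $spn
            Obtained       = $false
            EncryptionType = $null
            Detail         = ($output -join ' ')
        }
    }

    # Extract the encryption type of the retrieved ticket from the klist listing.
    $match   = $output | Select-String 'KerbTicket Encryption Type:\s*(.+)$' | Select-Object -First 1
    $encType = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }

    # AES-256-CTS-HMAC-SHA1-96 confirms that the /crypto AES256-SHA1 keytab from
    # step 4 and the AES-only account from step 2 took effect; RC4 or DES here
    # means the appliance has no matching key and SSO will fail.
    [pscustomobject]@{
        Spn            = $spn
        Obtained       = $true
        EncryptionType = $encType
        IsAes256       = ($encType -like 'AES-256*')
        Detail         = $null
    }
}

# Usage: replace the FQDN with your appliance name.
Test-BeyondTrustKerberosTicket -ApplianceFqdn 'appliancenodename.mydomain.com' | Format-List
```

If Obtained is true but IsAes256 is false, the account created in step 2 most likely still permits RC4 and the KDC preferred it; fix the encryption type on the account and regenerate the keytab rather than changing anything on the appliance.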

Although I have thoroughly researched and tested what is written here with BeyondTrust RS 16 and PAM 17 – MICRODYN DISCLAIMS ALL WARRANTIES!
Author: MICRODYN – R. Hahn / 13.9.2017
