Configuring Kerberos Authentication

Enabling support for Kerberos authentication lets you extended your existing Kerberos infrastructure to Imprivata with SSO Authentication Management. Configuring Kerberos authentication delegates user authentication from the Imprivata agent to a non-Imprivata credential collector that is Kerberos-enabled.

In an Imprivata Enterprise Access Management deployment where Kerberos authentication is enabled:

  • Enterprise Access Management implicitly trusts the Kerberos ticket that Windows issues. If the user is successfully authenticated by Windows, Enterprise Access Management authenticates the user, as well.

  • The Imprivata agent is installed on all endpoint computers, but the Imprivata login module is disabled. The user authenticates to Enterprise Access Management through Windows or some other third-party software, such as disk encryption software.

  • If the user policy is configured for single sign-on (SSO), the authenticated user continues to access to their SSO-enabled applications. The Imprivata agent continues to proxy all user credentials to enabled applications. For more information, see Single Sign-On.

Prerequisites

Review the following prerequisites before you begin:

  • Verify that Kerberos is configured and enabled in your Windows environment. This topic details how to configure Enterprise Access Management for Kerberos authentication and assumes that the Kerberos deployment is running normally.

  • The Imprivata keytab utility (keytab utility), which you use to create and upload a keytab file to an appliance, uses ktpass to create and upload a keytab file to an appliance. The keytab utility is installed with the Imprivata agent.

    Ktpass is part of the Microsoft Windows Server resource kit. Beginning with Windows Server 2008, the resource kit tools are installed as part of the server role installation.

  • The endpoint computer from which you run the keytab utility and the primary appliance to which the Imprivata agent communicates must be in the same Active Directory domain.

    For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.

  • The Service Principal Name (SPN) of the appliance that the keytab utility registers with Active Directory is case-sensitive.

    The hostname and the domain name that appear in the Imprivata Appliance Console of this appliance must contain all lowercase letters.

  • If the Imprivata enterprise includes more than one domain that share a trust relationship, for example a parent company (company.com) and two subdomains (us.company.com and eu.company.com), make sure that at least one appliance is placed in company.com.

    Upload the keytab file to this appliance. Uploading to the appliance that is in the second-level domain (SLD) ensures that the keytab file is valid for all domains.

Authentication Workflow

The following diagram illustrates the authentication workflow between a Windows/Kerberos environment and Enterprise Access Management. The illustration details the following components:

  • A Windows endpoint computer with a non-Imprivata credential collector that is Kerberos-enabled. In this use case, the user authenticates using the Windows login screen.

  • An Imprivata single-user computer agent. The Imprivata agent login module is disabled (unregistered).

  • The Imprivata appliance.

Authentication workflow between a Windows/Kerberos environment and Imprivata OneSign

  1. The user authenticates to the Windows endpoint computer using the Windows login screen. Windows issues the Kerberos ticket.

  2. The Imprivata agent acquires the Windows-issued Kerberos ticket. The agent treats the Kerberos ticket, which contains the users credentials, as a successful capture of login credentials.

  3. The Imprivata agent passes the Kerberos ticket to the Imprivata appliance.

  4. The Enterprise Access Management server verifies that the Kerberos ticket is valid, extracts the user identity for the Kerberos ticket and validates it, and creates the SSO session.

NOTE: Although not illustrated, any software that includes a credential provider and is configured to authenticate users is considered a non-Imprivata credential collector. An example of such is a Check Point® Full Disk Encryption deployment configured to authenticate the user before loading the operating system (pre-boot authentication).

Configuring Kerberos Authentication

Configuring Kerberos authentication requires that you:

Configuring Kerberos authentication requires access to the following:

  • Domain administrator access to an endpoint computer on which the Imprivata agent is installed.
  • The Imprivata Appliance Console.
  • The Imprivata Admin Console.

If more than one person is responsible for domain administration, appliance administration, and Enterprise Access Management administration, coordinate with these individuals before beginning.

Configuring Network Protocol Time (NTP) servers makes sure that the Kerberos ticket does not expire before the appliance can extract the user identity from the Kerberos ticket.

Complete the following for each appliance in the enterprise to enable time synchronization.

  1. In the Imprivata Appliance Console, go to Network > NTP.

  2. Enter the IP address for one or more NTP servers.

  3. Click Save.

The endpoint computer from which you run the keytab utility and the primary appliance to which the Imprivata agent communicates must be in the same Active Directory domain.

For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.

  1. Log into the endpoint computer.
  2. Open the registry editor and go to the ISXAgent registry key:

    • 64–bit — HKLM\SOFTWARE\SSOProvider\ISXAgent

  3. Use the IPTXPrimServer value to confirm that the agent's primary appliance is in the same Active Directory domain as the endpoint computer.

Creating and uploading a keytab file establishes a Kerberos trust relationship between Enterprise Access Management and Microsoft Active Directory. You use the Imprivata key tab utility, which is installed with the Imprivata agent, to create and upload a keytab file. After the keytab file is uploaded to the appliance, it is propagated to all other appliances in the enterprise.

NOTE: Obtain the administrator user credentials of the appliance to which you are uploading the keytab file. The Imprivata keytab utility requires these credentials to upload the keytab file.

  1. As a domain administrator, log into an endpoint computer to which the Imprivata agent is installed and open a command prompt.

  2. At the command prompt, type the following and press Enter:
    cd \Program Files (x86)\Imprivata\OneSign Agent\x64

  3. Type ISXKerbUtil and press Enter. The utility returns the names of the following:

    • The domain.

    • The domain controller.

    • The appliance host name in the Service Principal Name (SPN) format.

  4. Using the User Principal Name (UPN) format, type the username of the domain account that has Super Administrator rights in the Admin Console and press Enter.

    Example: username@example.com

  5. Enter the password of the domain account, with the Super Administrator rights you provided above, and press Enter.

  6. Enter a password that meets the Active Directory complexity requirements and press Enter. The utility does the following:

    • Creates a domain user account named ssoKerberos.

    • Sets the password.

    • Creates and uploads the keytab file to the appliance.

    NOTE: If the Imprivata keytab utility detects that a domain user account is already mapped to the SPN, it updates the domain account with the password you entered. If the utility detects that multiple domain user accounts are mapped to the SPN, the utility detects which user it previously created and updates it with the password you entered; the remaining users are removed from the SPN.

The Imprivata keytab utility creates the keytab file with all of the supported cryptographic types supported by Windows Server.

NOTE: Only 1 keytab file is allowed per Imprivata enterprise.

  1. In the Imprivata Admin Console, go to the Users menu > Directories page.

  2. Click the name of the domain from which you created the keytab file.

  3. Go to Kerberos authentication and click 5 keytab files.

  4. Verify that the keys are using the following cryptographic types:

      • DES cbc mode with CRC-32

      • DES cbc mode with RSA-MD5

      • ArcFour with HMAC/md5

      • AES-256 CTS mode with 96-bit SHA-1 HMAC

      • AES-128 CTS mode with 96-bit SHA-1 HMAC

Identify the computers to which Kerberos authentication applies and configure a computer policy. Configuring the computer policy enables the computers in the policy for Kerberos authentication.

Step 6a: Create a Computer Policy for Endpoint Computers

  1. In the Imprivata Admin Console go to the Computers menu > Computer policies page.

    You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point. If you want to edit an existing computer policy, click the existing computer policy name, and skip to Step 6b: Configure the Computer Policy for Endpoint Computers.

  2. To copy the Default Computer Policy, select Default Computer Policy , then click Copy.

  3. Click Default Computer Policy (2).

  4. Rename the computer policy.

Step 6b: Configure the Computer Policy for Endpoint Computers

  1. Click the General tab, go to the Authentication section, and select Accept Kerberos authentication in place of OneSign authentication.

  2. Click Save.

Step 6c: Assign the Computer Policy to Endpoint Computers

To manually assign the computer policy:

  1. Go to the Computers menu > Computers page.

  2. Select the computers to which you want to apply the computer policy.

  3. Select Change policy

  4. Select Choose a policy and the name of the policy configured for Kerberos authentication.

  5. Click Change Policy.

Use computer policy assignment rules to assign a computer policy to existing endpoint computers and to automatically assign the policy to endpoint computers added in the future.

  1. Go to the Computers menu > Computer policy assignment page.

  2. Click Add new rule.

  3. Enter a Name for the assignment rule.

  4. Select one of the following:

    • Computer IP address, and then enter the range of IP addresses to include in the computer policy.

    • Computer host name to match the computer policy to a specific computer.

    • Imprivata agent type to apply the computer policy to all computers with a specific Imprivata agent.

Disabling (unregistering) the Imprivata agent login module prevents Enterprise Access Management from authenticating users, ensuring that Kerberos authentication is enforced on the endpoint computer.

  1. As a domain administrator, log into an endpoint computer that is enabled for Kerberos authentication and open a command prompt.
  2. At the command prompt, type:
    • 64–bit — cd \Program Files (x86)\Imprivata\OneSign Agent\x64 and press Enter
  3. Type:
    • 64–bit — regsvr32 /u ISXCredProv.dll and press Enter.
  4. Type:
    • 64–bit — ISXCredProvDiag.exe /unwrapall and press Enter.
  5. Close the command prompt window.

The Imprivata OneSign login module is disabled on the endpoint computer.

BEST PRACTICE: To disable the Imprivata OneSign login module on multiple endpoint computers, use the Microsoft Group Policy Management Editor to create or modify a group policy object to disable the dynamic link library and executable.

While the Imprivata agent login module remains disabled, enabling (registering) the Imprivata credential manager module ensures that Enterprise Access Management continues to manage application single sign–on after users change their password.

  1. As a domain administrator, log into an endpoint computer that is enabled for Kerberos authentication and open a command prompt.
  2. At the command prompt, type:
    • 64–bit — cd \Program Files (x86)\Imprivata\OneSign Agent\x64 and press Enter.
  3. Type:
    • 64–bit — regsvr32 ISXCredMan.dll and press Enter.

BEST PRACTICE: To enable the Imprivata credential manager module on multiple endpoint computers, use the Microsoft Group Policy Management Editor to create or modify a group policy object to enable the dynamic link library.