How to configure Kerberos Authentication on a Clearswift Secure Web Gateway for different Windows environments

To enable Kerberos user authentication on a Clearswift Secure Web Gateway for different Windows environments, complete the following steps:

1. Create a service-user account in Active Directory


– User logon name (pre-Windows 2000): for example svc_123

– Check "User cannot change password"

– Check "Password never expires"

Only for Windows Server 2008 / Windows 7 environments:

– Check "This account supports Kerberos AES 256 bit encryption"

– Check "Account expires: Never"

2. Create a Keytab-File

– Open a DOS command prompt on a Windows domain controller and enter the following command for a Windows Server 2008 / Windows 7 environment:

ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_Principal -pass COMPLEX_PASSWORD -out C:/keytabfile.key

Use this command for a mixed Windows Server 2008 / 2003 and Windows 7 / Windows XP environment:

ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_Principal -pass COMPLEX_PASSWORD -out C:/keytabfile.key

Make sure that the DOMAIN is written in capital letters!
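
Before the upload in step 3, the generated keytab can be checked for the two points step 2 depends on: the realm in capital letters and the encryption type that was requested. The following is an added example, not part of the original article or of any Clearswift tooling; it assumes the file is in the MIT keytab format, version 0x0502, and the function names, the realm EXAMPLE.COM and the host proxy.example.com are constructed for illustration.

```python
import struct

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def counted(rec, off):  # uint16 length + bytes -> (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into (name, realm, kvno, etype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec = data[pos + 4:pos + 4 + max(size, 0)]
        pos += 4 + abs(size)
        if size <= 0:                       # negative length marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        parts = []
        for _ in range(ncomp):              # e.g. "HTTP", then the host name
            part, off = counted(rec, off)
            parts.append(part)
        _type, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                    # skip the fixed fields and the key bytes
        if len(rec) - off >= 4:             # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts), realm, kvno, etype))
    return entries

def check_keytab(data):
    """Return findings on the realm spelling and key type of every entry."""
    findings = []
    for name, realm, kvno, etype in parse_keytab(data):
        who = f"{name}@{realm} (kvno {kvno}, {ETYPES.get(etype, etype)})"
        if realm != realm.upper():
            findings.append(f"{who}: realm is not in capital letters")
        if etype != 18:                     # expected only after the mixed-environment command
            findings.append(f"{who}: key is not AES256")
    return findings

def sample_entry(realm, etype, keylen, host="proxy.example.com", kvno=3):
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", 2) + s(realm) + s("HTTP") + s(host)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, keylen) + bytes(keylen) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry("EXAMPLE.COM", 18, 32) + sample_entry("example.com", 23, 16)  # constructed
```

For a real file, pass the bytes read from the keytab to check_keytab(); an empty list means every entry is an AES256 key with an upper-case realm.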

3. Upload Keytab-File and configure CSWG

CSWG: System – Proxy Settings – Authentication Settings

– User Authentication is Enabled

– Your users will be asked for authentication details.

– The Web Proxy will respond to Kerberos protocol only.

– The Web Proxy will reject responses made using other protocols.

– Kerberos Distribution Center

– The Kerberos Distribution Center is located at “FQDN_OF_DOMAINCONTROLLER”

– Kerberos Key Tab File

– Upload the Keytab-File

– Apache Access Log is Enabled

– Apache access logs are being generated by the Web Gateway.

4. Test authentication

– Enter "Domain User Name"

– Enter "User Password"

– Run Test

You should now get a "successfully authenticated" message.
