To enable Kerberos user authentication on a Clearswift Secure Web Gateway (CSWG) in different Windows environments, complete the following steps:
1. Create a service-user account in Active Directory
– User logon name: HTTP/FQDN_OF_APPLIANCE
– User logon name (pre-Windows 2000): for example svc_123
– Check "User cannot change password"
– Check "Password never expires"
Only for Windows Server 2008 / Windows 7 environments:
– Check "This account supports Kerberos AES 256 bit encryption"
– Check "Account expires never"
2. Create a keytab file
– Open a command prompt on a Windows domain controller and enter the following command for a Windows Server 2008 / Windows 7 environment:
ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass COMPLEX_PASSWORD -out C:/keytabfile.key
For a mixed Windows Server 2008 / 2003 and Windows 7 / Windows XP environment, use this command instead:
ktpass -princ HTTP/HOSTNAME_OF_APPLIANCE@DOMAIN -mapuser svc_123@DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass COMPLEX_PASSWORD -out C:/keytabfile.key
Make sure that DOMAIN is written in capital letters (the Kerberos realm name is case-sensitive)! Note that -pass sets the password of the service account to COMPLEX_PASSWORD and -mapuser maps the principal to that account.
3. Upload the keytab file and configure the CSWG
CSWG: System – Proxy Settings – Authentication Settings
– User Authentication is Enabled: your users will be asked for authentication details.
– The Web Proxy will respond to Kerberos protocol only: the Web Proxy will reject responses made using other protocols.
– Kerberos Distribution Center: the Kerberos Distribution Center is located at "FQDN_OF_DOMAINCONTROLLER".
– Kerberos Key Tab File: upload the keytab file created in step 2.
– Apache Access Log is Enabled: Apache access logs are generated by the Web Gateway.
4. Test authentication
– Enter the domain user name
– Enter the user password
– Run the test
You should now get a "successfully authenticated" message.
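Before uploading the keytab in step 3, it helps to confirm that ktpass wrote what steps 1 and 2 require: the SPN HTTP/<appliance>, an upper-case realm, and the encryption type matching the environment. The following added example (not Clearswift's code; the appliance name proxy.example.com and realm EXAMPLE.COM are constructed) parses the MIT v2 keytab format that ktpass -out produces and reports those three problems.

```python
import struct

def make_keytab(principal, enctype, key, kvno=3):
    """Build a one-entry MIT v2 keytab as constructed test data (not real ktpass output)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                    # realm first, then name components
        body += struct.pack(">H", len(s)) + s.encode()
    # name type 1 = KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno, enctype, key length, key
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse an MIT v2 keytab (magic 0x0502, the format ktpass -out writes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        e, strings = data[pos:pos + size], []
        (ncomp,) = struct.unpack(">H", e[:2]); p = 2
        for _ in range(ncomp + 1):               # realm, then the name components
            (n,) = struct.unpack(">H", e[p:p + 2]); p += 2
            strings.append(e[p:p + n].decode()); p += n
        name_type, _ts, kvno, enctype, _klen = struct.unpack(">IIBHH", e[p:p + 13])
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "realm": strings[0],
                        "name_type": name_type, "kvno": kvno, "enctype": enctype})
        pos += size                              # trailing bytes (optional 32-bit kvno) are skipped
    return entries

# enctype 18 = AES256-SHA1 (aes256-cts-hmac-sha1-96), 23 = RC4-HMAC-NT (arcfour-hmac)
def check_keytab(data, appliance_fqdn, mixed_environment=False):
    """List what would break the setup above: wrong SPN, lowercase realm, wrong enctype."""
    problems = []
    for e in parse_keytab(data):
        if e["realm"] != e["realm"].upper():
            problems.append(f"realm not in capital letters: {e['realm']}")
        if e["principal"].split("@")[0] != f"HTTP/{appliance_fqdn}":
            problems.append(f"SPN does not match appliance: {e['principal']}")
        if e["enctype"] == 23 and not mixed_environment:
            problems.append("RC4-HMAC-NT key; a pure 2008/Windows 7 environment should use AES256-SHA1")
        elif e["enctype"] not in (18, 23):
            problems.append(f"unexpected enctype {e['enctype']}")
    return problems
```

Run check_keytab(open("keytabfile.key", "rb").read(), "proxy.example.com") against the real file; an empty list means the keytab is ready for upload.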