The steps involved in Kerberos authentication involve the following actions:
1 |
Initial Authentication for a Kerberos Session (Kerberos step 1) |
2 |
Subsequent Kerberos Authentications (Kerberos step 2) |
Foglight Agent Manager always generates an auth.login.config file that is used for Kerberos. It is generated by the Agent Manager on both UNIX® and Windows®, and is used to configure the Kerberos module that the Agent Manager uses for authentication. This file is located in the <fglam_dir>/state/default/config directory, and must never be modified.
• |
• |
UNIX: |
• |
/etc/krb5.conf |
• |
To detect the settings on Windows, the following environment variables are checked:
• |
%LOGONSERVER%: Provides the name of the domain controller that authenticated the client's logon to the machine. This value is just the simple name of the KDC, but the fully qualified name must be used in the configuration file. |
• |
%USERDNSDOMAIN%: Provides the fully qualified DNS domain that the currently logged on user's account belongs to. |
If the Kerberos configuration file is generated by the Agent Manager, it is placed in the <fglam_dir>/state/default/config/krb5.config file, and an entry is added to the <fglam_dir>/state/default/config/fglam.config.xml file so that the Agent Manager is aware of the file location. An example of this entry on Windows is as follows:
If the file is not generated, you can generate your own file, add a value for the krb5-config-file entry in the fglam.config.xml file, and restart the Agent Manager.
The Kerberos configuration file typically looks like:
• |
The default_realm value is used to determine what KDC should be used, if the realm cannot be determined from the domain. |
• |
The [realms] section is used to provide the KDC for the specified realm |
• |
The [domain_realm] section is used to map the domain to the realm to use. |
So for example, if connecting to a host A with user credential example.com\UserX, the kerberos file is used as follows:
1 |
2 |
3 |
The realm EXAMPLE.COM is then found, and its KDC value is used to determine the KDC to use for authentication. |
4 |
The KDC, HOST1.EXAMPLE.COM, is then communicated with for authentication. |
In another example, if connecting to a host B with user credential other.domain\UserY, the same Kerberos file is used as follows:
1 |
2 |
The domain other.domain does not map to any realm in the domain_realm section, so the KDC is attempted to be resolved from the DNS. |
3 |
Typically, the DNS does not find the KDC for the different domain, and so the default_realm value, EXAMPLE.COM is used instead. |
4 |
The realm EXAMPLE.COM is then found, and its KDC value is used to determine the KDC to use for authentication. |
5 |
The KDC, HOST1.EXAMPLE.COM, is then communicated with for authentication of the user credential. |
To specify a non-default realm to use for the other.domain value is the second example, the Kerberos configuration file can be modified as follows
Now, if a domain of other.domain is encountered, the realm used will be OTHER.DOMAIN instead of the default_realm value since there is a domain mapping entry. This can be repeated for other domains and realms.
This is the reason that fully qualified domain names be used for the domain value of the credential. Also, to prevent any possible DNS issues with the KDC, the fully qualified name of the host should be used, such as A.example.com or B.other.domain.
The Basic authentication mechanism simply provides HTTP headers to the remote machine, to provide the credentials that should be used for authentication. There is no use of a configuration file or a KDC. The mechanism provides no protection for the transmitted credentials, since they are simply encoded in base64 and not encrypted or hashed. To address any security concerns, it is recommended that Basic authentication attempts are made over an HTTPS and not HTTP connection. Since the KDC is not involved in the authentication process, the credentials used for Basic authentication must be local user credentials, such as local user credentials for the remote machine, and not domain user credentials.
The Agent Manager supports Basic and Negotiate WinRM authentication schemes with Windows credentials. The Negotiate authentication scheme is enabled by default in WinRM and is the recommended way to authenticate in most environments.
In order to establish connections over Windows® Remote Management (WinRM), you must provide a Windows credential. For more information, see Configuring credentials.
The Basic authentication scheme requires local Administrator accounts; you cannot use domain accounts. For more information, see Promoting remote users to administrators on local machines through the Domain Controller. Basic authentication is insecure because it transmits user names and passwords in an easily decoded string, and therefore it should not be used on an untrusted network. If Basic authentication is required, and security is a concern, configure the target system to accept only HTTPS traffic. For more information, see Manually configuring WinRM HTTPS access. If Basic authentication is not acceptable in your environment because of some specific security concerns, it can always be disabled.
You can also use Windows Group Policy Objects to automatically configure HTTP or HTTPS listeners in WinRM. For more information, see Using Group Policy Objects to configure WinRM.
You can also use the Enable WinRM authentication based on only Basic or Negotiate type switch in the FglAMAdapter Properties view to decide which WinRM authentication scheme will be used.
• |
False: Negotiate authentication scheme will be attempted at first. If Negotiate fails, then Basic authentication will be attempted. |
• |
Recent versions of Windows® OS include WinRM, but it is disabled by default. There are two ways to configure HTTP or HTTPS: manually or using Group Policy Objects.
The default WinRM settings allow only Negotiate authentication.
3 |
Optional. If Negotiate authentication is enabled, and you want to disable it, type the following: |
TIP: To enable or disable either Basic or Negotiate authentication, use the following command syntax:
winrm set winrm/config/service/auth @{<Basic|Negotiate>="<true|false>"} |
The certificate must be granted by a recognized certificate-granting authority (CA) in order for the Agent Manager to authenticate it. Otherwise you must install the root CA certificate in the Agent Manager’s trusted keystore, as described in Installing HTTPS certificates.
• |
host is a fully qualified host name, as it appears in the certificate. |
• |
thumbprint is the certificate thumbprint, with spaces removed. |
1 |
On the target machine, click Start. |
2 |
3 |
4 |
The Console Root window appears. |
5 |
6 |
In the Add or Remove Snap-ins dialog box that appears, in the Available snap-ins area, select Group Policy Object, and click Add. |
7 |
8 |
9 |
In the Console Root window, in the navigation tree on the left, choose Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service. |
11 |
After you have edited the settings as necessary for your environment, close the Console Root window. |
2 |
Launch a command shell on the Agent Manager machine, and navigate to the <fglam_home>/bin directory. |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center