
Configuring the Edge Gateway to enable Kerberos authentication

It is recommended to place AD domain administrator accounts in the Protected Users group. Once these accounts are placed in Protected Users, NTLM connections are no longer possible and the Kerberos protocol is used instead.

For this change to be taken into account in cyberelements.io or cyberelements Cleanroom, the krb5-config package must be configured on the Edge Gateway servers to enable them to use Kerberos.

Note

For this part to work, a Kerberos flow must be open between the Edge Gateway servers and the AD domain controller server (this server acts as the KDC, the Kerberos Key Distribution Center).
As a reminder, by default this flow is UDP port 88. The following configuration retrieves Kerberos information via DNS, so the UDP port 53 flow is also necessary.

Use the following command line:

dpkg-reconfigure krb5-config

Enter the Kerberos realm by typing the name of your domain (FQDN) in uppercase.

Example

domain: domain.local
realm: DOMAIN.LOCAL

Then answer <No> so that no manual configuration is needed. In this case, all Kerberos-related information (realm and KDC locations) will be retrieved via DNS.

Information

For all advanced and manual settings, edit the file /etc/krb5.conf (no service restart is required after modification).
The configuration options are documented in man 5 krb5.conf.
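The following POSIX shell script is an added example (not part of the cyberelements documentation) that renders the realm name the way this procedure expects, shows the DNS-discovery settings an equivalent /etc/krb5.conf relies on, and pre-checks the two flows named in the note above. It assumes that dig (dnsutils) and nc (netcat) are installed on the Edge Gateway, and it probes TCP 88 as a stand-in for UDP 88, since UDP cannot be reliably probed with nc; the rendered file is the minimal DNS-discovery equivalent, not necessarily byte-for-byte what dpkg-reconfigure writes.

```shell
#!/bin/sh
# Kerberos pre-flight checks for an Edge Gateway using DNS-based KDC discovery.
# Added example: helper names (realm_from_domain, check_kdc_reachability, ...) are ours.

# AD realms are, by convention, the DNS domain name in uppercase (realms are case-sensitive).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# SRV names a DNS-discovering client queries for a realm; DNS names are
# case-insensitive, so the realm is lowercased to match what AD publishes.
kerberos_srv_names() {
    d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$d" "$d"
}

# Minimal /etc/krb5.conf equivalent to answering <No>: only the default realm
# is fixed; KDC and realm lookups are explicitly left to DNS (UDP 53).
render_krb5_conf() {
    printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_kdc = true\n\tdns_lookup_realm = true\n' "$1"
}

# Verify the two flows from the note: SRV discovery (DNS) and KDC port 88.
# Returns non-zero with a diagnostic as soon as one of them fails.
check_kdc_reachability() {
    realm=$1
    for name in $(kerberos_srv_names "$realm"); do
        # dig +short prints one "priority weight port target." line per SRV record
        srv=$(dig +short SRV "$name") || return 1
        [ -n "$srv" ] || { echo "no SRV record for $name (check DNS / UDP 53)"; return 1; }
        echo "$srv" | while read -r prio weight port target; do
            host=${target%.}
            # TCP probe; AD KDCs listen on 88/tcp as well as 88/udp
            if ! nc -z -w 3 "$host" "$port"; then
                echo "KDC $host:$port not reachable (check Kerberos flow / port 88)"; exit 1
            fi
            echo "KDC $host:$port reachable"
        done || return 1
    done
}

if [ $# -ge 1 ]; then
    check_kdc_reachability "$(realm_from_domain "$1")"
fi
```

Run it as `sh kerberos-preflight.sh domain.local` on the Edge Gateway; a non-zero exit points at the blocked flow before you touch the RDP application configuration.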

At this stage, provided no strong Kerberos authentication is required, connections to privileged RDP applications in agentless mode (HTML5 or not) should work with user accounts belonging to Protected Users. The configuration of the RDP application must meet certain prerequisites.