Enabling Kerberos Authentication between EPMM and the SCEP and LDAP servers

You can use Kerberos authentication to communicate between Ivanti EPMM and the SCEP and LDAP servers. The following sections discuss how to enable Kerberos authentication on servers and Ivanti EPMM.

Pre-configuration steps

  1. In the Active Directory server, check that a service account is available.

  2. In the SCEP Server, check that the service account is a member of the local IIS_USRS group.

  3. In the CA server certificate template that is being provisioned, check that the service account has enroll permission.

Configuring Windows servers

  1. Run the following command on a domain controller:

       setspn -s http/<SCEP-SERVER-FQDN> <domain>\<service account>

  2. In Active Directory Users and Computers, open the Delegation tab of the service account:

    1. Under Trust this user for delegation to specified services only, select Use Kerberos Only.
    2. Click Add and add the SCEP server name.
    3. Select the http service.
    4. Click OK.

  3. Do the following in the IIS server to make sure that Application Pool credentials are used to decrypt Kerberos tickets:

    1. Check that the SCEP Application Pool is running under the service account.

    2. Disable Kernel mode and enable useAppPoolCredentials.

  4. Make sure that Negotiate is the first choice in the Authentication > Providers dialog box.

  5. Restart the IIS service.
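The same server-side steps as a PowerShell script with the checks an administrator would want to see before trusting the setup (no duplicate SPN, delegation restricted to Kerberos only, app pool identity and IIS authentication settings confirmed). This is an added example, not from the Ivanti documentation; the service account name, the application pool name and the NDES application path are assumptions.

```powershell
# Added example (not Ivanti's own). Assumptions: service account 'svc-ndes',
# application pool 'SCEP', NDES application at 'Default Web Site/certsrv/mscep'.
# Part 1 runs on a domain controller (ActiveDirectory module);
# part 2 runs on the SCEP/NDES server (WebAdministration module).
$ServiceAccount = 'svc-ndes'                        # assumption
$ScepFqdn       = 'scep.ivanti.com'                 # example hostname from the table below
$AppPool        = 'SCEP'                            # assumption
$AppPath        = 'Default Web Site/certsrv/mscep'  # assumption: default NDES path
$Spn            = "http/$ScepFqdn"

# ---- Part 1: SPN and constrained delegation ("Use Kerberos Only") ----
# A duplicate SPN makes the KDC issue tickets for the wrong account, so query first.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Warning "$Spn is already registered; resolve the duplicate first:`n$($query -join "`n")"
} else {
    setspn -S $Spn $ServiceAccount
}
# Delegate only to the http service on the SCEP server. "Use Kerberos Only"
# means no protocol transition, i.e. TrustedToAuthForDelegation stays off.
Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $false
$acct = Get-ADUser $ServiceAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
"Delegation targets : $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
"Protocol transition: $($acct.TrustedToAuthForDelegation)   (expected: False)"

# ---- Part 2: IIS on the SCEP/NDES server ----
Import-Module WebAdministration
$pool = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
"App pool identity  : $($pool.identityType) $($pool.userName)   (expected: SpecificUser $ServiceAccount)"

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'
# Kernel-mode authentication decrypts tickets with the machine account, but the
# ticket is encrypted for the service account: switch to app pool credentials.
Set-WebConfigurationProperty -PSPath $apphost -Location $AppPath -Filter $filter -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $AppPath -Filter $filter -Name useAppPoolCredentials -Value $true

# Negotiate must be listed before NTLM, otherwise clients fall back to NTLM.
$providers = (Get-WebConfiguration -PSPath $apphost -Location $AppPath -Filter "$filter/providers/add").value
"Auth providers     : $($providers -join ', ')   (expected: Negotiate first)"
if ($providers[0] -ne 'Negotiate') {
    Write-Warning "Move Negotiate to the top of Authentication > Providers for $AppPath"
}

# Restart IIS so the new settings take effect.
iisreset
```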


Configuring Kerberos

This section discusses how to configure Kerberos on the Ivanti EPMM server.

Configuring Kerberos settings in Ivanti EPMM

In Ivanti EPMM Admin Portal > Settings > System Settings > Security > Outbound Kerberos Authentication, enter the following:

Table 80.  Outbound Kerberos Authentication

  UI Section                                            | Choice
  ------------------------------------------------------|-------------------------------------------------------------------
  Active Directory's Kerberos Realm                     | IVANTI.COM
  Corresponding Key Distribution Center (KDC) server    | kdc.ivanti.com
  Domains for outbound communication with Microsoft AD  | Hostnames (not case sensitive) must end in .ivanti.com or .IVANTI.COM.
  Certificate Services                                  | LDAP server: you can also use hostnames, such as ad.ivanti.com
                                                        | SCEP/NDES server: you can also use hostnames, such as ndes.ivanti.com or scep.ivanti.com
  Service user credentials                              | user@realm, for example: [email protected]

Enabling Kerberos authentication on the Microsoft SCEP Certificate Enrollment configuration

To enable Kerberos authentication, in the Edit SCEP Certificate Enrollment Setting window (Policies & Configs > Configurations > Edit existing or Add new > Certificate Enrollment > SCEP), select the Prefer Kerberos authentication checkbox.

Enabling Kerberos authentication on the LDAP configuration

To change the LDAP configuration, in the Modifying LDAP Setting window (Services > LDAP), enable the Kerberos authentication method in the Advanced options.

    Note: LDAP Kerberos authentication is supported only in direct mode. Ivanti does not yet support Kerberos authentication in LDAP with connector mode.