Configuring Kerberos authentication for DFS

Authentication to DFS servers using Kerberos requires additional setup in the KDC and the Standalone Sentry system manager. To support Kerberos authentication for DFS, map the SPN of the CIFS service domain to one of its domain controllers (DCs). If your Kerberos environment has multiple DCs, add the DC you are mapping to as a static host in the Ivanti Standalone Sentry system manager to avoid authentication failure.

If your Kerberos environment has multiple DCs, you can map the SPN of the CIFS service domain to only one DC.

Before you begin 

Set up Ivanti Standalone Sentry for authentication using Kerberos. See Configuring authentication using an identity certificate and Kerberos constrained delegation. See Authentication using an Identity certificate and Kerberos constrained delegation.

Procedure 

1. Map the SPN of the domain to one of its Domain Controllers (DC).
2. On the KDC, associate the Standalone Sentry service account to the CIFS service.
3. If the domain contains multiple DCs, add a static host for the DC in the Standalone Sentry system manager:

   a. Sign in to the Ivanti Standalone Sentry system manager.
   b. Go to Settings > Static Hosts.
   c. Click Add.
   d. Configure the following:
      - IP address: IP address of the DC.
      - FQDN: FQDN of the DC entered in Step 1.
      - Alias: short name of the DC followed by a space.

      Example:
      - IP Address: 192.168.10.5
      - FQDN: win2k8.texas.enterprise.com
      - Alias: win2k8 texas.enterprise.com
   e. Click Save.
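One way to check the result of steps 1 to 3 from a domain-joined Windows host, as an added example that is not Ivanti's own tooling. It assumes the SPN takes the form cifs/<domain>, that step 2 is a constrained-delegation entry on the service account, and a hypothetical account name svc-sentry; the host values are those from the example above.

```powershell
# Added verification sketch. Requires the ActiveDirectory (RSAT) and DnsClient modules.
Import-Module ActiveDirectory

$Domain     = 'texas.enterprise.com'         # domain from the example above
$DcFqdn     = 'win2k8.texas.enterprise.com'  # DC chosen in step 1 (example value)
$DcIp       = '192.168.10.5'                 # static host IP (example value)
$SentryAcct = 'svc-sentry'                   # hypothetical Sentry service account
$Spn        = "cifs/$Domain"                 # assumed SPN form for the CIFS service domain

$problems = @()

# Step 1: the SPN must sit on exactly one account, and that account must be the chosen DC.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties dNSHostName)
if ($owners.Count -ne 1) {
    $problems += "SPN $Spn is registered on $($owners.Count) accounts; expected exactly 1"
} elseif ($owners[0].dNSHostName -ne $DcFqdn) {
    $problems += "SPN $Spn is mapped to '$($owners[0].dNSHostName)', not $DcFqdn"
}

# Step 2 (assumed to mean constrained delegation): the service account must be
# allowed to delegate to the CIFS SPN.
$acct    = Get-ADUser -Identity $SentryAcct -Properties 'msDS-AllowedToDelegateTo'
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed -notcontains $Spn) {
    $problems += "$SentryAcct is not allowed to delegate to $Spn"
}

# Step 3: the static host entry should agree with DNS, otherwise the entry pins
# the DC name to the wrong address.
$dnsIps = @(Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress })
if ($dnsIps -notcontains $DcIp) {
    $problems += "Static host IP $DcIp is not an A record of $DcFqdn (DNS: $($dnsIps -join ', '))"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "SPN mapping, delegation and static host values are consistent."
```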
