Enabling Kerberos Authentication between EPMM and the SCEP and LDAP servers
You can use Kerberos authentication for communication between Ivanti EPMM and the SCEP and LDAP servers. The following sections describe how to enable Kerberos authentication on the Windows servers and on Ivanti EPMM.
Pre-configuration steps
- In the Active Directory server, check that a service account is available for Ivanti EPMM to use.
- In the SCEP server, check that the service account is a member of the local IIS_IUSRS group.
- In the CA server certificate template that is being provisioned, check that the service account has Enroll permission.
Configuring Windows servers
- Run the following command on a domain controller to register the HTTP service principal name (SPN) of the SCEP server on the service account:
  setspn -s http/<SCEP-SERVER-FQDN> <domain>\<service account>
- In Active Directory Users and Computers, open the service account and click the Delegation tab:
  - Select Trust this user for delegation to specified services only, then select Use Kerberos only.
  - Click Add and add the SCEP server name.
  - Select the http service.
  - Click OK.
- Do the following in IIS on the SCEP server to make sure that the application pool credentials (the service account's key, not the machine account's) are used to decrypt Kerberos tickets:
  - Check that the SCEP application pool is running under the service account.
  - Disable kernel mode authentication and enable useAppPoolCredentials. (Either setting on its own makes IIS decrypt tickets with the application pool identity; setting both is harmless.)
  - Make sure that Negotiate is the first provider in the Authentication > Providers dialog box, ahead of NTLM.
  - Restart the IIS service.
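The Windows-side procedure above, as an added PowerShell example that is not part of the original page or of Ivanti's own tooling. It assumes a domain CORP, a service account svc-ndes, a SCEP/NDES server ndes.corp.example, an application pool named SCEP and the NDES virtual directory at Default Web Site/CertSrv/mscep; none of these names come from the page. The Active Directory part runs as a domain administrator on a domain controller, the IIS part as a local administrator on the SCEP server, and each step is followed by the check a practitioner would run before moving on.

```powershell
# Added example (not from the page). Assumed names: domain CORP, service
# account svc-ndes, SCEP server ndes.corp.example, app pool "SCEP",
# NDES virtual directory "Default Web Site/CertSrv/mscep".
$Domain     = 'CORP'
$SvcAccount = 'svc-ndes'
$ScepFqdn   = 'ndes.corp.example'
$Spn        = "http/$ScepFqdn"

# --- On a domain controller -------------------------------------------
Import-Module ActiveDirectory

# 1. Register the HTTP SPN on the service account. -S refuses to add a
#    duplicate SPN, which would otherwise break Kerberos silently.
setspn -S $Spn "$Domain\$SvcAccount"

# 2. Constrained delegation, "Use Kerberos only": list the SCEP SPN in
#    msDS-AllowedToDelegateTo and keep protocol transition
#    (TrustedToAuthForDelegation) switched off.
Set-ADUser -Identity $SvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $false

# Check: SPN is unique, delegation target is set, Kerberos-only is in effect.
setspn -Q $Spn
Get-ADUser -Identity $SvcAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

# --- On the SCEP (NDES) server ----------------------------------------
Import-Module WebAdministration

$AppPool  = 'SCEP'
$SitePath = 'Default Web Site/CertSrv/mscep'
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'
$Apphost  = 'MACHINE/WEBROOT/APPHOST'

# 3. Run the application pool as the service account that owns the SPN.
$cred = Get-Credential -UserName "$Domain\$SvcAccount" -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "$Domain\$SvcAccount"
    password     = $cred.GetNetworkCredential().Password
}

# 4. Disable kernel-mode authentication and make IIS decrypt tickets with
#    the app pool identity. Either setting alone is enough; the page asks
#    for both, which is harmless.
Set-WebConfigurationProperty -PSPath $Apphost -Location $SitePath -Filter $Filter `
    -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $Apphost -Location $SitePath -Filter $Filter `
    -Name useAppPoolCredentials -Value $true

# 5. Put Negotiate ahead of NTLM: remove it wherever it is, re-add at index 0.
Remove-WebConfigurationProperty -PSPath $Apphost -Location $SitePath `
    -Filter "$Filter/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
Add-WebConfigurationProperty -PSPath $Apphost -Location $SitePath `
    -Filter "$Filter/providers" -Name '.' -Value @{ value = 'Negotiate' } -AtIndex 0

# Check: provider order and kernel-mode flag as the page requires.
Get-WebConfiguration -PSPath $Apphost -Location $SitePath -Filter "$Filter/providers/add" |
    Select-Object value
Get-WebConfigurationProperty -PSPath $Apphost -Location $SitePath -Filter $Filter -Name useKernelMode

# 6. Restart IIS so the worker process picks up the new identity and settings.
iisreset
```

If the Windows authentication section is locked at the server level, the two Set-WebConfigurationProperty calls fail with an override error; unlock the section in the IIS Configuration Editor (or with Set-WebConfiguration -Metadata overrideMode) before re-running them.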
Configuring Kerberos
This section describes how to configure Kerberos on the Ivanti EPMM server.
Configuring Kerberos settings in Ivanti EPMM
In Ivanti EPMM Admin Portal > Settings > System Settings > Security > Outbound Kerberos Authentication, enter the following:

| UI Section | Choice |
|---|---|
| Active Directory's Kerberos Realm | IVANTI.COM |
| Corresponding Key Distribution Center (KDC) server | Hostname of the KDC (a domain controller for the realm) |
| Domains for outbound communication with Microsoft AD Certificate Services | Hostnames (not case sensitive) must end in .ivanti.com or .IVANTI.COM. LDAP server: you can also use a hostname, such as ad.ivanti.com. SCEP/NDES server: you can also use a hostname, such as ndes.ivanti.com or scep.ivanti.com. |
| Service user credentials | user@realm, for example [email protected] |
Enabling Kerberos authentication on the Microsoft SCEP Certificate Enrollment configuration
To enable Kerberos authentication, in the Edit SCEP Certificate Enrollment Setting window (Policies&Configs > Configurations > Edit existing or Add new > Certificate Enrollment > SCEP) enable the checkbox Prefer Kerberos authentication.
Enabling Kerberos authentication on the LDAP configuration
To change the LDAP configuration, in the Modifying LDAP Setting window (Services > LDAP), enable the Kerberos authentication method in the Advanced options.
- Note: LDAP Kerberos authentication is supported only in direct mode. Ivanti does not yet support Kerberos authentication for LDAP in connector mode.