Support for Kerberos

Hi,

Would like to see support for the Kerberos protocol.
Not much use making an admin account a member of the Protected Users group when AuthPoint does not support Kerberos.

If the user account does not allow NTLM authentication, AuthPoint gives us this:

Reason: The LDAP password is not valid.
Error: 201.045.003 - Authentication transaction is not authorized.

/Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @rv@kaufmann.dk
    Support for that group was added in AuthPoint agent 2.5 -- if you're not already running that version, I'd suggest doing so and trying that.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    Sorry for not being more specific. Yes, you are correct, Kerberos authentication works with the Windows Logon App agent, but it is not supported on https://authpoint.watchguard.com/kaufmann and Firebox authentication.

    /Robert

  • james.carson Moderator, WatchGuard Representative

    Hi @rv@kaufmann.dk
    Generally these types of accounts will be used only for administrative purposes, for example, using the run as command to run a task. I'd be happy to make a feature request -- but what types of circumstances would have an administrative user using the IDP portal and logging in via the firebox itself?

    -James Carson
    WatchGuard Customer Support

  • @james.carson

    I do have some "external" parties (very limited) which are also administrators, and we can disable the use of Firebox authentication as they also have access to the guest via VMware. They are admins at 1 of our sites, but not at other sites we are running.

    At other times we have accounts which have to be admins on specific servers, and here we would benefit from the value we get from membership of the Protected Users group.

    To 2 of those I sent WG hardware tokens which they had to activate, but they were unable to do so before I removed them from the Protected Users group.

    Of course I could activate them in the portal and add the users back to the Protected Users group afterwards. But in day-to-day life, it would be a nice feature if Fireware, and AuthPoint, had support for Kerberos also.

    Does it make sense?

  • edited June 12

    Windows Hello and UAC are supported in the v3.2 version of the Agent for Windows for admins and protected users to go passwordless and verify privilege elevation (vs. consent). It can also be installed on Windows Server. Kerberos is supported in Windows and Windows Server. To support Kerberos SSO, your network requires:

    A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS), which you can deploy with a Windows Server domain controller. This is not an option for AuthPoint as we do not provide on-premises servers.

  • @HeadofAuthPoint

    What is the roadmap when Microsoft deprecates all versions of NTLM in the next version of Windows client and server?

    /Robert
