How to turn on Kerberos authentication

Configure Kerberos authentication in XG Firewall.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Specify a hostname for XG Firewall.
  • Configure an active directory server.
  • Confirm the active directory server is the primary service for authentication.
  • Turn on AD SSO for the zones requiring Kerberos authentication.
  • Turn on Kerberos authentication for Web authentication.

Configure a Hostname

Services such as Kerberos require a fully qualified hostname to work correctly.

  1. Go to Administration > Admin settings.
  2. For Hostname, enter an FQDN. Example: SFOS.customer.local
    Note By default, the serial number is used as the hostname if you don't configure a specific FQDN hostname during the initial setup of XG Firewall.
  3. Click Apply.

Add an Active Directory server

First, you add an Active Directory server that includes a search query.

You’ll need the following information to complete this task:
  • Domain name
  • NetBIOS domain
  • Active Directory server password

Check the properties of the Active Directory server. For example, on Microsoft Windows, go to Windows Administrative Tools.

Search queries are based on the domain name, written as an LDAP distinguished name (DN) with one dc= component per label. In this example, the domain name is sophos.com, so the search query is: dc=sophos,dc=com.
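The two values above that are easy to get wrong are the firewall hostname (it must be a real FQDN, not the default serial number) and the search query derived from the domain name. The following pre-flight checker is an added example and not part of the original page or of XG Firewall: it validates a hostname as an FQDN and derives the LDAP base DN from a domain name, generalizing the sophos.com case to domains with any number of labels. All function names are this example's own.

```python
import re

# Hostname label syntax (RFC 1123): 1-63 alphanumerics or hyphens,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """Return True if hostname is a fully qualified domain name.

    Kerberos service principals are built from the host's FQDN, so a
    single label such as a serial number (the XG default) is rejected.
    """
    name = hostname.rstrip(".")          # tolerate a trailing root dot
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def domain_to_base_dn(domain: str) -> str:
    """Convert a DNS domain name to the LDAP base DN used as the search query.

    sophos.com         -> dc=sophos,dc=com
    corp.example.local -> dc=corp,dc=example,dc=local
    """
    labels = domain.rstrip(".").lower().split(".")
    if any(not _LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def preflight(hostname: str, domain: str) -> dict:
    """Gather the values to enter in the Admin settings and Servers forms."""
    return {
        "hostname": hostname,
        "fqdn_ok": is_fqdn(hostname),
        "search_query": domain_to_base_dn(domain),
    }


if __name__ == "__main__":
    # Values taken from the examples in this page.
    print(preflight("SFOS.customer.local", "sophos.com"))
    # A serial-number style hostname (constructed) fails the FQDN check.
    print(preflight("C01001234567890", "sophos.com"))
```

Run it with the hostname you intend to set and the AD domain name; copy the search_query value into the Search queries field, and fix the hostname first if fqdn_ok is False.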

  1. Go to Authentication > Servers and click Add.
  2. Specify the settings.
    Note For settings not listed here, use the default value.
    Use the password configured on the Active Directory server.
    Option             Description
    Server type        Active directory
    Server name        My_AD_Server
    Server IP/domain   192.168.1.100
    NetBIOS domain     sophos
    ADS username       administrator
    Password           <AD server password>
    Domain name        sophos.com
    Search queries     dc=sophos,dc=com
  3. Click Test connection to validate the user credentials and check the connection to the server.
    Note When both synchronized user ID and STAS are configured, the authentication server uses the mechanism from which it receives the sign-in request first.
  4. Click Save.

Set primary authentication method

To query the Active Directory server first, set it as the primary authentication method. When users sign in to the firewall for the first time, they are automatically added as a member of the default group specified.

  1. Go to Authentication > Services.
  2. In the authentication server list under Firewall authentication methods, select My_AD_Server.
  3. Move the server to the first position in the list of selected servers.
  4. Click Apply.

Go to Authentication > Groups and verify the imported groups.

Turn on AD SSO for LAN zones

Turn on Active Directory authentication for the required zones.

Active Directory authentication is required for Kerberos or NTLM to work.

  1. Go to Administration > Device access.
  2. Use the checkbox to turn on AD SSO for the LAN zone. You can also turn on AD SSO for other zones if required.
  3. Click Apply.

Turn on Kerberos authentication for Web authentication

This allows browsers to authenticate using Kerberos.

  1. Go to Authentication > Web authentication.
  2. Make sure Kerberos & NTLM is selected under If Active Directory (AD) SSO is configured.
  3. Click Apply.

Check Kerberos connection

Use the Log viewer to check Kerberos is working.

Once Kerberos has been configured, you can check that web requests are being authenticated correctly.

  1. Open the Log viewer.
  2. Using the drop-down menu, select the Authentication logs.
  3. Open a web page in your browser.
  4. Check that Kerberos is the authentication protocol used in the Log component column for the web request.
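When many clients are involved, reading the Log component column by eye does not scale. The script below is an added example and not part of the original page or of XG Firewall: it summarizes an exported batch of authentication log lines, counting successful sign-ins per component and listing the clients that authenticated with something other than Kerberos. The key="value" layout and the field names (log_component, status, user, src_ip) are assumptions made for this example, and the sample lines are constructed, not real firewall output.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed key="value" layout. Field names are
# this example's assumptions, not a documented XG Firewall log schema.
SAMPLE_LOG = """\
timestamp="2024-01-15 09:12:01" log_type="Event" log_component="Kerberos" status="Successful" user="alice" src_ip="192.168.1.20"
timestamp="2024-01-15 09:12:05" log_type="Event" log_component="NTLM" status="Successful" user="bob" src_ip="192.168.1.21"
timestamp="2024-01-15 09:12:09" log_type="Event" log_component="Kerberos" status="Failed" user="carol" src_ip="192.168.1.22"
timestamp="2024-01-15 09:12:12" log_type="Event" log_component="Web Authentication" status="Successful" user="dave" src_ip="192.168.1.23"
"""

_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Split one key="value" log line into a dict (empty dict for blank/odd lines)."""
    return dict(_KV_RE.findall(line))


def summarize(log_text: str) -> dict:
    """Count successful sign-ins per log component and flag non-Kerberos clients."""
    by_component = Counter()
    non_kerberos = []   # (src_ip, user, component) for successes not via Kerberos
    failures = []       # (user, component) for records whose status is not Successful
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        component = rec.get("log_component", "")
        if rec.get("status") != "Successful":
            failures.append((rec.get("user"), component))
            continue
        by_component[component] += 1
        if component != "Kerberos":
            non_kerberos.append((rec.get("src_ip"), rec.get("user"), component))
    return {
        "by_component": dict(by_component),
        "non_kerberos": non_kerberos,
        "failures": failures,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("successful sign-ins per component:", result["by_component"])
    for src_ip, user, component in result["non_kerberos"]:
        print(f"not Kerberos: {user}@{src_ip} used {component}")
    for user, component in result["failures"]:
        print(f"failed: {user} via {component}")
```

A client that shows up under NTLM rather than Kerberos is the one to look at next; in practice the browser reached the firewall by IP address or a short name instead of the FQDN configured in Admin settings, so no Kerberos ticket for the firewall's service principal could be obtained and the browser fell back to NTLM.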