Enabling Kerberos authentication


Product(s): AssetWise Asset Reliability
Version(s): 7.4.0 & 7.5.0
Environment: N/A
Area: N/A
Subarea: N/A

Note: Hotfix 221 is required on the 7.4.0 release, and hotfix 208 is required on the 7.5.0 release.

What is Kerberos authentication?

Kerberos authentication provides a mechanism for mutual authentication between the client and the server. Not only is the server given assurance that the client is who it claims to be, the client is also given assurance that the server is the one it expects, which defeats 'man in the middle' attacks.

Kerberos is offered by Microsoft as an alternative to NTLM authentication. Microsoft positions it as more secure, flexible and efficient than NTLM.

More details here:  https://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

Enabling Kerberos authentication for APM

Server Service Principal Name (SPN)

In order to enable Kerberos authentication between a client and a server, the client must construct and present an SPN for the service it is connecting to. The default format for APM should be:

IvaraServer/{server}:{port}

Where {server} is the name of the server as reported to the server manager and {port} is the port the server is listening on. Both are specified in the server's settings under "network".

More information about Service Principal Names can be found in this MSDN article

Registering the SPN

SPNs must be registered manually in AD using the setspn command. A future enhancement is being considered for APM to register its SPN automatically when the service starts.

The SPN should be registered against the account that the service will run under. In the case of LocalSystem (the recommended credentials), the SPN is registered against the server's computer account. The SPN must be registered in AD by someone with domain admin authority. It is recommended to register both the NetBIOS and Fully Qualified Domain Name versions of the SPN. Use the following commands from an administrator command prompt:

setspn -s IvaraServer/{server}:{port} {domain}\{server}

setspn -s IvaraServer/{server.domain.com}:{port} {domain}\{server}

For example, substitute the server name and port shown in the settings above into those two commands.

If the service is being run with a domain service account, then the SPN should be registered against the service account instead, with the following commands:

setspn -s IvaraServer/{server}:{port} {domain}\{service account}

setspn -s IvaraServer/{server.domain.com}:{port} {domain}\{service account}

Having the SPN registered in AD (by the domain admin) is what gives the client assurance that the server is in fact running under the LocalSystem or domain account credentials it expects.

The SPN can be validated by running the following command:

setspn -l {domain}\{server}

or

setspn -l {domain}\{account}
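The registration steps and the validation step above, as one added worked example that is not part of the original article or of the APM product: a PowerShell script that expands the SPN template the same way the smart client does, registers both the NetBIOS and FQDN forms with setspn -s against either the computer account (LocalSystem) or a domain service account, and then reads setspn -l back to confirm both forms are present. setspn -s refuses to add an SPN that already exists in the forest, which matters because a duplicate SPN leaves the KDC unable to choose a key and Kerberos then fails for that service. The server name, port, domain, DNS suffix and account name are assumed placeholder values.

```powershell
# Added example, not part of the original article or the APM product.
# Registers both SPN forms against the right account, then verifies them.
# All values in the param block are assumptions for illustration.
# Run from an elevated prompt with domain admin rights (setspn.exe ships
# with the AD DS / RSAT tools).
param(
    [string]$Server         = 'APMSRV01',          # name as reported to the server manager (assumed)
    [int]   $Port           = 8888,                # port from the server's "network" settings (assumed)
    [string]$Domain         = 'CORP',              # NetBIOS domain name (assumed)
    [string]$DnsSuffix      = 'corp.example.com',  # DNS domain used for the FQDN form (assumed)
    [string]$ServiceAccount = ''                   # empty = service runs as LocalSystem
)

# The same template the smart client is configured with. The client expands
# {server} and {port} at startup; expanding it here tells us what AD must hold.
$Template = 'IvaraServer/{server}:{port}'

function Expand-Spn {
    param([string]$Template, [string]$HostName, [int]$Port)
    return ($Template -replace '\{server\}', $HostName) -replace '\{port\}', $Port
}

$Spns = @(
    (Expand-Spn -Template $Template -HostName $Server -Port $Port),              # NetBIOS form
    (Expand-Spn -Template $Template -HostName "$Server.$DnsSuffix" -Port $Port)  # FQDN form
)

# LocalSystem -> the SPN lives on the computer account; a domain service
# account -> it lives on that account (as in the article's commands).
$Target = if ($ServiceAccount) { "$Domain\$ServiceAccount" } else { "$Domain\$Server" }

foreach ($Spn in $Spns) {
    # -s verifies no duplicate exists anywhere in the forest before adding.
    # Treat a non-zero exit (duplicate, no rights, bad account) as fatal rather
    # than continuing with a half-registered service.
    $Output = & setspn.exe -s $Spn $Target 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Error "setspn failed for $Spn on ${Target}:`n$($Output -join "`n")"
        exit 1
    }
    Write-Host "Registered $Spn -> $Target"
}

# Verify: read back what AD holds for the target and confirm both forms are listed.
# setspn -l prints a header line followed by one indented SPN per line.
$Registered = & setspn.exe -l $Target 2>&1 | ForEach-Object { $_.ToString().Trim() }
$Missing = $Spns | Where-Object { $Registered -notcontains $_ }
if ($Missing) {
    Write-Error "SPN(s) not found on ${Target}: $($Missing -join ', ')"
    exit 1
}
Write-Host "All APM SPNs present on ${Target}:"
$Registered | Where-Object { $_ -like 'IvaraServer/*' } | ForEach-Object { "  $_" }
```

Run it with no arguments to use the placeholder values, or pass -Server, -Port, -Domain, -DnsSuffix and (for a domain service account) -ServiceAccount. The read-back at the end is the same check as the setspn -l command above; doing it in the script catches the case where one form was registered earlier under a different account, which setspn -s would report as a duplicate.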

Configuring the client

Once the SPN has been registered in Active Directory, the client must be configured to use Kerberos authentication with the correct SPN. To do so, run the ivaraclient packager and edit the smart client settings. Enable the advanced settings, set Authentication Protocol to Kerberos, and set the SPN to "IvaraServer/{server}:{port}" exactly as written. Do not substitute the actual server name and port in the client setting; the client performs the substitution itself, based on the server and port it receives from the load balancer at startup. This lets it build the correct SPN dynamically when load balancing across multiple servers and ports.

After changing the settings, complete packaging and deployment of the new APM smart client with the revised settings.

See Also

N/A

Original Author: Roy Suthers