Kaspersky Anti Targeted Attack Platform

Authentication using domain accounts

If authentication using domain accounts is configured, users do not have to enter Kaspersky Anti Targeted Attack Platform account credentials to connect to the application web interface.

To enable authentication using domain accounts:

  1. Configure integration with Active Directory.

    To set up the Active Directory integration, you must create a keytab file containing the service principal name (SPN) for the Central Node server on which you want to set up the integration.

  2. Select the Domain user account authentication type for the user when creating the account.

In this Help section

Creating a keytab file

Configuring integration with Active Directory

Disabling integration with Active Directory


Creating a keytab file

You can create one user account to authenticate at multiple Central Node servers. To do so, you must create a keytab file that contains service principal names (hereinafter also SPN) for each of these servers. When you create the keytab file, you must use an attribute to generate a salt (hash function input modifier).

The generated salt must be saved in any convenient way, because it is required when adding more SPNs to the keytab file in the future.

You can also create a separate Active Directory user account for each Central Node server for which you want to set up Kerberos authentication.

To create a keytab file using one user account:

  1. On the domain controller, in the Active Directory Users and Computers snap-in, create a user account (for example, with control-user as its name).
  2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the user account that you have created.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to the file>\<file name>.keytab

    The utility requests the control-user password when executing the command.

    The SPN of the selected server is added to the created keytab file. The generated salt is displayed on screen: Hashing password with salt "<hash value>".

  4. Add an SPN record for each subsequent Central Node server to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"

    The utility requests the control-user password when executing the command.

The keytab file is created. This file contains all added SPNs of selected servers.

Example:

For example, you need to create a keytab file containing SPN names of 3 servers: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a filename1.keytab file containing the SPN of the server in C:\keytabs\, run the command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\keytabs\filename1.keytab

Let's say you got "TEST.LOCALHTTPcontrol-01.test.local" as the salt.

To add another SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

To add a third SPN:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

This creates a filename3.keytab file containing all three added SPNs.

To create a keytab file using a separate account for each Central Node server:

  1. On the domain controller server, in the Active Directory Users and Computers snap-in, create a separate user account for each server (for example, control-user, secondary1-user, secondary2-user, etc).
  2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the user account that you have created.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to the file>\<file name>.keytab

    The utility requests the control-user password when executing the command.

    The SPN of the selected server is added to the created keytab file.

  4. Add an SPN record for each subsequent Central Node server to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser secondary1-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab

    The utility requests the secondary1-user password when executing the command.

The keytab file is created. This file contains all added SPNs of selected servers.

Example:

For example, you need to create a keytab file containing SPN names of 3 servers: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a filename1.keytab file containing the SPN of the server in C:\keytabs\, run the command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keytabs\filename1.keytab

To add another SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser secondary1-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab

To add a third SPN:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser secondary2-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab

This creates a filename3.keytab file containing all three added SPNs.


Configuring integration with Active Directory

To configure integration with Active Directory:

  1. Log in to the web interface with the application administrator account.
  2. In the window of the application web interface, select the Settings section, Users subsection.
  3. Go to the Active Directory integration tab.
  4. Select the Integration check box if you want to enable integration with Active Directory.
  5. Click Browse to upload the keytab file.
  6. Select the keytab file and click Open.

    After you upload the file, the following fields are displayed:

    • Keytab file status. Possible values:
      • File contains SPN for this server means the uploaded keytab file contains the SPN for that Kaspersky Anti Targeted Attack Platform server.
      • No SPN for this server means the uploaded keytab file does not contain the SPN for that Kaspersky Anti Targeted Attack Platform server.
    • File contents is the list of SPNs that the file contains.
  7. Click Apply.

Integration with Active Directory is configured.
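The web interface reports whether the uploaded keytab contains the SPN for this server and lists the file contents. The following added example, written for this page and not part of Kaspersky's code, performs the same check offline on a keytab file produced by the ktpass procedure above: it parses the MIT keytab format (version 0x0502, which ktpass writes) and tests for the HTTP/<FQDN>@REALM entry a Central Node needs. The sample keytab is constructed inline with dummy keys for the three hosts from the page's example.

```python
import struct

def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return (principal, enctype_id, kvno) for every live entry in a v5.2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):            # e.g. "HTTP", "control-01.test.local"
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos); pos += 2
        _key, pos = _counted(data, pos)   # key material is never printed
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        pos = end
    return entries

def has_spn(data, fqdn, realm):
    """Equivalent of the 'File contains SPN for this server' status check."""
    want = f"HTTP/{fqdn}@{realm}"
    return any(p == want for p, _, _ in parse_keytab(data))

def _entry(principal, enctype, key, kvno):
    """Serialise one keytab entry (used only to build the constructed sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: three AES256 (enctype 18) entries with dummy 32-byte keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    _entry(f"HTTP/{h}@TEST.LOCAL", 18, bytes([i]) * 32, 3) for i, h in enumerate(
        ["control-01.test.local", "secondary-01.test.local", "secondary-02.test.local"], 1))
```

Run it against a real file with `parse_keytab(open("filename3.keytab", "rb").read())` before uploading, so a missing SPN is caught before the server reports "No SPN for this server".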

In distributed solution and multitenancy mode, Active Directory integration settings configured on the PCN server are not applied to SCN servers connected to that PCN server. If you want to set up Active Directory integration on individual SCN servers, you must complete the steps above on each of the selected SCN servers.


Disabling integration with Active Directory

When integration with Active Directory is disabled, user authentication with domain accounts is not available.

To disable integration with Active Directory:

  1. Log in to the web interface with the application administrator account.
  2. In the window of the application web interface, select the Settings section, Users subsection.
  3. Go to the Active Directory integration tab.
  4. Clear the Integration check box.
  5. Click Apply.

Integration with Active Directory is disabled. The uploaded keytab file is permanently deleted.

In distributed solution and multitenancy mode, Active Directory integration settings configured on the PCN server are not applied to SCN servers connected to that PCN server. If you want to disable Active Directory integration on individual SCN servers, you must complete the steps above on each of the selected SCN servers.
