Important information about integrating BeyondTrust with security providers

By integrating your B Series Appliance with your company's directory stores, IT administrators can easily manage user access to BeyondTrust accounts. Configure BeyondTrust to use your existing directory structure for user authentication and group lookup.

Access to existing user and group data

Rather than manually creating each BeyondTrust user account, an administrator can configure the B Series Appliance to query directories for existing users. Using the hierarchy and group settings already specified in these directories, the administrator can assign BeyondTrust account permissions to groups of users in addition to setting individual permissions.

Consistent authentication

Permitted users can log in to their BeyondTrust accounts with their system credentials. The use of existing credentials spares the administrator from having to assign an additional username and password to each user and saves the user from having to remember another set of credentials.

Dynamic user permissions

Because BeyondTrust can retrieve data straight from the directory, a change in a user's status will automatically be reflected in their BeyondTrust account settings. For instance, if someone is moved from the Internal Support group to the Customer Support group in the company directory, the B Series Appliance also will read that user as a member of the Customer Support group and accordingly will grant that user the privileges assigned to that group.

Immediate account deactivation

If a user is moved to a group that is not permitted to access your B Series Appliance, or if the user ceases employment and is deleted from the company directory, that user will no longer be able to log in to their BeyondTrust account. The account information will be present on the B Series Appliance for reporting purposes only.

Prerequisites

To define group policies based upon groups within a remote server, you must configure both the LDAP group provider and the Kerberos user provider. You then must enable group lookup from the user provider's configuration page. One group security provider can be used to authorize users from multiple servers, including LDAP, RADIUS, and Kerberos.

For assistance, log into the Customer Portal to chat with BeyondTrust Technical Support.

Configure Kerberos security provider

  1. Go to /login > Users & Security > Security Providers.
  2. Click Add. From the dropdown, select the type of server you want to configure.
    Alternatively, you can copy an existing provider configuration by clicking the ellipsis on a listed provider and then selecting Copy.
  3. Enter the settings for this security provider configuration as detailed below:
    • Name: Create a unique name to help identify this provider.
    • Enabled: If checked, your BeyondTrust Appliance B Series can search this security provider when a user attempts to log in to the representative console or /login. If unchecked, this provider will not be searched.
    • Keep display name synchronized with remote system: These values determine which fields should be used as the user's private and public display names.
    • Strip realm from principal names: Select this option to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.
    • Authorization settings
    • User handling mode: Select which users can authenticate to your BeyondTrust Appliance B Series. Allow all users allows anyone who currently authenticates via your Key Distribution Center (KDC). Allow only user principals specified in the list allows only the user principals explicitly designated. Allow only user principals that match the regex allows only user principals who match a Perl-compatible regular expression (PCRE).
    • Default group policy: Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the representative console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.
    • SPN handling mode
    • Allow only SPNs specified in the list: If unchecked, all configured service principal names (SPNs) for this security provider are allowed. If checked, select specific SPNs from a list of currently configured SPNs.
    • LDAP group lookup: If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group servers to use for group lookup.

      Note

      • If a default policy is defined, then any allowed user who authenticates against this server will potentially have access at the level of this default policy. Therefore, it is recommended that you set the default to a policy with minimum privileges to prevent users from gaining permissions that you do not wish them to have.
      • If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy will always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.
  4. Click Save to save this security provider configuration.
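The user handling modes and the realm-stripping option described above can be modeled in a few lines. The Python below is an added example written for this page, not BeyondTrust code: the appliance's actual comparison rules (case sensitivity of principals, the exact PCRE dialect) are not stated on the page, so the matching here is an assumption. It also flags a side effect of Strip realm from principal names that is worth checking before you enable it in a multi-realm deployment: two principals from different realms can collapse onto one BeyondTrust username.

```python
import re
from collections import defaultdict

# Added example (not BeyondTrust code) modeling the Kerberos provider's
# "User handling mode" and "Strip realm from principal names" options.
# The appliance's real matching semantics are not published; these are assumptions.
ALLOW_ALL = "allow_all"
ALLOW_LIST = "allow_list"
ALLOW_REGEX = "allow_regex"


def strip_realm(upn: str) -> str:
    """Drop the @REALM suffix of a User Principal Name (split on the last '@')."""
    at = upn.rfind("@")
    return upn if at < 0 else upn[:at]


def evaluate_login(upn, mode, allowed_principals=(), principal_regex=None, strip=True):
    """Decide whether a Kerberos-authenticated principal may log in and which
    BeyondTrust username it maps to. Returns (allowed, username_or_None)."""
    if mode == ALLOW_ALL:
        allowed = True
    elif mode == ALLOW_LIST:
        # Exact string comparison. Whether the appliance compares
        # case-insensitively is not stated on the page (assumption).
        allowed = upn in set(allowed_principals)
    elif mode == ALLOW_REGEX:
        # Python's re is close to, but not identical with, PCRE. Anchor the
        # pattern explicitly so a substring match cannot widen the allow rule.
        allowed = re.search(principal_regex, upn) is not None
    else:
        raise ValueError(f"unknown user handling mode: {mode}")
    if not allowed:
        return False, None
    return True, (strip_realm(upn) if strip else upn)


def find_username_collisions(upns, strip=True):
    """With realm stripping on, principals from different realms can collapse
    onto a single BeyondTrust username. Return {username: [principals...]}
    for every username produced by more than one principal."""
    by_name = defaultdict(list)
    for upn in upns:
        by_name[strip_realm(upn) if strip else upn].append(upn)
    return {name: ps for name, ps in by_name.items() if len(ps) > 1}


if __name__ == "__main__":
    # Constructed sample principals (not from a real directory).
    print(evaluate_login("alice@EXAMPLE.COM", ALLOW_ALL))
    print(evaluate_login("svc-helpdesk@EXAMPLE.COM", ALLOW_REGEX,
                         principal_regex=r"^[a-z.]+@EXAMPLE\.COM$"))
    print(find_username_collisions(["alice@CORP.EXAMPLE.COM",
                                    "alice@DMZ.EXAMPLE.COM",
                                    "bob@CORP.EXAMPLE.COM"]))
```

Run it with python3 to see the regex mode reject a service principal whose name contains a hyphen, and the collision check report that alice from CORP and alice from DMZ would share one account when the realm is stripped.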

Prioritize and manage security providers

Change order

Once you have set up your security providers, you can configure the order in which your B Series Appliance attempts to authenticate users.

On the Security Providers page, click Change Order. Then drag and drop the configured providers to set their priority. Clustered servers move as one unit and can be prioritized within the cluster.

After making changes to the order of priority, click the Save Order button.

Sync

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day. Clicking this button forces a manual synchronization.

Disable

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.

View log

View the status history for a security provider connection.

Troubleshoot the integration

Failed logins

If a user cannot log in to BeyondTrust using valid credentials, please check that at least one of the following sets of criteria is met.

  1. The user has been expressly added to an existing group policy.
  2. A default group policy has been set for the security provider configuration created to access the server against which the user is authenticating.
  3. The user is a member of a group that has been expressly added to an existing group policy, and both user authentication and group lookup are configured and linked.
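The three criteria above, together with the precedence rule in the note under Configure Kerberos security provider (a specific policy always beats the default, whatever the default's priority or override setting), can be turned into a small troubleshooting check. The Python below is an added example, not BeyondTrust code; the policy and provider fields, the priority ordering (lower number evaluated first) and the sample group DNs are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example (not BeyondTrust code): models group policy membership and the
# provider's default policy to explain why a login is or is not permitted.


@dataclass
class GroupPolicy:
    name: str
    priority: int                                  # lower value = evaluated first (assumption)
    users: Set[str] = field(default_factory=set)   # Policy Members: users expressly added
    groups: Set[str] = field(default_factory=set)  # Policy Members: directory groups expressly added
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass
class SecurityProvider:
    name: str
    default_policy: Optional[str] = None   # "Default group policy" on the provider
    group_lookup_linked: bool = False      # user provider linked to an LDAP group provider


def login_check(username, user_groups, provider, policies):
    """Apply the three 'Failed logins' criteria.
    Returns (allowed, specific_policies_in_priority_order, default_policy, reasons)."""
    reasons, specific = [], []
    for policy in sorted(policies.values(), key=lambda p: p.priority):
        if username in policy.users:
            specific.append(policy.name)
            reasons.append(f"1: user expressly added to '{policy.name}'")
        elif provider.group_lookup_linked and policy.groups & user_groups:
            specific.append(policy.name)
            reasons.append(f"3: group membership matched '{policy.name}'")
        elif policy.groups & user_groups:
            reasons.append(f"group would match '{policy.name}' but group lookup is not linked")
    default = provider.default_policy if provider.default_policy in policies else None
    if default is not None:
        reasons.append(f"2: default policy '{default}' set on provider '{provider.name}'")
    allowed = bool(specific) or default is not None
    if not allowed:
        reasons.append("no criterion met: login will fail")
    return allowed, specific, default, reasons


def effective_setting(name, specific, default, policies):
    """Specific policies always win over the default, regardless of the default's
    priority or override flag (the note on this page). Among specific policies the
    highest-priority one that defines the setting wins (assumption)."""
    for pname in specific:
        if name in policies[pname].settings:
            return policies[pname].settings[name]
    if default is not None and name in policies[default].settings:
        return policies[default].settings[name]
    return None


# Constructed sample data: a minimal-privilege default and a group-based policy.
POLICIES = {
    "Minimal": GroupPolicy("Minimal", priority=1,
                           settings={"screen_share": False, "idle_timeout_min": 15}),
    "Customer Support": GroupPolicy("Customer Support", priority=5,
                                    groups={"CN=Customer Support,OU=Groups,DC=example,DC=com"},
                                    settings={"screen_share": True}),
}
KERB = SecurityProvider("Corp Kerberos", default_policy="Minimal", group_lookup_linked=True)
CS_GROUP = {"CN=Customer Support,OU=Groups,DC=example,DC=com"}

if __name__ == "__main__":
    ok, spec, dflt, why = login_check("alice", CS_GROUP, KERB, POLICIES)
    print(ok, spec, dflt, why)
    print("screen_share =", effective_setting("screen_share", spec, dflt, POLICIES))
    print("idle_timeout_min =", effective_setting("idle_timeout_min", spec, dflt, POLICIES))
```

The reasons list is the useful part when working backwards as the troubleshooting section recommends: it distinguishes a user who fails because no default policy is set from one whose group would match but whose provider is not linked to a group provider.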

Error 6ca and slow logins

  1. A 6ca error is a default response signifying that the B Series Appliance has not heard back from the DNS server. It may occur when attempting to log in to the representative console.
  2. If users are experiencing extremely slow logins or are receiving the 6ca error, verify that DNS is configured in your /appliance interface.

Troubleshooting individual providers

When configuring an authentication method tied to group lookup, it is important to configure user authentication first, then group lookup, and finally group policy memberships. When troubleshooting, you will want to work in reverse.

  1. Verify that the group policy is looking up valid data for a given provider and that you do not have any @@@ characters in the Policy Members field.
  2. If a group provider is configured, verify that its connection settings are valid and that its group Search Base DN is in the proper format.
  3. If you want to use group lookup, verify that the security provider is set to look up group memberships of authenticated users.
  4. To test the user provider, set a default policy and see if your users are able to log in.

Configure the network

BeyondTrust supports single sign-on functionality using the Kerberos authentication protocol, enabling users to authenticate to their BeyondTrust user accounts without having to enter credentials.

This document details methods for integrating the B Series Appliance in some typical Kerberos networking configurations, and is intended to be used by trained individuals with a working knowledge of Kerberos. It is assumed that you either have an existing implementation of Kerberos deployed or are in the process of deploying a Kerberos implementation.

Note

As there are many possible Kerberos configuration implementations, this document serves only as a guide for standard implementations.

Prerequisites

Prior to integrating the B Series Appliance with your Kerberos configuration, ensure the following requirements are met:

  • You must have a working Kerberos Key Distribution Center (KDC).
  • Clocks must be synchronized across all clients, the KDC, and the BeyondTrust Appliance B Series. Using a Network Time Protocol (NTP) is the recommended method of synchronization.
  • You must have a service principal created on the KDC for your BeyondTrust Appliance B Series.

Kerberos security provider settings

The most appropriate configuration for your Kerberos security provider depends on your overall authentication and network infrastructure, as well as where your B Series Appliance is located in your network. The examples in the following section demonstrate typical setups, while the list below explains each of the Kerberos security provider options.

  • Keep display name synchronized with remote system: If selected, a Kerberos-authenticated user's display name will be their User Principal Name. If deselected, display names can be edited locally on the BeyondTrust Appliance B Series.
  • User Handling Mode:
    • Allow all users: Allows anyone who currently authenticates via your KDC to log in to your BeyondTrust Appliance B Series.
    • Allow only user principals specified in the list: Allows only specified user principals to log in to your BeyondTrust Appliance B Series.
    • Allow only user principals that match the regex: Allows only user principals who match a Perl-compatible regular expression (PCRE) to log in to your BeyondTrust Appliance B Series.
  • SPN Handling Mode:
    • Allow all SPNs: Allow all configured Service Principal Names (SPNs) for this security provider.
    • Allow only SPNs specified in the list: Allow only specific SPNs selected from a list of currently configured SPNs.
  • Default Policy: Select a group policy as the default for users authenticating against this Kerberos security provider.

SPN use in BeyondTrust software

Browsers may use different methods to canonicalize the hostname for a site, including performing a reverse lookup of the IP of the hostname specified in the URL. The SPN canonicalization of this address may cause the browser to request an SPN based on an internal hostname rather than the B Series Appliance hostname.

For example, a BeyondTrust site built as hostname support.example.com may ultimately resolve to the hostname internal.example.com.

support.example.com → 10.0.0.1 → 1.0.0.10.in-addr.arpa → internal.example.com

The BeyondTrust software expects the SPN in the form of HTTP/ followed by the hostname configured in the BeyondTrust software during purchase or upgrade (HTTP/support.example.com). If the browser canonicalizes the hostname to an internal hostname and uses that hostname for the SPN (HTTP/internal.example.com), authentication will fail unless you have registered SPNs for both HTTP/internal.example.com and HTTP/support.example.com, and installed them on your BeyondTrust Appliance B Series.

If SPNs for multiple hostnames are imported, the BeyondTrust software will use the site hostname to which it was previously able to connect as a client. Therefore, if you are experiencing Kerberos authentication issues, it is advised to import a keytab for each hostname to which the site might canonicalize.
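Before importing keytabs, it helps to enumerate every hostname the site might canonicalize to by walking the same chain as the example above (forward lookup, reverse pointer, PTR target) and comparing the resulting HTTP/ SPNs against the Configured Principals list. The Python below is an added example, not BeyondTrust code; its DNS tables are constructed to reproduce the page's support.example.com chain, and the optional live_tables helper builds the same tables from real DNS with the standard socket module.

```python
import ipaddress
import socket

# Added example (not BeyondTrust code). Constructed DNS data mirroring the
# page's example chain; replace with live_tables() for a real site.
FORWARD = {"support.example.com": "10.0.0.1"}
REVERSE = {"1.0.0.10.in-addr.arpa": "internal.example.com"}


def reverse_pointer(ip: str) -> str:
    """Reverse-lookup name for an IPv4/IPv6 address, e.g. 1.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def canonical_hostnames(site_host, forward=FORWARD, reverse=REVERSE):
    """Hostnames a browser may canonicalize the site to: the site hostname itself
    plus whatever the reverse record for its address points at."""
    host = site_host.rstrip(".").lower()
    names = {host}
    ip = forward.get(host)
    if ip is not None:
        ptr = reverse.get(reverse_pointer(ip))
        if ptr:
            names.add(ptr.rstrip(".").lower())
    return names


def required_spns(site_host, forward=FORWARD, reverse=REVERSE):
    """HTTP/<hostname> SPNs whose keytabs should be imported on the appliance."""
    return {f"HTTP/{h}" for h in canonical_hostnames(site_host, forward, reverse)}


def missing_spns(site_host, configured_principals, forward=FORWARD, reverse=REVERSE):
    """Compare required SPNs with the appliance's Configured Principals list
    (entries like HTTP/host@REALM; the realm suffix is ignored for the comparison)."""
    have = {p.split("@", 1)[0] for p in configured_principals}
    return sorted(required_spns(site_host, forward, reverse) - have)


def live_tables(site_host):
    """Optional: build forward/reverse tables from real DNS instead of the
    constructed data above. Not exercised by the offline example below."""
    ip = socket.gethostbyname(site_host)
    forward = {site_host.lower(): ip}
    try:
        reverse = {reverse_pointer(ip): socket.gethostbyaddr(ip)[0]}
    except socket.herror:
        reverse = {}
    return forward, reverse


if __name__ == "__main__":
    # Constructed Configured Principals list with only the public SPN imported.
    configured = ["HTTP/support.example.com@EXAMPLE.COM"]
    print("required:", sorted(required_spns("support.example.com")))
    print("missing: ", missing_spns("support.example.com", configured))
```

For a real deployment, call live_tables("support.example.com") and pass its two tables into missing_spns; any SPN it reports is a hostname for which a keytab still has to be registered on the KDC and imported under Users & Security > Kerberos Keytab.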

Network setup examples

Network Setup: Kerberos KDC

For this example:

  • The B Series Appliance may or may not be located behind a corporate firewall.

  • Representatives may or may not be on the same network as the B Series Appliance.

  • Representatives are members of a Kerberos realm.

  • Representatives can communicate with their KDC (typically over port 88 UDP).

Configuration

  1. On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.

  2. Log in to your B Series Appliance's /login interface.

  3. Go to Users & Security > Kerberos Keytab.

  4. Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.

  5. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.

  6. Create a unique name to help identify this provider.

  7. Be sure to check the Enabled box.

  8. Choose if you want to synchronize display names.

  9. Optionally, select to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.

  10. For User Handling Mode, select Allow all users.

  11. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.

  12. You may also select a default group policy for users who authenticate against this Kerberos server.

  13. Click Save to save this security provider configuration.

Network Setup: Kerberos KDC and LDAP Server on the Same Network

For this example:

  • The B Series Appliance may or may not be located behind a corporate firewall.

  • Representatives may or may not be on the same network as the B Series Appliance.

  • Representatives are members of a Kerberos realm.

  • Representatives can communicate with their KDC (typically over port 88 UDP).

  • An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.

  • The BeyondTrust Appliance B Series can directly communicate with the LDAP server.

Configuration

  1. On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.

  2. Log in to your B Series Appliance's /login interface.

  3. Go to Users & Security > Security Providers. Click Add. From the dropdown, select LDAP.

  4. Create a unique name to help identify this provider.

  5. Be sure to check the Enabled box.

  6. Choose if you want to synchronize display names.

  7. For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.

  8. Continue to configure the settings for this LDAP server.

  9. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.

  10. Click Save to save this security provider configuration.

  11. Go to Users & Security > Kerberos Keytab.

  12. Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.

  13. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.

  14. Create a unique name to help identify this provider.

  15. Be sure to check the Enabled box.

  16. Choose if you want to synchronize display names.

  17. Optionally, select to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.

  18. For User Handling Mode, select Allow all users.

  19. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.

  20. In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.

  21. You may also select a default group policy for users who authenticate against this Kerberos server.

  22. Click Save to save this security provider configuration.

Network Setup: Kerberos KDC and LDAP Server on Separate Networks

For this example:

  • The B Series Appliance may or may not be located behind a corporate firewall.

  • Representatives may or may not be on the same network as the B Series Appliance.

  • Representatives are members of a Kerberos realm.

  • Representatives can communicate with their KDC (typically over port 88 UDP).

  • An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.

  • The BeyondTrust Appliance B Series cannot directly communicate with the LDAP server.

Configuration

  1. On the Kerberos KDC, register an SPN for your B Series Appliance hostname and then export the keytab for this SPN from your KDC.

  2. Log in to your B Series Appliance's /login interface.

  3. Go to Users & Security > Security Providers. Click Add. From the dropdown, select LDAP.

  4. Create a unique name to help identify this provider.

  5. Be sure to check the Enabled box.

  6. Choose if you want to synchronize display names.

  7. For Lookup Groups, select either Only perform group lookups or Allow user authentication and perform group lookups.

  8. Continue to configure the settings for this LDAP server.

  9. Because the LDAP server does not have direct communication with the B Series Appliance, check the option Proxy from appliance through the Connection Agent.

  10. Create a password for the connection agent.

  11. Click Download Connection Agent to install the agent on a system behind your firewall. When installing the connection agent, provide the name and password you created for this LDAP server.

  12. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.

  13. Click Save to save this security provider configuration.

  14. Go to Users & Security > Kerberos Keytab.

  15. Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.

  16. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.

  17. Create a unique name to help identify this provider.

  18. Be sure to check the Enabled box.

  19. Choose if you want to synchronize display names.

  20. Optionally, select to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.

  21. For User Handling Mode, select Allow all users.

  22. For SPN Handling Mode, leave the box unchecked in order to allow all SPNs.

  23. In LDAP Group Lookup, select the server configured in this process and add it to the Group Providers In Use list.

  24. You may also select a default group policy for users who authenticate against this Kerberos server.

  25. Click Save to save this security provider configuration.

Network setup: Kerberos KDC in multiple realms

Overview

For this example:

  • The B Series Appliance may or may not be located behind a corporate firewall.

  • Representatives may or may not be on the same network as the B Series Appliance.

  • Representatives may be members of multiple Kerberos realms existing in the corporate infrastructure (traditionally, a multi-domain hierarchy in Windows).

  • If a DMZ realm exists, the representatives' realms may have inbound trusts with that DMZ realm, allowing principals in the trusted realms to obtain tickets for services in the DMZ realm.

Configuration

  1. Register one or more of the SPNs according to the following rules:

    • If a DMZ Kerberos realm is involved, register a unique SPN within the DMZ realm.
    • If no DMZ Kerberos realm is involved and no trust exists between the two realms, register a unique SPN in each realm.
    • If no DMZ Kerberos realm is involved and trust exists between the two realms, register a unique SPN in a realm of your choosing.
  2. Export all registered SPNs.

  3. Log in to your B Series Appliance's /login interface.

  4. Go to Users & Security > Kerberos Keytab.

  5. Under Import Keytab, click Choose File, and then select the exported keytab to upload. You should now see this SPN under the list of Configured Principals.

  6. Repeat the previous step for each exported keytab.

  7. Go to Users & Security > Security Providers. Click Add. From the dropdown, select Kerberos.

  8. Create a unique name to help identify this provider.

  9. Be sure to check the Enabled box.

  10. Choose if you want to synchronize display names.

  11. Optionally, select to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.

  12. If using a DMZ realm or using the same SPN for multiple realms, you will want to match on user principal name (UPN) to identify users from the first realm.

  13. If you registered multiple SPNs, choose the SPN that users from the first realm will use.

  14. You may also select a default group policy for users who authenticate against this Kerberos server.

  15. Click Save to save this security provider configuration.

  16. Repeat steps 7 through 15 for each realm from which users will authenticate, substituting the UPN or SPN rule for each realm as appropriate.
