Network Setup Example 3: Kerberos KDC and LDAP Server, Separate Networks

For this example:

  • The Bomgar Appliance may or may not be located behind a corporate firewall.
  • Representatives may or may not be on the same network as the Bomgar Appliance.
  • Representatives are members of a Kerberos realm.
  • Representatives can communicate with their KDC (typically over port 88 UDP).
  • An LDAP server exists (which may or may not be the same machine as the KDC) that maps user principal names to groups to which the users may belong.
  • The Bomgar Appliance cannot directly communicate with the LDAP server.


Configuration

This example is an extension of Example 2 and features the addition of an LDAP connection agent for use when the Bomgar Appliance does not have direct communication with the LDAP server.

  1. On the Kerberos KDC, register an SPN for your Bomgar Appliance hostname and then export the keytab for this SPN from your KDC.
  2. Log into your Bomgar Appliance's /login interface.

Users & Security > Security Providers
Security Provider Configuration Page

  1. Go to Users & Security > Security Providers and click Configure New Provider.


Add LDAP Group Server

  1. Enter a name for this security provider configuration and set the following options:
    • Server Type: LDAP
    • Service Type: Groups
  2. Click Add Provider.


Configure LDAP Group Server

  1. Configure the settings for this LDAP group server.
  2. Because the LDAP server does not have direct communication with the Bomgar Appliance, uncheck the option The appliance can communicate directly with this server.
  3. Create a password for the connection agent.
  4. For the User Query, enter a query that can tie the User Principal Name as supplied in the user's Kerberos ticket to a single entry within your LDAP directory store.
  5. Click Add Provider to save this configuration.


Users & Security > Kerberos Keytab
Kerberos Keytab

  1. Go to Users & Security > Kerberos Keytab.
  2. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.


Users & Security > Security Providers
Security Provider Configuration Page

  1. Go to Users & Security > Security Providers and click Configure New Provider.


Add Kerberos Server Configuration

  1. Enter a name for this security provider configuration and set the following options:
    • Server Type: Kerberos
    • Service Type: Users
  2. Click Add Provider.


Configure Kerberos Server

  1. Choose whether you want to synchronize display names and then select the following options:
    • User Handling Mode: Allow all users
    • SPN Handling Mode: Allow all SPNs
  2. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
  3. You may also select a default group policy for users who authenticate against this Kerberos server.
  4. Click Add Provider to save this configuration.
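The User Query in the LDAP group server steps above and the option to remove the REALM from the User Principal Name both work from the principal carried in the user's Kerberos ticket. As an added illustration (not Bomgar's code), the Python below parses such a principal, builds the username with or without the realm, and fills a query template with the value escaped per RFC 4515 so that a principal containing filter metacharacters cannot widen the lookup beyond a single entry. The `{upn}`, `{user}` and `{realm}` placeholders and the attribute names are assumptions for this example, not the appliance's query syntax.

```python
from typing import Optional, Tuple

# RFC 4515 escapes for the characters that change the meaning of an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_principal(upn: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' into (name, realm); realm is None when the UPN has none."""
    name, sep, realm = upn.rpartition("@")
    if not sep:
        return upn, None
    return name, realm


def bomgar_username(upn: str, strip_realm: bool) -> str:
    """Build the username as the 'remove the REALM portion' option describes."""
    name, _realm = parse_principal(upn)
    return name if strip_realm else upn


def build_user_query(template: str, upn: str) -> str:
    """Fill a User Query template from the ticket's UPN, escaping every substituted value.

    Placeholders (an assumption for this example): {upn} full principal,
    {user} principal without realm, {realm} realm only.
    """
    name, realm = parse_principal(upn)
    return template.format(
        upn=escape_filter_value(upn),
        user=escape_filter_value(name),
        realm=escape_filter_value(realm or ""),
    )


if __name__ == "__main__":
    # Constructed sample principals: one ordinary, one carrying filter metacharacters.
    for sample in ("jdoe@EXAMPLE.COM", "jdoe)(objectClass=*@EXAMPLE.COM"):
        print(bomgar_username(sample, strip_realm=True),
              build_user_query("(&(objectClass=user)(userPrincipalName={upn}))", sample))
```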


Edit Kerberos Server Configuration

  1. From the Security Providers page, click Edit for the newly created Kerberos provider and set If Authentication Succeeds to look up groups using the LDAP server configured earlier in this process.
  2. Click Save Changes.


Download LDAP Connection Agent

  1. From the Security Providers page, click Edit for the LDAP group server configuration, and then click Download LDAP Connection Agent to install the agent on a system behind your firewall. When installing the connection agent, provide the name and password you created for this LDAP server earlier in this process.


For more information about configuring an LDAP group security provider, see the LDAP configuration guide provided at www.bomgar.com/docs.