Network Setup Example 4: Kerberos KDC, Multiple Realms

For this example:

  • The Bomgar Appliance may or may not be located behind a corporate firewall.
  • Representatives may or may not be on the same network as the Bomgar Appliance.
  • Representatives may be members of multiple Kerberos realms in the corporate infrastructure (traditionally, a multi-domain hierarchy in Windows).
  • If a DMZ realm exists, the representatives' realms may have inbound trusts with that DMZ realm, allowing principals in the trusted realms to obtain tickets for services in the DMZ realm.

Configuration

  1. Register one or more of the SPNs according to the following rules:
    • If a DMZ Kerberos realm is involved, register a unique SPN within the DMZ realm.
    • If no DMZ Kerberos realm is involved and no trust exists between the two realms, register a unique SPN in each realm.
    • If no DMZ Kerberos realm is involved and trust exists between the two realms, register a unique SPN in a realm of your choosing.
  2. Export all registered SPNs.

Kerberos Keytab

  3. Log into your Bomgar Appliance's /login interface.
  4. Go to Users & Security > Kerberos Keytab.
  5. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
  6. Repeat the previous step for each exported keytab.


Security Provider Configuration Page

  7. Go to Users & Security > Security Providers and click Configure New Provider.


Add Kerberos Server Configuration

  8. Enter a name for this security provider configuration and set the following options:
    • Server Type: Kerberos
    • Service Type: Users
  9. Click Add Provider.


Configure Kerberos Server

  10. If you are using a DMZ realm or using the same SPN for multiple realms, you will want to match on User Principal Name to identify users from the first realm.
  11. If you registered multiple SPNs, choose the SPN that users from the first realm will use.
  12. Optionally, choose to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
  13. You may also select a default group policy for users who authenticate against this Kerberos server.
  14. Click Add Provider to save this configuration.


  15. Repeat steps 7 through 14 for each realm from which users will be authenticating, substituting the UPN or SPN rule for each realm as appropriate.
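As an added illustration (not Bomgar's own code), the following Python models the per-realm rules from the Configure Kerberos Server steps above: a ticket is handled by the first provider whose SPN rule and UPN-realm rule both accept it, and the Bomgar username is built with or without the REALM portion. The provider field names, SPNs, realms and user names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class KerberosProvider:
    """One 'Configure Kerberos Server' entry (field names are assumptions)."""
    name: str
    spn: Optional[str] = None        # accept only tickets for this SPN (None = any)
    upn_realm: Optional[str] = None  # accept only UPNs from this realm (None = any)
    strip_realm: bool = False        # drop the REALM portion when building the username
    default_policy: str = "default"  # group policy applied to users of this realm

def split_upn(upn: str) -> Tuple[str, str]:
    """Split 'user@REALM' on the last '@'; realms are compared case-insensitively."""
    user, sep, realm = upn.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed UPN: {upn!r}")
    return user, realm.upper()

def select_provider(providers: Iterable[KerberosProvider], spn: str, upn: str) -> Optional[KerberosProvider]:
    """First provider whose SPN rule and UPN-realm rule both accept the ticket."""
    _, realm = split_upn(upn)
    for p in providers:
        if p.spn is not None and p.spn != spn:
            continue
        if p.upn_realm is not None and p.upn_realm.upper() != realm:
            continue
        return p
    return None  # unconfigured realm or unknown SPN: reject rather than guess

def route(providers, spn, upn) -> Optional[Tuple[str, str, str]]:
    """(provider name, Bomgar username, default policy), or None if rejected."""
    p = select_provider(providers, spn, upn)
    if p is None:
        return None
    user, realm = split_upn(upn)
    return p.name, (user if p.strip_realm else f"{user}@{realm}"), p.default_policy

# Constructed sample: one SPN in a DMZ realm; user realms are told apart by UPN.
DMZ_SPN = "HTTP/support.dmz.example.com@DMZ.EXAMPLE.COM"
DMZ_PROVIDERS = (
    KerberosProvider("corp-users", spn=DMZ_SPN, upn_realm="CORP.EXAMPLE.COM", strip_realm=True, default_policy="corp-reps"),
    KerberosProvider("eu-users", spn=DMZ_SPN, upn_realm="EU.EXAMPLE.COM", default_policy="eu-reps"),
)
# Constructed sample: no DMZ and no trust, so a distinct SPN per realm does the job.
SPLIT_PROVIDERS = (
    KerberosProvider("corp-users", spn="HTTP/support.corp.example.com@CORP.EXAMPLE.COM", strip_realm=True),
    KerberosProvider("eu-users", spn="HTTP/support.eu.example.com@EU.EXAMPLE.COM"),
)
```

Note that with `strip_realm` enabled on more than one provider, identically named users from different realms collapse to the same Bomgar username, so enable it only where usernames are unique across realms.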