Network Setup Example 4: Kerberos KDC, Multiple Realms
For this example:
- The Bomgar Appliance may or may not be located behind a corporate firewall.
- Representatives may or may not be on the same network as the Bomgar Appliance.
- Representatives may be members of multiple Kerberos realms existing in the corporate infrastructure (traditionally, a multi-domain hierarchy in Windows).
- If a DMZ realm exists, the representatives' realms may have inbound trusts with that DMZ realm, allowing principals in the trusted realms to obtain tickets for services in the DMZ realm.
1. Register one or more SPNs according to the following rules:
   - If a DMZ Kerberos realm is involved, register a unique SPN within the DMZ realm.
   - If no DMZ Kerberos realm is involved and no trust exists between the two realms, register a unique SPN in each realm.
   - If no DMZ Kerberos realm is involved and a trust exists between the two realms, register a unique SPN in a realm of your choosing.
2. Export a keytab for each registered SPN.
3. Log into your Bomgar Appliance's /login interface.
4. Go to Users & Security > Kerberos Keytab.
5. Under Import Keytab, browse to the exported keytab and then click Upload. You should now see this SPN under the list of Configured Principals.
6. Repeat the previous step for each exported keytab.
7. Go to Users & Security > Security Providers and click Configure New Provider.
8. Enter a name for this security provider configuration and set the following options:
   - Server Type: Kerberos
   - Service Type: Users
9. Click Add Provider.
10. If using a DMZ realm or using the same SPN for multiple realms, you will want to match on the user principal name to identify users from the first realm.
11. If you registered multiple SPNs, choose the SPN that users from the first realm will use.
12. Optionally, select to remove the REALM portion from the User Principal Name when constructing the Bomgar username.
13. You may also select a default group policy for users who authenticate against this Kerberos server.
14. Click Add Provider to save this configuration.
15. Repeat steps 7 through 14 for each realm from which users will be authenticating, substituting the UPN or SPN rule for each realm as appropriate.
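Before uploading a keytab under Import Keytab it is worth confirming that the file holds exactly the SPN and realm the rules above call for, and nothing else. The following is an added example, not Bomgar code and not part of this guide; it assumes the export tool wrote the common MIT keytab format (version bytes 0x05 0x02), and every principal, realm and key in it is a constructed placeholder. It parses the keytab, reports any principal that was not meant to be exported, flags non-AES keys and mixed key version numbers, and mirrors the optional "remove the REALM portion" username setting.

```python
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/host@REALM
    name_type: int
    timestamp: int
    kvno: int
    enctype: int     # RFC 3961 enctype number (17/18 = AES, 23 = RC4-HMAC)
    key_len: int     # the key bytes themselves are deliberately not retained


def _counted(b: bytes) -> bytes:
    """uint16 length prefix + bytes: the keytab 'counted_octet_string'."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples in keytab format 0x0502.
    Present only so the parser has a constructed file to read offline."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, constructed timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)        # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse a format-0x0502 keytab; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted entry: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:           # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, klen))
    return entries


AES_ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def check_keytab(data: bytes, expected_spn: str, expected_realm: str) -> list[str]:
    """Return problems found; an empty list means the file holds exactly the intended SPN."""
    wanted = f"{expected_spn}@{expected_realm}"
    entries = parse_keytab(data)
    problems = []
    if not any(e.principal == wanted for e in entries):
        found = sorted({e.principal for e in entries})
        problems.append(f"no entry for {wanted}; keytab contains {found}")
    for e in entries:
        if e.principal != wanted:
            problems.append(f"extra principal {e.principal} was not meant to be exported")
        if e.enctype not in AES_ENCTYPES:
            problems.append(f"{e.principal}: enctype {e.enctype} is not AES (RC4/DES are legacy)")
    kvnos = {e.kvno for e in entries if e.principal == wanted}
    if len(kvnos) > 1:
        problems.append(f"{wanted}: mixed kvno values {sorted(kvnos)}; re-export after a key reset")
    return problems


def username_from_upn(upn: str, strip_realm: bool) -> str:
    """Mirror the optional 'remove the REALM portion' setting when building the username."""
    return upn.rsplit("@", 1)[0] if strip_realm else upn


# Constructed sample: one SPN registered in a (hypothetical) DMZ realm, AES keys only.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/bomgar.dmz.example.com@DMZ.EXAMPLE.COM", 3, 18, b"\x11" * 32),  # dummy key
    ("HTTP/bomgar.dmz.example.com@DMZ.EXAMPLE.COM", 3, 17, b"\x22" * 16),  # dummy key
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, AES_ENCTYPES.get(e.enctype, e.enctype))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/bomgar.dmz.example.com", "DMZ.EXAMPLE.COM") or "keytab OK")
```

Run `check_keytab` once per exported file with the SPN and realm that the rule in step 1 assigned to it; one finding per file usually means the wrong account or realm was exported. The `username_from_upn` helper makes the consequence of step 12 visible: with the realm stripped, alice@CORP.EXAMPLE.COM and alice@DMZ.EXAMPLE.COM both become "alice", so only strip the realm when short names are unique across every realm you configure.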