Kerberos KDC and basic authentication

Using this method of authentication, users are automatically authenticated against a Kerberos Key Distribution Center (KDC), and do not need to enter authentication details when connecting their browser to Secure Web Gateway. If the user's browser cannot authenticate using Kerberos, Basic Authentication is tried, and the user is prompted to enter their user name and password.

Configure authentication

  1. Navigate to System > Proxy Settings > Authentication Settings. The Authentication Settings page is displayed.
  2. Move the mouse pointer over the User Authentication is Enabled or the User Authentication is Disabled panel, and click Click here to change these settings.
  3. Select Kerberos Authentication and Basic Authentication using Kerberos Distribution Center and click Save.

    When you have selected this authentication type, the Basic Realm Identifier, Kerberos Key Distribution Centers and Kerberos Key Tab File panels will be displayed in the Authentication Settings page.

  4. In the Basic Realm Identifier panel, click Click here to change these settings.
  5. Type the name of the Basic Realm identifier to be used and click Save.

    The realm is shown in the authentication dialog in the client's browser, so that the user can determine why they are being asked to authenticate. The browser caches it, along with the user name and password, for the duration of the session. The default Basic Realm identifier is 'Clearswift Secure Web Gateway'.

  6. In the Kerberos Key Distribution Centers panel, click New to add a KDC. The Add New KDC dialog is displayed.
  7. Enter the fully qualified domain name of the distribution center that will validate a user's authentication details. You can also add a comment about this KDC. Click Add.

    The new KDC is added to the list.

    You can edit any of the KDCs in the list at any time using the steps in Edit authentication.

 

If you are using Kerberos authentication, Network Time Protocol (NTP) must be enabled.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Edit authentication

  1. In the Kerberos Key Distribution Centers panel, select the KDC that you want to change and click Edit. Only one KDC can be edited at a time.

    The Edit KDC dialog is displayed.

  2. Change the Host or Notes for the KDC and click Update.
  3. Click the up or down icons to move a KDC up or down in the list. The order of the list dictates which KDC is tested first, so arrange the KDCs accordingly. If the first KDC does not work, the second in the list is tested, and so on.

Add a Kerberos key tab file

  1. In the Kerberos Key Tab File panel, click Click here to change these settings.
  2. Enter, or browse to, the location of the Kerberos key tab file to import into Secure Web Gateway, and click Save.
  Key tab files can vary, depending on the version you are using. For more information on key tab files, refer to your Windows KDC documentation.

Delete authentication

  1. In the Kerberos Key Distribution Centers panel, select the KDC that you want to delete and click Delete.

    The Confirm Delete dialog is displayed.

  2. Click Yes to delete the KDC. It will be immediately removed from the KDC list.

Test authentication

  1. On the Authentication Settings page, click Test Authentication in the task panel. The Test Authentication dialog is displayed.
  2. Enter a User Name and Password combination, then click Run Test.

The test is run on the KDCs in priority order, based on the ordering of the list. If the first KDC does not work, the second in the list is tested, and so on.

  Although Kerberos authentication supports user names or passwords that contain non-ASCII characters, the test mechanism does not. You cannot test authentication of user names or passwords containing extended characters.

Enable Apache Access Log

If you want to run diagnostics on your authentication, you can enable Apache Access logging for more information.

  1. In the Apache Access Log is Enabled or the Apache Access Log is Disabled panel, click Click here to change these settings.
  2. To enable or disable the generation of the logs, select or clear the Enable Apache access logging check box.