Applies to all Barracuda Web Filters running firmware version 4.2 or above, and to all networks running Windows 2000 and above with domain controllers in native mode.
Implementing Kerberos-based authentication within your network allows the Barracuda Web Filter to associate outgoing web requests with Active Directory users, log user activity, and apply user-specific or group-specific policies to outgoing connections without requiring users to log into the Barracuda Web Filter. Like NTLM, it is a forward proxy authentication scheme that provides per-session authentication and policy control.
I. Preparing your Network and Barracuda Web Filter
In order to support Kerberos authentication, your Barracuda Web Filter must be deployed as a forward proxy. For more information on deploying your Barracuda Web Filter as a forward proxy, please refer to Solution #00002367. If you are going to be using Hybrid authentication (LDAP + Kerberos), please see the Additional Notes section below.
If you are migrating your authentication service on a Barracuda Web Filter that is currently deployed, please be aware of the following configuration prerequisites:
- Have the appropriate DNS server entry in the Barracuda Web Filter.
- No other authentication services (LDAP, NTLM) may be configured unless you are implementing Hybrid Authentication Mode. See the Additional Notes section below.
Implementing Kerberos Authentication will restrict some configuration options. The restrictions are as follows:
- No login override of blocked pages: When a policy on the Barracuda Web Filter blocks Internet access for a user, that user is not offered login fields at the bottom of the block message, even if Allow login override of blocked pages is enabled on the Block/Accept > Configuration page.
- No logout option: Users cannot log out when proceeding to a blocked page in order to surf anonymously. More precisely, when a policy on the Barracuda Web Filter blocks Internet access for a user, that user is not offered a logout option at the bottom of the block message, even if the Offer Logout option on the Block/Accept > Configuration page is enabled.
- Users are not displayed in the User/Groups > Account View page when authenticated via Kerberos.
Once you have prepared your Web Filter, you will need to verify that your network meets the following prerequisites:
- DNS servers must be able to resolve IP addresses in both forward and reverse.
- All work stations must be configured to use the correct DNS servers.
- The network must be time synchronized within a five-minute margin of error.
- All users are using either Internet Explorer 7 (or later) or Firefox 3 (or later).
- Generally speaking, all users must have domain logon credentials; however, non-domain machines can use Kerberos authentication provided that Kerberos is configured correctly on those machines.
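The two prerequisites that most often break Kerberos in practice are the forward/reverse DNS pair for the web filter's FQDN and the five-minute clock tolerance. The following pre-flight checker is an added example, not part of the original Barracuda article and not a Barracuda tool; it checks that each hostname resolves forward and back to itself and that two clocks agree within the required margin. The hostnames follow the article's examples, the 192.0.2.x addresses are constructed documentation-range values, and the SAMPLE_* tables stand in for a real DNS server so the script runs offline; pass the system_forward/system_reverse functions instead to query your actual resolvers.

```python
import socket
import time

MAX_SKEW_SECONDS = 300   # the five-minute tolerance the prerequisites require


def system_forward(name):
    """Forward (A) lookup through the OS resolver; used for a live check."""
    return socket.gethostbyname(name)


def system_reverse(ip):
    """Reverse (PTR) lookup through the OS resolver; used for a live check."""
    return socket.gethostbyaddr(ip)[0]


def check_dns_roundtrip(fqdn, forward=system_forward, reverse=system_reverse):
    """Return (ok, detail). ok is True only when fqdn -> ip -> fqdn closes the loop,
    which is what the browser's HTTP/<fqdn> service-ticket request depends on."""
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return False, f"forward lookup of {fqdn} failed: {exc}"
    try:
        back = reverse(ip)
    except OSError as exc:
        return False, f"reverse lookup of {ip} failed: {exc}"
    if back.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, f"PTR for {ip} is {back}, expected {fqdn}"
    return True, f"{fqdn} -> {ip} -> {back}"


def check_clock_skew(client_epoch, kdc_epoch, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds); ok when the two clocks differ by at most max_skew."""
    skew = abs(client_epoch - kdc_epoch)
    return skew <= max_skew, float(skew)


def preflight(hosts, client_epoch, kdc_epoch,
              forward=system_forward, reverse=system_reverse):
    """Run every check and return {check_name: (ok, detail)} for a summary report."""
    report = {f"dns:{h}": check_dns_roundtrip(h, forward, reverse) for h in hosts}
    report["clock"] = check_clock_skew(client_epoch, kdc_epoch)
    return report


def all_ok(report):
    return all(ok for ok, _ in report.values())


# Constructed zone data standing in for the real DNS server so the self-test runs offline.
# 192.0.2.0/24 is the documentation range; the hostnames follow the article's examples.
SAMPLE_FORWARD = {
    "mywebfilter.mydomain.com": "192.0.2.10",
    "dc1.mydomain.com": "192.0.2.5",
    "stale.mydomain.com": "192.0.2.20",    # A record exists but the PTR points elsewhere
}
SAMPLE_REVERSE = {
    "192.0.2.10": "mywebfilter.mydomain.com",
    "192.0.2.5": "dc1.mydomain.com",
    "192.0.2.20": "oldname.mydomain.com",
}


def sample_forward(name):
    try:
        return SAMPLE_FORWARD[name]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def sample_reverse(ip):
    try:
        return SAMPLE_REVERSE[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


if __name__ == "__main__":
    now = time.time()
    # Simulate a KDC clock that is 90 seconds ahead; the DNS checks use the constructed zone.
    report = preflight(["mywebfilter.mydomain.com", "dc1.mydomain.com", "stale.mydomain.com"],
                       now, now + 90, sample_forward, sample_reverse)
    for name, (ok, detail) in report.items():
        print("PASS" if ok else "FAIL", name, detail)
```

Run it from a workstation that uses the same DNS servers as your users, since a PTR record that is missing on the client-facing resolver will not show up when you test from the domain controller itself.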
II. Configuring Kerberos Authentication
If you are not using the Advanced Options under the Kerberos configuration tab, follow these steps to create your Kerberos service on the Barracuda Web Filter:
1. Set your Default Domain and Default Hostname on the Basic > IP Configuration page. On your DNS server(s), add an entry (both forward and reverse mappings) for your Barracuda Web Filter.
2. On the Kerberos configuration tab on Users/Groups > Authentication, enter the Realm, or Windows administrative domain name.
3. Enter the FQDN of the Key Distribution Center server in the KDC field. This is typically the FQDN of your domain controller.
4. Enter the Username and Password of an account that has administrative privileges on your Active Directory server.
5. Click the Add button to create the new Kerberos Service. Once you do this, the service should appear as type Kerberos in the Existing Authentication Services table below.
6. Ensure that the Barracuda Web Filter’s FQDN (not the IP address) and port 3128 are configured as an HTTP proxy on all users’ browsers.
Additionally, there is an Advanced Options section you can access by clicking the Advanced Options link. Use the Advanced Options link on the page if:
- You want to use a different keytab file than the one that would automatically be generated by the Barracuda Web Filter when you click the Add button. This enables you to control which encryption type is used or which user the service principal is mapped to.
- The NetBIOS domain name of your Windows domain is different from the leftmost label in the DNS domain name.
The steps below cover the creation of your own keytab file. Follow steps 1-3 above and then, BEFORE clicking the Add button, do the following:
1. On your Active Directory server, create a new user, for example “wfuser”, and enter its Username and Password in their respective fields for the Kerberos service configuration on the Barracuda Web Filter. This user must have administrative privileges on your Active Directory server.
2. Create the keytab file by calling ktpass.exe from the command prompt.
   Windows 2003 SP2 and later use:
   ktpass -princ HTTP/mywebfilter.mydomain.com@MYDOMAIN.COM -mapuser wfuser@MYDOMAIN.COM -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL -pass ******** -out wf.keytab
   Windows 2003 SP1 and earlier use:
   ktpass -princ HTTP/mywebfilter.mydomain.com@MYDOMAIN.COM -mapuser wfuser@MYDOMAIN.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass ******** -out wf.keytab
3. Using the Upload keytab field and Browse button, upload the keytab file wf.keytab that you just created.
4. Note: If you change the password of the mapped user (wfuser in our example), you must generate a new keytab for that user and upload it by editing the existing Kerberos entry.
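Before uploading wf.keytab it is worth confirming that it actually contains the HTTP/<fqdn>@REALM principal from the -princ argument with the encryption type you chose, since a keytab built for the wrong SPN or a stale key version fails silently at the browser. The checker below is an added example, not code from the Barracuda article or from Microsoft; it assumes ktpass writes the MIT version-2 keytab layout (magic bytes 0x05 0x02), which is what both the web filter and MIT-derived tools read. The build_keytab helper only exists to construct a sample file in that layout for the self-test; the parser never exposes key bytes, only their length, so the output is safe to paste into a ticket. The SPN, realm and enctype values are the article's own; the kvno values and key bytes are constructed.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961 registry) relevant to ktpass output
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",               # the -crypto DES-CBC-MD5 case on the page
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",                 # the -crypto rc4-hmac-nt case on the page
}
DES_ENCTYPES = {1, 3}
KRB5_NT_PRINCIPAL = 1               # the -ptype value both ktpass commands use
SAMPLE_TIMESTAMP = 1700000000       # constructed entry timestamp for the sample keytab


def _counted(raw):
    """16-bit big-endian length prefix followed by the bytes (MIT keytab field)."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab into a list of entry dicts; key material is
    reported only as a length so secrets never reach the caller."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "kvno": kvno,
            "key_len": len(key),
        })
    return entries


def build_keytab(entries):
    """Write (principal, enctype, kvno, key) tuples in MIT v2 layout. Used here only to
    construct a sample file; real keytabs come from ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, SAMPLE_TIMESTAMP, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_spn, allow_des=False):
    """Return a list of problems; empty means the keytab carries the expected HTTP
    service principal with a recognised, acceptable key type."""
    problems = []
    entries = parse_keytab(data)
    if not any(e["principal"] == expected_spn for e in entries):
        problems.append(f"no entry for {expected_spn}")
    for e in entries:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"{e['principal']}: name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
        if e["enctype"] not in ENCTYPE_NAMES:
            problems.append(f"{e['principal']}: unrecognised enctype {e['enctype']}")
        elif e["enctype"] in DES_ENCTYPES and not allow_des:
            problems.append(f"{e['principal']}: {e['enctype_name']} is single DES (SP1-and-earlier case only)")
    return problems


if __name__ == "__main__":
    import sys
    spn = "HTTP/mywebfilter.mydomain.com@MYDOMAIN.COM"
    # Pass the path to a real wf.keytab; otherwise a constructed rc4-hmac sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_keytab([(spn, 23, 3, b"\x11" * 16)])
    for entry in parse_keytab(data):
        print(entry)
    print("problems:", check_keytab(data, spn) or "none")
```

Run it as python check_keytab.py wf.keytab and compare the reported kvno with the current msDS-KeyVersionNumber of wfuser; a mismatch is the symptom you get after changing the mapped user's password without regenerating the keytab, which is exactly the case the note in step 4 warns about.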
III. Additional Notes
Hybrid Authentication Mode is used when a combination of either LDAP and NTLM or LDAP and Kerberos is required. This enables you to deploy the Barracuda Web Filter both in inline mode for one group of users and in forward proxy mode for another group of users. This is useful if you want to apply different browsing policies to two different user groups.
For example, if you configure LDAP with Single Sign-On for one group of users and Kerberos authentication for another group of users, each group will receive a pop-up window indicating access denied to blocked sites, but the LDAP group will be able to bypass the block page by logging in with their LDAP credentials. The Kerberos group will not be able to bypass the block page.
When Hybrid Mode is enabled, you can use EITHER Kerberos or NTLM authentication along with LDAP, but not both. Once you enable Hybrid Mode, configure LDAP and either NTLM or Kerberos authentication services as usual.
When configured in this manner, the default proxy server port is 3128.
If you are seeing a page that says “Cache Read Access Denied”, it is possible that your domain controller has old Kerberos tickets cached. If that happens, you can purge the tickets by doing the following:
- Open the command prompt (CMD) on your domain controller.
- Enter the following commands in this order:
This will flush recent DNS records and purge any existing Kerberos tickets.