Configure Kerberos Authentication

Note:  These instructions apply only to Windows installations under IIS.

In environments using Active Directory as an identity provider, the Keyfactor Command Management Portal uses integrated Windows authentication by default. Integrated authentication consists of both NTLM and Kerberos authentication types. In some environments, NTLM will work for integrated authentication and users will be able to open the Keyfactor Command Management Portal without further configuration, though some aspects of the portal, including the dashboard and enrollment, do not support NTLM. In other environments, NTLM will not work at all for the Management Portal, so only Kerberos will be supported. Further configuration is required to make Kerberos authentication work correctly. Even if NTLM is supported and you don't intend to use the portions of the Management Portal that don't work with NTLM, Kerberos is generally preferred for best security practice with Active Directory.

Common scenarios in which NTLM will not work are multi-domain forests and authentication attempts between domains and servers that support only NTLMv2 using clients attempting NTLM.
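Because integrated authentication can fall back to NTLM without any visible error, it helps to confirm which protocol a client actually offered. The following is an added example, not Keyfactor code: it classifies the initial token from an Authorization request header (for instance, one copied from a browser's developer tools). The function names classify and sample are hypothetical, and the sample tokens are constructed rather than captured.

```python
import base64

# Well-known mechanism OIDs (DER content bytes) and the protocol each selects.
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos",   # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("2b06010401823702020a"): "NTLM",     # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0             # long form: n length bytes follow
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, pos + n, pos + n + length

def classify(header_value):
    """Return 'Kerberos', 'NTLM' or 'unknown' for an Authorization header value."""
    b64 = header_value.strip().partition(" ")[2].strip()
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):              # raw NTLM, no GSS-API wrapper
            return "NTLM"
        tag, pos, _ = _tlv(tok, 0)                      # 0x60 InitialContextToken
        oid_tag, s, e = _tlv(tok, pos)                  # thisMech OID
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        if tok[s:e] != SPNEGO:
            return MECHS.get(tok[s:e], "unknown")       # bare Kerberos token
        pos = e
        for expected in (0xA0, 0x30, 0xA0, 0x30):       # NegTokenInit -> mechTypes list
            tag, pos, end = _tlv(tok, pos)
            if tag != expected:
                return "unknown"
        while pos < end:                                # mechanisms in preference order
            tag, s, pos = _tlv(tok, pos)
            if tag == 0x06 and tok[s:pos] in MECHS:
                return MECHS[tok[s:pos]]
    except (IndexError, ValueError):                    # truncated or non-base64 input
        pass
    return "unknown"

def sample(mech_hex):
    """Constructed SPNEGO header offering one mechanism (not captured traffic)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    mechs = der(0xA0, der(0x30, der(0x06, bytes.fromhex(mech_hex))))
    tok = der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, mechs)))
    return "Negotiate " + base64.b64encode(tok).decode()
```

A result of NTLM for a portal request means the client did not present a Kerberos ticket for that request. Only the first token of an exchange is classified; later legs of the handshake return unknown.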

Configuring the environment to support Kerberos includes these topics:

Note:  Basic authentication can be used with Active Directory instead of integrated Windows authentication.