Configure Kerberos Authentication
By default, the Keyfactor Command Management Portal uses integrated Windows authentication, which consists of both the NTLM and Kerberos authentication types. In some environments, NTLM will work for integrated authentication and users will be able to open the Keyfactor Command Management Portal without further configuration, though not all aspects of the portal support NTLM, including the dashboard and certificate enrollment. In other environments, NTLM will not work at all for the portal, so only Kerberos will be supported, and further configuration is required to make Kerberos authentication work correctly. Even if NTLM is supported and you don't intend to use the portions of the portal that don't work with NTLM, Kerberos is generally preferred as a security best practice.
Common scenarios in which NTLM will not work include multi-domain forests and authentication attempts from clients using NTLM against domains and servers that accept only NTLMv2.
Configuring the environment to support Kerberos includes these topics:
- Configure browsers to support Integrated Windows Authentication
- Configure the service principal name (SPN) for the Keyfactor Command server
- Configure Kerberos constrained delegation (optional)