Configure Kerberos Authentication

By default, the SCEP server uses integrated Windows authentication. Integrated authentication consists of both NTLM and Kerberos authentication types. In some environments, NTLM will work for integrated authentication and users will be able to acquire a SCEP challenge without further configuration. In other environments, NTLM will not work, so only Kerberos will be supported, and further configuration is required to make Kerberos authentication work correctly. Even where NTLM is supported, Kerberos is generally preferred as a security best practice.

Common scenarios in which NTLM will not work include multi-domain forests, and authentication attempts between domains and servers that support only NTLM2 when the client attempts NTLM.

Configuring the environment to support Kerberos includes these topics:

  • Configure browsers to support Integrated Windows Authentication (for testing purposes)
  • Configure the service principal name (SPN) for the Keyfactor Command server
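
When testing the configuration, it helps to confirm whether a browser actually authenticated with Kerberos or fell back to NTLM. The following is an added example, not part of the Keyfactor documentation or product: it classifies the value of an HTTP Authorization header (copied from browser developer tools or a proxy trace) by the mechanism the client listed first. The function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded OID values of the GSS-API mechanisms involved (tag/length omitted).
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an HTTP Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token:
        return "unknown"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
        if blob.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no SPNEGO wrapper
            return "ntlm"
        tag, pos, _ = _tlv(blob, 0)
        if tag != 0x60:  # not a GSS-API InitialContextToken
            return "unknown"
        tag, pos, length = _tlv(blob, pos)  # outer mechanism OID
        oid, pos = blob[pos:pos + length], pos + length
        if oid != SPNEGO:
            return MECHS.get(oid, "unknown")  # e.g. bare Kerberos token
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE -> first OID
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, length = _tlv(blob, pos)
            if tag != expected:
                return "unknown"
        return MECHS.get(blob[pos:pos + length], "unknown")
    except (ValueError, IndexError):
        return "unknown"

def sample_header(*mech_oids):
    """Constructed sample: Negotiate header offering mech_oids in order (short DER only)."""
    def wrap(tag, body):
        return bytes([tag, len(body)]) + body
    mechs = b"".join(wrap(0x06, oid) for oid in mech_oids)
    init = wrap(0xA0, wrap(0x30, wrap(0xA0, wrap(0x30, mechs))))
    return "Negotiate " + base64.b64encode(wrap(0x60, wrap(0x06, SPNEGO) + init)).decode()
```

A result of "ntlm" on a Negotiate header means the client did not obtain a Kerberos service ticket for the site; "unknown" covers tokens whose first listed mechanism is neither Kerberos nor NTLM.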