The following describes how to perform authentication with Kerberos. One Identity Safeguard for Privileged Sessions (SPS) supports both end-to-end Kerberos authentication, when the client authenticates on SPS gateway and on the target server using Kerberos, and also the half-sided Kerberos scenario when Kerberos is used only on the SPS gateway.
Before configuring Kerberos authentication on One Identity Safeguard for Privileged Sessions (SPS), make sure you have configured your Kerberos environment correctly and have retrieved the keytab file. For details, see Configuring your Kerberos environment.
To perform authentication with Kerberos
Navigate to SSH Control > Authentication Policies.
Create a new Authentication Policy.
Select the authentication methods to use on the SPS gateway and on the target server.
To use Kerberos authentication on the target server, you must use Kerberos authentication both on the SPS gateway and on the target server. Select Gateway authentication method > Kerberos and Relayed authentication methods > Kerberos.
To use Kerberos authentication only on the SPS gateway (that is, in the client-side connection), select Gateway authentication method > Kerberos. If required, you can select other gateway authentication methods in addition to Kerberos, and also authentication backends and related to the selected gateway authentication methods.
Select the authentication methods you want to use on the target server in the Relayed authentication methods field.
Navigate to SSH Control > Global Options > GSSAPI.
Browse for the Kerberos keytab file, and click Upload. The uploaded principals are displayed in Currently uploaded principals.
If a Connection Policy uses an SSH Authentication Policy with Kerberos authentication together with a Usermapping Policy, then SPS stores the user principal as the gateway user, and the target username as the server username in the session database. If you want to allow your users to use a username on the target server that is different from their principal, configure a Usermapping Policy for your SSH connections. For details, see "Configuring usermapping policies" in the Administration Guide.
(Optional) If more than one realm is deployed on your network, you have to specify the mapping from the server's DNS domain name to the name of its realm. To map hostnames onto Kerberos realms, click .
Navigate to SSH Control > Connections and configure the SSH connection as follows. For details on configuring connections in general, see Configuring connections.
Select Use fixed address or Inband destination selection as Target.
Select the Kerberos Authentication policy.