Configuring Embedded Kerberos Authentication

For HP product models: LaserJet 4345mfp, LaserJet 9040mfp, LaserJet 9050mfp, LaserJet 9500mfp, and Digital Sender 9200C
Legal Notice
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation. All other products mentioned herein might be trademarks of their respective companies. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
Contents
Overview (p. 1)
Required tool (p. 1)
Step 1: Discovering the LDAP server (p. 5)
Method 1 (p. 5)
Method 2
Overview
Kerberos is a network authentication protocol. It is designed to provide secure authentication for client/server applications by using secret keys delivered with session tickets. This document provides step-by-step instructions for configuring Kerberos.

Required tool
It is necessary to use Microsoft LDP to configure the MFP for embedded LDAP authentication. Microsoft LDP is a support tool that ships with the Windows Support Tools contained on the Windows OS media.
3. Double-click the SUPTOOLS.MSI file.
4. Select Next at the Welcome to the Windows Support Tools Setup Wizard.
5. After reading the licensing agreement, select the I Agree radio button and click Next.
6. Enter your name and organization; then click Next.
7. Select Complete for the installation type; then click Next.
8. Select Install Now to begin the installation.
9. Click Finish to complete the installation.

Step 1: Discovering the LDAP server
There are two key methods to discover an available LDAP server on the network.

Method 1
1. Open a command window by clicking Start → Run and typing cmd.exe in the dialog box. Then press Enter or click OK.
2. To determine which Windows Active Directory logon server you are logged onto, type the following and then press Enter:
   echo %logonserver%
Method 2
You must first discover the name of your domain.
1. To determine the name of your domain, run nslookup on the server name returned by echo %logonserver% in Method 1:
   nslookup "server result from echo %logonserver%"
   • The domain appears after the server name ("tmws3a") discovered in Method 1. In this example, it is technical.marketing.com.
2. The following command can then be used to provide a list of DNS servers:
   nslookup "name of your domain" (i.e. nslookup TECHNICAL.MARKETING.COM)
Step 2: Setting up LDP
1. Open LDP by clicking Start → Run and typing ldp.exe; then press Enter or click OK.
2. From the Ldp menu, select Connection → Connect.
3. In the Connect window, input the IP address or hostname of the LDAP server in the Server box; then input 389 or 3268 as the Port number. Click OK.
   • Port 389 is the standard LDAP port. However, it may be necessary to use port 3268 when communicating with a Windows Global Catalog Active Directory Server.
4. From the LDP menu, select Connection → Bind.
5. In the Bind window, input username, password, and domain name; then click OK.
6. On the LDP screen, find and copy the Base DN.
   • The Base DN is normally listed within "defaultNamingContext."
7. From the LDP menu, select Browse → Search.
8. In the Search window, paste the Base DN into the Base Dn box. Input the LDP Filter into the Filter box.
   • In the Search Options window, remove all entries in Attributes; then click OK.
   • Back in the Search window, click Run; then click Close.
9. On the LDP screen, locate the user DN from the returned results. Copy it for use in the Embedded Web Server (EWS).
   • The Search Prefix begins after the individual user CN.

Hint: Notice how the username is set up on the LDP screen. The username format is defined within the device user DN. This can be viewed in the LDP trace. The format is often in email address format, but can be defined in many different combinations. The example below is User1.
   b. Enter the Kerberos Realm for the Kerberos Server Hostname. DNS finds the first available Kerberos Domain Controller.
      • As an alternative, this can be a hostname or an IP address.
   c. The Kerberos Server Port should be auto-filled as 88.
4. Under the Accessing the LDAP Server section,
   a. Select Kerberos from the LDAP Server Bind Method drop-down box.
   b. Choose the radio button of the Credential method desired.
      • If choosing Use Public Credentials, enter a username and password.
5. Under the Searching the LDAP Database section,
   a. Paste the Search Prefix into the Search Root field.
   b. Input sAMAccountName into the "Match the name entered with the LDAP attribute of" field.
   c. Find the device user email address in the LDP trace. Copy the attribute defining the email address.
      • Paste the attribute into the "Retrieve the device user's email address using attribute of" field.
   d. Find the device user "name using the attribute of" in the LDP trace.
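Steps 2 and 3 have the administrator read several values out of the LDP trace by hand: the Base DN from defaultNamingContext, the user DN, the Search Prefix (the DN with the leading user CN removed), the attribute holding the email address, and the realm in upper case. The script below, an added example that is not HP's code or part of this guide, performs that extraction from a constructed LDP-style trace. The attribute names sAMAccountName, mail and userPrincipalName are standard Active Directory attributes; the OU, user and domain values in the sample are made up to match the guide's example.

```python
"""Derive MFP LDAP/Kerberos settings from an LDP trace (added example)."""
import re

# Constructed sample: a fragment shaped like what Ldp.exe shows after
# Connection -> Bind (rootDSE attributes) and after Browse -> Search.
LDP_TRACE = """
1> defaultNamingContext: DC=technical,DC=marketing,DC=com;
1> rootDomainNamingContext: DC=technical,DC=marketing,DC=com;
Dn: CN=User1,OU=Sales,DC=technical,DC=marketing,DC=com
1> sAMAccountName: user1;
1> mail: user1@technical.marketing.com;
1> userPrincipalName: user1@technical.marketing.com;
1> displayName: User One;
"""


def attribute(trace, name):
    """Return the value of the first 'name: value;' line LDP printed, or None."""
    pattern = rf"^\s*(?:\d+>\s*)?{re.escape(name)}:\s*(.*?);?\s*$"
    m = re.search(pattern, trace, re.M)
    return m.group(1) if m else None


def base_dn(trace):
    """Step 2, item 6: the Base DN is listed within defaultNamingContext."""
    return attribute(trace, "defaultNamingContext")


def user_dn(trace):
    """Step 2, item 9: the user DN from the search results ('Dn: ...')."""
    m = re.search(r"^Dn:\s*(.+?)\s*$", trace, re.M)
    return m.group(1) if m else None


def split_dn(dn):
    """Split a DN into RDNs, leaving backslash-escaped commas intact."""
    return re.split(r"(?<!\\),", dn)


def search_prefix(dn):
    """Search Prefix = everything after the individual user CN."""
    rdns = split_dn(dn)
    if not rdns[0].upper().startswith("CN="):
        raise ValueError("user DN does not start with CN=")
    return ",".join(rdns[1:])


def realm_from_dn(dn):
    """Kerberos realm = the DC components joined with '.', upper-cased
    (the Troubleshooting section requires the realm to be capitalized)."""
    dcs = [r.split("=", 1)[1] for r in split_dn(dn) if r.upper().startswith("DC=")]
    return ".".join(dcs).upper()


def mfp_settings(trace):
    """Collect the values the EWS fields in Steps 3 and 5 ask for."""
    dn = user_dn(trace)
    return {
        "base_dn": base_dn(trace),
        "search_root": search_prefix(dn),
        "match_attribute": "sAMAccountName",
        "email_attribute": "mail" if attribute(trace, "mail") else None,
        "kerberos_realm": realm_from_dn(dn),
        "login_name": attribute(trace, "userPrincipalName"),
    }


if __name__ == "__main__":
    for key, value in mfp_settings(LDP_TRACE).items():
        print(f"{key}: {value}")
```

The login_name value illustrates the hint in Step 2: the name the user types at the MFP is whatever the DN-based attribute holds, which here is the full email-style userPrincipalName.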
Step 4: Configure the Authentication Manager
1. Click Authentication Manager on the left-side menu.
2. On the Authentication Manager screen, select Kerberos Authentication from the Authentication method drop-down list.
3. Click Apply.

Step 5: Configure Addressing Settings
1. Click the Digital Sending tab.
2. Select Addressing from the right-side menu.
3. Select the "Allow device to directly access an LDAP Address Book" check box (screenshot on next page).
4.
      • Input the Kerberos Default Realm (Domain). Example: TECHNICAL.MARKETING.COM
      • Input the Kerberos Server Hostname. Example: 15.62.64.203
      • Input the Kerberos Server Port. Example: 88
   c. Input the LDAP Server. Example: 15.98.10.51
   d. Input the Port number. Example: 389
5. Under the Searching the Database section,
   a. Input the Search Prefix into the Search Root field.
   b. Select an option from the "Device user information retrieval method" drop-down list.
6.
Step 6: Use the MFP control panel
1. At the MFP, touch any option on the main screen. The screen displays a request for authentication.
   Hint: Remember the username is defined within the device user DN value in the LDP trace and is often your entire email address, including the @xx.xx.
2. Use the touch screen keypad to input the authentication.
   • Once input, touch OK, and the chosen option appears; for example, the Email screen appears.
Troubleshooting
The following section covers three troubleshooting issues: Reverse DNS, Time Synchronization, and Kerberos Realm Syntax.

Reverse DNS must be configured
Kerberos authentication uses reverse DNS in the authentication process. Reverse DNS helps prevent "Man In The Middle" attacks and adds a further level of security to the Kerberos process. Kerberos authentication fails and will not operate in a network environment that does not have reverse DNS enabled.
Kerberos Realm Syntax
When specifying the Kerberos Realm, it is essential that the entry is capitalized. This entry must be entered into three separate sections of the EWS: Kerberos Authentication, Addressing Settings, and Network Settings.
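The two checks in this Troubleshooting section (the KDC address must have working reverse DNS, and the realm must be capitalized and identical in all three EWS sections) can be run before the MFP is configured. The script below is an added example, not HP's code: it looks records up in a constructed in-memory zone so it runs offline, and the suggestion to swap the dictionary lookups for socket.gethostbyaddr and socket.gethostbyname on a live network is an assumption of the example, as are the hostnames. The address 15.62.64.203 is the KDC example the guide itself uses.

```python
"""Pre-flight checks for reverse DNS and Kerberos realm syntax (added example)."""
import re

# Constructed sample zone. The KDC address matches the guide's example;
# the hostnames are made up. dc2 deliberately has no PTR record and the
# LDAP server's PTR name deliberately has no A record, to show both failures.
FORWARD = {
    "dc1.technical.marketing.com": "15.62.64.203",
    "dc2.technical.marketing.com": "15.62.64.204",
}
REVERSE = {
    "15.62.64.203": "dc1.technical.marketing.com",
    "15.98.10.51": "ldap.technical.marketing.com",
}


def check_reverse_dns(ip, forward=FORWARD, reverse=REVERSE):
    """Return (ok, detail). ok only if ip -> PTR name -> A record round-trips.
    On a live network, replace the dict lookups with socket.gethostbyaddr(ip)
    and socket.gethostbyname(name) (assumption of this example)."""
    name = reverse.get(ip)
    if name is None:
        return False, f"no PTR record for {ip}"
    back = forward.get(name)
    if back != ip:
        return False, f"PTR name {name} does not resolve back to {ip}"
    return True, name


# A realm in this guide is the DNS domain written in upper case:
# dotted labels of letters, digits and hyphens, no leading/trailing hyphen.
REALM_RE = re.compile(r"^[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?(\.[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?)*$")


def check_realm(realm):
    """Return (ok, detail). The realm must be capitalized, as the guide requires."""
    realm = realm.strip()
    if not realm:
        return False, "realm is empty"
    if realm != realm.upper():
        return False, f"realm must be capitalized, e.g. {realm.upper()}"
    if not REALM_RE.match(realm):
        return False, "realm is not a valid dotted domain name"
    return True, realm


def check_realm_consistency(realms):
    """The same realm string must be entered in Kerberos Authentication,
    Addressing Settings and Network Settings. realms maps section -> value;
    returns True only if every section holds one identical, valid realm."""
    values = {v.strip() for v in realms.values()}
    return len(values) == 1 and check_realm(values.pop())[0]


if __name__ == "__main__":
    for ip in ("15.62.64.203", "15.62.64.204", "15.98.10.51"):
        print(ip, check_reverse_dns(ip))
    for realm in ("TECHNICAL.MARKETING.COM", "technical.marketing.com"):
        print(realm, check_realm(realm))
```

The round-trip in check_reverse_dns matters: a PTR record that points at a name with no matching forward record is as much a failure for Kerberos as a missing PTR, so the check insists on both directions agreeing.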