HP Web Jetadmin 10.3 - User Guide
HP Jetdirect IPsec supports the Kerberos authentication method. The Kerberos authentication method
supports the AES128-SHA1 and AES256-SHA1 encryption types (aes128-cts-hmac-sha1-96 and
aes256-cts-hmac-sha1-96). These encryption types derive the principal's long-term key from the password with
PBKDF2, and the PBKDF2 iteration count sets how much work an attacker who captures Kerberos traffic must
spend to brute-force that password; it does not change the key length. The default iteration count in
HP Jetdirect is 4,096, which is the default that RFC 3962 specifies for the AES encryption types. The iteration
count in HP Jetdirect and the iteration count on the Kerberos domain controller must match: both sides derive
the key from the same password and salt, so different iteration counts produce different keys and Kerberos
pre-authentication fails. To change the iteration count on the Kerberos domain controller, create the following
Registry entry and provide the appropriate value. This Registry entry affects all of the Kerberos clients of the
domain controller, not only HP Jetdirect devices.
HKLM\SYSTEM\CurrentControlSet\Services\Kdc\IterationCount (DWORD)
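The program below is an added example and is not part of the HP guide or of any HP or Microsoft code. It implements the RFC 3962 string-to-key derivation that the device and the KDC both perform for the AES128-SHA1 and AES256-SHA1 encryption types (PBKDF2-HMAC-SHA1 with the configured iteration count, followed by the RFC 3961 DK step with the constant "kerberos"), and then derives the same password with two different iteration counts to show that the resulting keys differ, which is exactly why the two iteration counts have to match. The password, salt and low iteration counts in `main` are the RFC 3962 Appendix B test values; the 4,096 and 4,095 counts are constructed for the comparison. For an Active Directory user principal the salt is the upper-case realm name followed by the account name; the derivation itself is the same. Nothing here talks to a KDC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// 128-fold("kerberos"): the DK constant for the AES enctypes, from RFC 3961 Appendix A.
var nfoldKerberos = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898 section 5.2) written against the standard
// library only, so the example has no golang.org/x/crypto dependency.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha1.Size)
	var idx [4]byte
	for i := uint32(1); len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(idx[:], i)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for c := 1; c < iterations; c++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// stringToKey implements RFC 3962 string-to-key for aes128-cts-hmac-sha1-96 (keyLen 16)
// and aes256-cts-hmac-sha1-96 (keyLen 32):
//
//	tkey = random-to-key(PBKDF2(passphrase, salt, iterations, keyLen))
//	key  = DK(tkey, "kerberos")
//
// For AES, random-to-key is the identity and DK(key, constant) = DR(key, constant), where
// DR encrypts the n-folded constant with a zero IV and feeds each ciphertext block back in
// until keyLen bytes exist. CBC-CTS of a single 16-byte block with a zero IV is one AES
// block encryption, so block.Encrypt is the whole of each step.
func stringToKey(passphrase, salt string, iterations, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 32 {
		return nil, fmt.Errorf("keyLen must be 16 (AES128-SHA1) or 32 (AES256-SHA1), got %d", keyLen)
	}
	if iterations < 1 {
		return nil, fmt.Errorf("iteration count must be at least 1, got %d", iterations)
	}
	tkey := pbkdf2SHA1([]byte(passphrase), []byte(salt), iterations, keyLen)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 0, keyLen)
	prev := nfoldKerberos
	for len(key) < keyLen {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, prev)
		key = append(key, next...)
		prev = next
	}
	return key, nil
}

// preauthKeysAgree models the mismatch the guide warns about: the device (HP Jetdirect) and
// the KDC each derive the principal's key from the same password and salt but with their own
// configured iteration count. Pre-authentication can only succeed when the two keys are equal.
func preauthKeysAgree(passphrase, salt string, deviceIter, kdcIter, keyLen int) (bool, error) {
	deviceKey, err := stringToKey(passphrase, salt, deviceIter, keyLen)
	if err != nil {
		return false, err
	}
	kdcKey, err := stringToKey(passphrase, salt, kdcIter, keyLen)
	if err != nil {
		return false, err
	}
	return bytes.Equal(deviceKey, kdcKey), nil
}

func main() {
	// RFC 3962 Appendix B inputs; 4096 is the HP Jetdirect default, 4095 is a constructed mismatch.
	for _, iter := range []int{1, 2, 4096} {
		key, _ := stringToKey("password", "ATHENA.MIT.EDUraeburn", iter, 16)
		fmt.Printf("iterations=%-5d aes128 key=%s\n", iter, hex.EncodeToString(key))
	}
	ok, _ := preauthKeysAgree("password", "ATHENA.MIT.EDUraeburn", 4096, 4095, 32)
	fmt.Println("device 4096 vs KDC 4095, keys agree:", ok)
}
```

The RFC 3962 vectors (iteration count 1 and 2 with the "ATHENA.MIT.EDUraeburn" salt) are a quick way to confirm that a device or KDC implementation is deriving keys correctly before chasing an iteration-count mismatch in the field.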
The HP Web Jetadmin administrator can create an IPsec rule with Kerberos pre-authentication by using one
of the following methods:
● Use HP Web Jetadmin to configure the settings for the IPsec rule, which include the Kerberos server
admin credentials and the organizational unit (OU) path. HP Web Jetadmin uses these settings to create an
account on the Key Distribution Center (KDC) server.
● Log in to the KDC server and manually create an account. Then access the HP Embedded Web Server
(EWS) on the device, and configure the settings for the IPsec rule.
The HP Web Jetadmin administrator must not configure the settings for an IPsec rule by using
HP Web Jetadmin and then later update those settings by using the device EWS, or vice versa. HP Web Jetadmin
keeps its own copy of the rule and of the KDC account it created, and it does not read changes made through
the EWS back from the device. The following are examples of the conflicts that can occur:
● The HP Web Jetadmin administrator uses HP Web Jetadmin to create an IPsec rule that has an
encryption type of DES. Then the HP Web Jetadmin administrator uses the device EWS to change the
encryption type to AES-128. If the HP Web Jetadmin administrator then uses HP Web Jetadmin to
perform a refresh and reapply the rule to the device, the IPsec policy fails because the encryption type
for the Kerberos server account is still DES. To ensure that the encryption type is updated on the
Kerberos server, the HP Web Jetadmin administrator must use HP Web Jetadmin to change the
encryption type. Note that DES is a legacy Kerberos encryption type that is deprecated (RFC 6649) and
disabled by default on current Windows domain controllers, so a rule that still uses DES should be moved
to AES through HP Web Jetadmin rather than kept.
● The HP Web Jetadmin administrator uses HP Web Jetadmin to create an IPsec rule. Then the
HP Web Jetadmin administrator uses the device EWS to change the settings for the rule. When the
HP Web Jetadmin administrator views the rule in HP Web Jetadmin, the changes that were made by
using the EWS are not displayed. In this case, HP Web Jetadmin does not display an error message, and
the IPsec policy might not be applied correctly.
Kerberos Authentication
Use this feature to configure the device (multi-function peripheral, or digital sender) to authenticate users to
a Kerberos realm. When Kerberos authentication is selected as the Log In Method for one or more Device
Functions on the Authentication Manager feature, the user at the device must enter valid credentials
(username, password, and realm) to gain access to those functions.
Authentication consists of two sequential parts:
● The device verifies the user's credentials with the Key Distribution Center (KDC).
● After the user has been authenticated, the device looks up the user's email address and name.
If either step fails, the user is denied access to the functions that have been configured to require Kerberos
authentication.
Accessing the Kerberos Authentication Server
Kerberos Realm (domain): the fully qualified DNS name of the Active Directory domain that the KDC serves,
conventionally written in upper case, since Kerberos realm names are case-sensitive.