- Community Home
- >
- Software
- >
- HPE OneView
- >
- Kerberos authentication?
-
- Forums
-
- Advancing Life & Work
- Advantage EX
- Alliances
- Around the Storage Block
- HPE Ezmeral: Uncut
- OEM Solutions
- Servers & Systems: The Right Compute
- Tech Insights
- The Cloud Experience Everywhere
- HPE Blog, Austria, Germany & Switzerland
- Blog HPE, France
- HPE Blog, Italy
- HPE Blog, Japan
- HPE Blog, Middle East
- HPE Blog, Russia
- HPE Blog, Saudi Arabia
- HPE Blog, South Africa
- HPE Blog, UK & Ireland
-
Blogs
- Advancing Life & Work
- Advantage EX
- Alliances
- Around the Storage Block
- HPE Blog, Latin America
- HPE Blog, Middle East
- HPE Blog, Saudi Arabia
- HPE Blog, South Africa
- HPE Blog, UK & Ireland
- HPE Ezmeral: Uncut
- OEM Solutions
- Servers & Systems: The Right Compute
- Tech Insights
- The Cloud Experience Everywhere
-
Information
- Community
- Welcome
- Getting Started
- FAQ
- Ranking Overview
- Rules of Participation
- Tips and Tricks
- Resources
- Announcements
- Email us
- Feedback
- Information Libraries
- Integrated Systems
- Networking
- Servers
- Storage
- Other HPE Sites
- Support Center
- Aruba Airheads Community
- Enterprise.nxt
- HPE Dev Community
- Cloud28+ Community
- Marketplace
-
Forums
-
Blogs
-
Information
-
English
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
03-22-2017 04:03 PM
03-22-2017 04:03 PM
Kerberos authentication?
I saw a prior post that OneView does not support Kerberos for authentication but that it may make it into a future release.
Is Kerberos authentication on the roadmap?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
03-22-2017 08:33 PM
03-22-2017 08:33 PM
Re: Kerberos authentication?
We have looked at Kerberos authentication support, but have not recieved a lot of customers asking for it. What would be the use case for supporting Kerberos? Is it SSO with Internet Explorer? Is Secure LDAP not enough of an authentication mechanism?
I am an HPE employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
03-23-2017 01:55 PM
03-23-2017 01:55 PM
Re: Kerberos authentication?
We are looking to leverage the Protected Users security group to harden high privilege accounts. Members of that group are unable to do the following:
Authenticate with NTLM authentication.
Use DES or RC4 encryption types in Kerberos pre-authentication.
Be delegated with unconstrained or constrained delegation.
Renew the Kerberos TGTs beyond the initial four-hour lifetime.
I don't know the exact mechanism employed when authenticating via LDAP over TLS, but I discovered that members of the Protected Users security group cannot authenticate to OneView.
I just checked the Event Log on the domain controller after attempting to log in and found this message in the related event: "NTLM authentication failed because the account was a member of the Protected User group."
More info on the Protected Users group can be found here: https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
01-31-2019 05:36 AM
01-31-2019 05:36 AM
Re: Kerberos authentication?
Hello Chris,
In large environments (both Synergy and AD), managing certificates for LDAPS for every DC in a domain is not the best experience.
You already probably know, but Domain Controllers in an AD will evolve across time, new DC will appear, some other will disappears, certificates may be refreshed, and every single operation will impact every OneView server configured with AD authentication because of certificates and DC configuration management in OneView.
LDAP would solve the issue but would decrease security level, Kerberos integration can adress those points.
Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
02-05-2019 08:17 PM - edited 02-05-2019 08:18 PM
02-05-2019 08:17 PM - edited 02-05-2019 08:18 PM
Re: Kerberos authentication?
Hi @OCadm
We don't have kerberos authentication on the roadmap yet.
LDAPs / certificates make use of the customer's PKI infrastructure.
Are you stating that PKI is less secure than Kerberos?
Regards
Bhaskar
I am an HPE employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
02-15-2019 06:27 AM
02-15-2019 06:27 AM
Re: Kerberos authentication?
Hello BhaskarV,
"Are you stating that PKI is less secure than Kerberos?": I've not written such a thing. I've written that LDAP (not LDAPS) would avoid the administration overhead of certificates stored in Oneview to manage LDAPS, but at the price of a lower security.
Kerkeros integration does not introduce such administration overhead, and keep a good level of security. But i note that there is not many requests from customers for this feature and this is a costly change in Oneview development workload, so this is still not in HPE OV roadmap.
Best Regards,
CL
Hewlett Packard Enterprise International
- Communities
- HPE Blogs and Forum
© Copyright 2021 Hewlett Packard Enterprise Development LP