Kerberos authentication?

NerdyBarry · ‎03-22-2017

I saw a prior post that OneView does not support Kerberos for authentication but that it may make it into a future release.

Is Kerberos authentication on the roadmap?

ChrisLynchHPE · ‎03-22-2017

We have looked at Kerberos authentication support, but have not recieved a lot of customers asking for it. What would be the use case for supporting Kerberos? Is it SSO with Internet Explorer? Is Secure LDAP not enough of an authentication mechanism?

NerdyBarry · ‎03-23-2017

We are looking to leverage the Protected Users security group to harden high privilege accounts. Members of that group are unable to do the following:

Authenticate with NTLM authentication.
Use DES or RC4 encryption types in Kerberos pre-authentication.
Be delegated with unconstrained or constrained delegation.
Renew the Kerberos TGTs beyond the initial four-hour lifetime.

I don't know the exact mechanism employed when authenticating via LDAP over TLS, but I discovered that members of the Protected Users security group cannot authenticate to OneView.

I just checked the Event Log on the domain controller after attempting to log in and found this message in the related event: "NTLM authentication failed because the account was a member of the Protected User group."

More info on the Protected Users group can be found here: https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx