Configure Kerberos PIV/CAC Authentication for Windows Targets

As an administrator, you can implement Kerberos authentication with PIV/CAC smart cards to log in to LDAP-imported Windows target devices. For Kerberos authentication, you configure connections to one or more Kerberos Key Distribution Center (KDC) servers. You then associate each applicable device group or device with a KDC.
This topic describes:
  • Prerequisites for Using Kerberos PIV/CAC
  • Configure Connections to Kerberos KDC Servers
  • Associate a Device Group or Device with a Kerberos KDC Server
  • Log in to a Windows Target Device with a Smart Card

Prerequisites for Using Kerberos PIV/CAC
Verify the following prerequisites:
  • The applicable client workstations have the approved PIV/CAC hardware and software. Up to two smart card readers can be used on each workstation.
  • Network Level Authentication (NLA) is enabled on the applicable Windows RDP target devices. For more information about NLA, see Configure Windows Target Device Options.
  • One or more Kerberos KDC servers are available.

Configure Connections to Kerberos KDC Servers
Configure connections to one or more KDC servers.

Follow these steps:

  1. Navigate to Configuration, 3rd Party, KDC.
  2. Select Add to add a KDC Server.
     The Add KDC Server Configuration window appears.
  3. Enter the Kerberos KDC Server IP address and Port (typically 88).
  4. Select OK.
  5. Repeat these steps to add other KDC servers.

Associate a Device Group or Device with a Kerberos KDC Server
Associate a device group or device with a Kerberos KDC server.

Follow these steps:

  1. Navigate to Devices, Manage Devices, or Manage Device Groups.
  2. Select Add or Update to create or edit a Device or Group.
  3. On the KDC Server tab, select the KDC Server from the drop-down list.
  4. Select OK to save your changes.

If you specify a Kerberos KDC server at the device level, that device-level setting overrides any KDC server configuration for the device group. The KDC server of the device group is used only when no KDC server is specified for the device.

Log in to a Windows Target Device with a Smart Card
If you are a PIV/CAC smart card user, you can log in to a destination Windows system automatically.

Follow these steps:

  1. Log in to the UI.
  2. Select Access from the menu bar.
  3. On the Access page, select the RDP link for the desired device to launch a connection.
  4. Select Smart Card.
  5. Complete the following steps:
    1. Select a credential from the Choose a smart card credential (Kerberos authentication) drop-down list.
    2. If your environment supports mapping one smart card certificate to multiple accounts, select Add Hint and enter a Username Hint in the field that appears.
    3. Enter your smart card PIN.
  6. Select Login to access the target Windows device.
     If Kerberos is not being used, select Login Form to access the device.
  7. (Optional) To identify the authentication protocol, select the lock icon in the top toolbar of the RDP window. A pop-up window confirms that the identity of the remote computer was verified using Kerberos.
If your credentials are correct, you are logged in to the target device.