FredrikV
Contributor

Transparent Kerberos Auth & Captive Portal at the same time

Hi!

Sorry if this isn't considered a general topic. I did not find a relevant topic for Identity Awareness.

We have a Maestro implementation with several VSs running Identity Awareness. Users have the ID-agent installed, which authenticates transparently through external PDPs with the help of Kerberos. Works fine.

However, we also have a need for a manual authentication process for computers sharing "common accounts". The idea is that when a user is logged in to Windows with such an account and tries to reach resources on the Internet through a web browser, a captive portal appears where the user has to put in private AD credentials for Internet access.

The only problem seems to be that you either have to use Transparent Kerberos auth (which we already have along with agents) OR Browser Based auth for specific user groups. Is that a final call, or has anyone dealt with a similar scenario before and succeeded?

And yes, I have read the Identity Awareness Admin guide for R81.10, hence my control question.


Thanks!

Best regards,

Fredrik

3 Replies
PhoneBoy
Admin

Transparent Kerberos should be supported with Captive Portal users being able to log in.
I’m guessing what you’d like to be able to do is override what Transparent Kerberos says the identity is (namely, the “shared” user) with their own.
Don’t believe that’s currently possible.

I assume the shared user is the same across all these systems?
Does it work if you filter out these identities?
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

FredrikV
Contributor

Thanks. Yes, that's exactly what we are looking for. These shared accounts are used in certain healthcare situations where time is critical and the users don't have time to mess with personal passwords and account switching for accessing the OS. Instead, applications have personal logins.

We are not using any Identity Collector, as that solution was not suitable for our needs, hence we came up with ID-agents, transparent Kerberos and dedicated PDP layers.

Any other suggestions what could work here?

PhoneBoy
Admin

The only other thing I can think of to try is to change the priority of the Captive Portal in the Identity Conciliation process.
Mainly Captive Portal is not treated as "higher priority" than some other methods.
I don't know where Kerberos fits into this stack, but as the SK says, best to work with TAC on this.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Of course, if it turns out that "Transparent Kerberos" and actual Captive Portal have the same priority and you can't differentiate between them, then you might have an RFE on your hands.

The other option is to disable Transparent Kerberos in the browser.
I know that in Firefox this is disabled by default.
In Chrome, this can be centrally controlled, I believe: https://support.google.com/chrome/a/answer/10304441?hl=en

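One way to carry out the last suggestion above (switch off Negotiate in Chrome on the shared-account workstations so that the browser never answers the gateway's Kerberos challenge and the user lands on the Captive Portal instead) is a machine policy. This is an added example, not code from the thread or from Check Point; it assumes Windows, Chrome reading machine policy from HKLM\SOFTWARE\Policies\Google\Chrome, and the documented Chrome policies AuthSchemes and AuthServerAllowlist; the host pattern passed to the allowlist function is a placeholder.

```powershell
# Added example (not from the thread). Assumes Chrome's documented policy
# location HKLM\SOFTWARE\Policies\Google\Chrome and the AuthSchemes /
# AuthServerAllowlist policies from Chrome's enterprise policy list.
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Disable-ChromeNegotiate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Schemes Chrome may still use; 'negotiate' (Kerberos/SPNEGO) is left out on purpose.
        [string[]]$KeepSchemes = @('basic', 'digest', 'ntlm')
    )
    if ($KeepSchemes -contains 'negotiate') {
        throw "KeepSchemes must not contain 'negotiate'; removing it is the whole point."
    }
    if (-not (Test-Path $ChromePolicyKey)) {
        New-Item -Path $ChromePolicyKey -Force | Out-Null
    }
    $value = $KeepSchemes -join ','
    if ($PSCmdlet.ShouldProcess($ChromePolicyKey, "Set AuthSchemes=$value")) {
        Set-ItemProperty -Path $ChromePolicyKey -Name 'AuthSchemes' -Value $value -Type String
    }
}

function Test-ChromeNegotiateDisabled {
    # $true only when the policy exists and 'negotiate' is absent from it.
    $prop = Get-ItemProperty -Path $ChromePolicyKey -Name 'AuthSchemes' -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    $schemes = ($prop.AuthSchemes -split ',') | ForEach-Object { $_.Trim().ToLower() }
    return -not ($schemes -contains 'negotiate')
}

# Narrower alternative: keep Kerberos for intranet web apps but stop Chrome from
# offering it to hosts outside the list, which includes the gateway's portal.
function Set-ChromeAuthServerAllowlist {
    param([Parameter(Mandatory)][string[]]$AllowedHosts)   # placeholder, e.g. '*.corp.example'
    if (-not (Test-Path $ChromePolicyKey)) { New-Item -Path $ChromePolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $ChromePolicyKey -Name 'AuthServerAllowlist' `
        -Value ($AllowedHosts -join ',') -Type String
}

# Apply the blunt option and check it was written.
Disable-ChromeNegotiate
if (-not (Test-ChromeNegotiateDisabled)) { Write-Warning 'AuthSchemes policy not applied' }
```

Chrome reads the policy at its next start; chrome://policy on the workstation shows whether it was picked up and whether a GPO overrides it.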