Configure GSSAPI Server and Client Authentication
If the server host computer and client users are members of the same Windows domain, you can use GSSAPI for mutual authentication. With this configuration, both the client and server authenticate using Windows domain credentials. No host key is required and the user needs no password to connect to the server.
Note: The following procedures enable both client and server authentication using Windows domain credentials. Configuring just client authentication requires fewer steps. If you don't need GSSAPI for server authentication, see Configure Client Authentication using Windows Credentials.
To configure Windows domain accounts
- Add the server computer and client computers to the Windows domain.
- Launch the Active Directory Users and Computers console and add the client users to the domain.
- Configure the user accounts to use DES encryption. (Account > Account options > Use Des encryption types for this account).
Note: This change is required by the Reflection Kerberos client, and is needed only for GSSAPI server authentication.
- (Optional) If you want to use delegation of authentication, configure user account to be trusted for delegation (Account > Account options > User is Trusted for delegation).
- (Optional) If you want to use delegation of authentication, configure the server computer properties to trust this computer for delegation (General > Trust computer for delegation).
To configure the Reflection for Secure IT server
- Start the server console, and then click Configuration.
- Go to Authentication > GSSAPI / Kerberos V5, and then select Allow or Require.
- Go to Encryption > Key Exchange and confirm that the following (default) key exchange protocols are selected: gss-group1-sha1 with Kerberos 5 and gss-gex-sha1 with Kerberos 5.
To configure the Reflection for Secure IT Windows Client
- Start Reflection for Secure IT Windows Client.
- Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).
- From the General tab, under Authentication, select GSSAPI/Kerberos.
- From the GSSAPI tab, select Reflection Kerberos and click Configure.
- Configure Reflection Kerberos to use Windows logon credentials.
This is the first time you've used Reflection Kerberos
Click Use Windows logon values in the Reflection Kerberos Initial Configuration dialog box.
The Realm and KDC host values are supplied automatically.
You have already configured Reflection Kerberos
Set your Windows domain as your default realm and configure it to use Windows logon credentials. (Configuration > Configure Realms > Properties > Use Windows logon credentials).
- Use the Reflection Kerberos Manager to remove DES3_HMAC_SHA1 from the list of requested KDC encryption types. To edit this list use Configuration > Configure Realms > Properties > Encryption >Configure Encryption Types.
- When you configure the user for your client connection, you may need to include both the domain and user name using the format domain\user. This is required if the server computer has a local account name that matches your domain account. For example, if the local computer has a "joe" account and you log on using a domain account for "joe", you need to connect from the client as:
Note: Depending on your operating system, you may need to modify your system security settings to allow access to a terminal shell to users who authenticate using domain credentials. For more information, see Command Shell Access in Windows.