Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)
The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation (KCD) provides for the following:
- Integration with a reverse proxy that supports KCD.
- Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.
- Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.
When using this connection scheme, please note the following:
- The type of connection of KES devices to the reverse proxy must be "two-way SSL authentication", that is, a device must connect to the reverse proxy through its proprietary user certificate. To do this, you need to integrate the user certificate into the installation package of Kaspersky Endpoint Security for Android, which has been installed on the device. This KES package must be created by the Administration Server specifically for this device (user).
- You must specify the special (customized) certificate instead of the default server certificate for the mobile protocol:
- In the Administration Server properties window, in the Settings section, select the Open port for mobile devices check box and select Add certificate in the drop-down list.
- In the window that opens, specify the same certificate that was set on the reverse proxy when the point of access to the mobile protocol was published on the Administration Server.
- User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. Keep in mind that if the domain includes multiple root CAs, user certificates must be issued by the CA, which has been set in the publication on the reverse proxy.
You can make sure the user certificate is in compliance with the above-described requirement, using one of the following methods:
- Specify the special user certificate in the New package wizard and in the Certificate installation wizard.
- Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
- In the Integration with PKI section, configure integration with the Public Key Infrastructure.
- In the Issuance of mobile certificates section, specify the source of certificates.
Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:
- Point of access to the mobile protocol on the Administration Server is set up on port 13292.
- The name of the device with the reverse proxy is firewall.mydom.local.
- The name of the device with Administration Server is ksc.mydom.local.
- Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.
Domain account for Administration Server
You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server service will run. You can specify an account for the Administration Server service when installing the Administration Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration Server. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
A domain account must be specified by the following reasons:
- The feature for management of KES devices is an integral part of Administration Server.
- To ensure a proper functioning of Kerberos Constrained Delegation (KCD), the receive side (i.e., the Administration Server) must run under a domain account.
Service Principal Name for http/kes4mob.mydom.local
In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration Server, this will appear as follows:
setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr
Configuring the domain properties of the device with the reverse proxy (firewall.mydom.local)
To delegate traffic, you must trust the device with the reverse proxy (firewall.mydom.local) to the service defined by the SPN (http/kes4mob.mydom.local:13292).
To trust the device with the reverse proxy to the service defined by the SPN (http/kes4mob.mydom.local:13292), the administrator must perform the following actions:
- In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with the reverse proxy installed (firewall.mydom.local).
- In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
- In the Services to which this account can present delegated credentials list, add the SPN http/kes4mob.mydom.local:13292.
Special (customized) certificate for the publishing (kes4mob.mydom.global)
To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile protocol of Administration Server in Administration Console. To do this, in the properties window of the Administration Server, in the Settings section select the Open port for mobile devices check box and then select Add certificate in the drop-down list.
Please note that the server certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).
Configuring publication on the reverse proxy
On the reverse proxy, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQND kes4mob.mydom.global. Please note that publishing and the published access point (port 13292 of the Administration Server) must share the same server certificate.