HP Jetdirect IPsec supports the Kerberos authentication method. The Kerberos authentication method supports the AES128-SHA1 and AES256-SHA1 encryption types. These encryption types incorporate an iteration count that increases the work needed to derive the encryption keys. The default iteration count in HP Jetdirect is 4,096, which complies with current standards. The iteration count in HP Jetdirect and the iteration count on the Kerberos domain controller must match. To change the iteration count on the Kerberos domain controller, create the following Registry entry and provide the appropriate value. This Registry entry affects all of the Kerberos clients of the domain controller.

HKLM\SYSTEM\CurrentControlSet\Services\Kdc\IterationCount (DWORD)
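The following PowerShell script is an added example and is not part of the HP Web Jetadmin guide or HP's own tooling. It reads the IterationCount value named above on a Windows domain controller, compares it with the HP Jetdirect default of 4,096 stated in the guide, and only writes the DWORD when run with an -Apply switch (the switch and parameter names are this example's own). Because the value applies to every Kerberos client of that KDC, the script reports the mismatch first and changes nothing unless explicitly told to.

```powershell
# Added example (not from the HP Web Jetadmin guide). Run in an elevated
# PowerShell session on the Kerberos domain controller.
# $ExpectedIterationCount defaults to 4096, the HP Jetdirect default named in
# the guide. The -Apply switch is an assumption of this example.
param(
    [int]$ExpectedIterationCount = 4096,
    [switch]$Apply
)

# Registry location of the KDC iteration count, as given in the guide.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Name   = 'IterationCount'

# Read the current value; -ErrorAction SilentlyContinue returns $null when the
# value has not been created yet.
$current = Get-ItemProperty -Path $KdcKey -Name $Name -ErrorAction SilentlyContinue

if ($null -eq $current) {
    Write-Output "$Name is not set under $KdcKey."
} else {
    Write-Output "$Name is currently $($current.$Name)."
}

# Nothing to do when the KDC already matches the HP Jetdirect setting.
if ($null -ne $current -and $current.$Name -eq $ExpectedIterationCount) {
    Write-Output "Iteration count already matches HP Jetdirect ($ExpectedIterationCount)."
    return
}

# Report only, unless the administrator asked for the change. The value affects
# every Kerberos client of this domain controller, not just the HP device.
if (-not $Apply) {
    Write-Warning "Iteration count differs from $ExpectedIterationCount. Re-run with -Apply to set it."
    return
}

# Set-ItemProperty creates the DWORD value when it is absent and updates it
# when it already exists.
Set-ItemProperty -Path $KdcKey -Name $Name -Value $ExpectedIterationCount -Type DWord
Write-Output "$Name set to $ExpectedIterationCount."
```

Run it once without -Apply to confirm the current state, then with -Apply on each domain controller that the HP devices authenticate against, so that the KDC value and the HP Jetdirect value agree before the IPsec rule is applied.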

The HP Web Jetadmin administrator can create an IPsec rule with Kerberos pre-authentication by using one of the following methods:

Use HP Web Jetadmin to configure the settings for the IPsec rule, which includes the Kerberos server admin credentials and organization unit (OU) path. HP Web Jetadmin uses these settings to create an account on the Key Distribution Center (KDC) server.

Log in to the KDC server and manually create an account. Then access the HP Embedded Web Server (EWS) on the device, and configure the settings for the IPsec rule.

The HP Web Jetadmin administrator must not configure the settings for an IPsec rule by using HP Web Jetadmin and then later update those settings by using the device EWS, or vice versa. The following are examples of the conflicts that can occur:

The HP Web Jetadmin administrator uses HP Web Jetadmin to create an IPsec rule that has an encryption type of DES. Then the HP Web Jetadmin administrator uses the device EWS to change the encryption type to AES-128. If the HP Web Jetadmin administrator then uses HP Web Jetadmin to perform a refresh and reapply the rule to the device, the IPsec policy fails because the encryption type for the Kerberos server account is still DES. To ensure that the encryption type is updated on the Kerberos server, the HP Web Jetadmin administrator must use HP Web Jetadmin to change the encryption type.

The HP Web Jetadmin administrator uses HP Web Jetadmin to create an IPsec rule. Then the HP Web Jetadmin administrator uses the device EWS to change the settings for the rule. When the HP Web Jetadmin administrator views the rule in HP Web Jetadmin, the changes that were made by using the EWS are not displayed. In this case, HP Web Jetadmin does not display an error message and the IPsec policy might not be applied correctly.

Kerberos Authentication

Use this feature to configure the device (multifunction peripheral or digital sender) to authenticate users against a Kerberos realm. When Kerberos authentication is selected as the Log In Method for one or more Device Functions on the Authentication Manager feature, the user at the device must enter valid credentials (username, password, and realm) to gain access to those functions.

Authentication consists of two interdependent parts:

The device verifies the user's credentials with the Key Distribution Center (KDC).

After the device user has supplied valid credentials and has been authenticated, the device searches for the user's email address and name.

If either step fails, the user is denied access to the functions that have been configured to require Kerberos authentication.

Accessing the Kerberos Authentication Server

Kerberos realm (domain): the fully qualified domain name of the Kerberos realm (domain) that the device authenticates users against.

ENWW

Device Configuration Options for Security 363