By default, Artica use the NTLM method to be connected to your Active Directory server and to provide silent authentication with browsers inside the Windows Domain.
The Kerberos authentication method use the modern Microsoft Operating systems ( starting with Windows Vista)
- Kerberos Authentication is fastest than NTLM because it use the native way to negociate tickets between browsers and the Active Directory server.
- It must be used when using an Active Directory 2012 server with full features and with an Active Directory turned to be native 2012.
- It must be used if you want to run Artica Proxy with a load-balancer.
- Kerberos have some issues when using Windows XP workstations.
You must pay attention of pre-requesites when enabling the Kerberos Authentication.
1) You must have a reverse pointer to the proxy in your DNS server
- Beware the Artica Proxy <netbiosname > has Windows Netbios limitations of 15 characters
- The Time between the Artica Proxy and the Active Directory must be the same.
- Be sure that the dns domain of the Artica proxy server is the same of your Active Directory.
- We suggest to use a dedicated account that have “Join” privileges inside your Active Directory server ( eg proxyadm )
- Artica System DNS must use the DNS server used by the Active Directory server
- You must use the proxy fully qualified name (eg proxy.domain.tld ) in browsers/WPAD setting.
- In the Active Directory connection settings, turn on the Authenticate from Kerberos option
- If you want to use “Only kerberos“, choose this option in the Authentication method dtop-down list
- If you want to use both NTLM and Kerberos, use the all methods option.
- After the join process, check if your Proxy have correctly received Kerberos tickets from your Active Directory server using the Cached Kerberos Tickets button.