How to set up the Symantec Management Platform environment to use Kerberos authentication if NTLM is disabled


Article ID: 223575


Products

IT Management Suite

Issue/Introduction

Scenario:

Our security team wants to disable NTLM authentication on our Active Directory domain. I can see that the Altiris Agent (Symantec Management Agent (SMA)) connectivity credentials account is using NTLM. How do I get the agent to use Kerberos?

Environment

ITMS 8.1 RU2 and later

Resolution

We've tested and fixed SMA to use Kerberos if it is configured correctly. SMA does not use the "NTLM" security provider; it uses the "Negotiate" security provider in Windows, and the provider itself selects whether to use Kerberos or NTLM. If Kerberos is configured, the "Negotiate" security provider will use it. The important option "authPersistNonNTLM" should be set to True; otherwise, there will be HTTP authentication errors.

The attached document lists the steps needed to disable NTLM and make Kerberos communication work, based on a default environment installation.

Note: The following steps (see attached "ITMS 8.5 RU2-How to setup environment to use Kerberos authentication.pdf") are provided "AS-IS" since this is outside of our regular Support or testing procedures.
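The following script is an added example, not taken from the attached Symantec document. It audits the two settings named above on an IIS server: whether "Negotiate" is offered as a Windows Authentication provider, and whether "authPersistNonNTLM" is True. Assumptions: "authPersistNonNTLM" here is the attribute of that name in the IIS `windowsAuthentication` section, and the site name `Default Web Site` is a placeholder for whichever site or application serves agent traffic in your environment.

```powershell
# Added example: audit IIS Windows Authentication settings relevant to Kerberos.
# Run in an elevated PowerShell session on the IIS server.
param(
    [string]$Site = 'Default Web Site',  # assumption: placeholder, not from the article
    [switch]$Fix                          # when set, writes authPersistNonNTLM = True
)

Import-Module WebAdministration

$PsPath  = 'MACHINE/WEBROOT/APPHOST'
$Section = 'system.webServer/security/authentication/windowsAuthentication'

# Read one attribute of the windowsAuthentication section for the chosen site.
function Get-WinAuthProperty([string]$Name) {
    (Get-WebConfigurationProperty -PSPath $PsPath -Location $Site `
        -Filter $Section -Name $Name).Value
}

$enabled = Get-WinAuthProperty 'enabled'
$persist = Get-WinAuthProperty 'authPersistNonNTLM'

# Provider list in the order IIS offers it to clients.
$providers = @((Get-WebConfigurationProperty -PSPath $PsPath -Location $Site `
        -Filter "$Section/providers" -Name '.').Collection |
    ForEach-Object { $_.Value })

[pscustomobject]@{
    Site               = $Site
    WindowsAuthEnabled = $enabled
    Providers          = $providers -join ', '
    NegotiateOffered   = $providers -contains 'Negotiate'
    NegotiateFirst     = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
    AuthPersistNonNTLM = $persist
}

if (-not ($providers -contains 'Negotiate')) {
    Write-Warning "Negotiate is not in the provider list; Kerberos cannot be selected."
}

if (-not $persist) {
    if ($Fix) {
        Set-WebConfigurationProperty -PSPath $PsPath -Location $Site `
            -Filter $Section -Name 'authPersistNonNTLM' -Value $true
        Write-Output "authPersistNonNTLM set to True for '$Site'."
    } else {
        Write-Warning "authPersistNonNTLM is False; re-run with -Fix to set it to True."
    }
}
```

Without `-Fix` the script only reads configuration, so it can be run first to record the current state before NTLM is disabled.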

Attachments

1631218304845__ITMS 8.5 RU2-How to setup environment to use Kerberos authentication.pdf