Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
|
Kerberos authentication can be limited to specific IP address ranges and/or User-Agents.
By default, every client will receive a Kerberos authentication challenge (SPNEGO) if Kerberos is enabled in KSSO. If a given client does not support Kerberos or is not part of the domain, this can result in a bad user experience. The way clients handle Kerberos challenges is both application and platform-dependent. The most common issue is to have Windows desktop browsers that are not part of the AD domain, for example, an employee working from home or external consultants. When a Windows browser is unable to obtain a Kerberos ticket for any reason, it shows an NTLM fallback popup like the following:
...
To prevent this from happening, this browser must not receive a Kerberos challenge in the first place. This is where client restrictions come in.
Info |
---|
The purpose of Kerberos client restriction is to improve user experience only. It is not a security measure. |
Client IP restrictions
The screenshot below shows how this can be configured. The default is that every client will receive a Kerberos challenge. In the screenshot, only the client IP starting with 192.168.1.34 will receive a challenge:
...