Client IP restrictions

Owned by August Heltne
Last updated: Sept 18, 2024 by Steinar Line
2 min read

Kerberos authentication can be limited to to specific users, specific IP address ranges and/or User-Agents.

By default, every client will receive a Kerberos authentication challenge (SPNEGO) if Kerberos is enabled in KSSO. If a given client does not support Kerberos or is not part of the domain, this can result in a bad user experience. The way clients handle Kerberos challenges is both application and platform-dependent. The most common issue is to have Windows desktop browsers that are not part of the AD domain, for example, an employee working from home or external consultants. When a Windows browser is unable to obtain a Kerberos ticket for any reason, it shows an NTLM fallback popup like the following:

To prevent this from happening, this browser must not receive a Kerberos challenge in the first place. This is where client restrictions come in.

The purpose of Kerberos client restriction is to improve user experience only. It is not a security measure.

Client IP restrictions

The screenshot below shows how this can be configured. The default is that every client will receive a Kerberos challenge. In the screenshot, only the client IP starting with 192.168.1.34 will receive a challenge:

image-20240904-130426.png