Client IP restrictions

Kerberos authentication can be limited to specific users, specific IP address ranges and/or User-Agents.

By default, every client will receive a Kerberos authentication challenge (SPNEGO) if Kerberos is enabled in KSSO. If a given client does not support Kerberos or is not part of the domain, this can result in a bad user experience. The way clients handle Kerberos challenges is both application- and platform-dependent. The most common issue is Windows desktop browsers that are not part of the AD domain, for example an employee working from home or an external consultant. When a Windows browser is unable to obtain a Kerberos ticket for any reason, it shows an NTLM fallback popup.

To prevent this from happening, this browser must not receive a Kerberos challenge in the first place. This is where client restrictions come in.

The purpose of Kerberos client restriction is to improve user experience only. It is not a security measure.

Client IP restrictions

The screenshot below shows how this can be configured. The default is that every client will receive a Kerberos challenge. In the screenshot, only clients whose IP address starts with 192.168.1.34 will receive a challenge:

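The decision described above, written out as an added example (this is illustrative code, not KSSO's implementation): an empty restriction list reproduces the default of challenging every client, a configured entry is matched either as a plain prefix like the screenshot's 192.168.1.34 or, as an added assumption, as a CIDR range, and a client that does not match simply gets no `WWW-Authenticate: Negotiate` header. Behind a reverse proxy the client address must be taken from a header the proxy sets, which is one more reason this filter is a user-experience setting and not a security control.

```python
import ipaddress

# Constructed example mirroring the screenshot: only clients whose address
# starts with 192.168.1.34 get a challenge. A plain prefix is a string match,
# so "192.168.1.3" would also match 192.168.1.30 through 192.168.1.39;
# use a CIDR entry (an assumption added here) when an exact range is wanted.
ALLOWED_CLIENT_PATTERNS = ["192.168.1.34"]


def client_matches(client_ip: str, patterns: list[str]) -> bool:
    """Return True when client_ip matches any configured entry.

    An entry containing '/' is treated as a CIDR network; any other entry is
    a plain string-prefix match on the normalised textual form of the address.
    """
    addr = ipaddress.ip_address(client_ip)
    for pattern in patterns:
        if "/" in pattern:
            if addr in ipaddress.ip_network(pattern, strict=False):
                return True
        elif str(addr).startswith(pattern):
            return True
    return False


def should_send_kerberos_challenge(client_ip: str, patterns: list[str]) -> bool:
    """Decide whether this client receives the SPNEGO (Negotiate) challenge.

    An empty list reproduces the default: every client is challenged.
    A filtered-out client is not denied anything; it just falls through to
    whatever other login method is configured.
    """
    if not patterns:
        return True
    return client_matches(client_ip, patterns)


def auth_challenge_headers(client_ip: str, patterns: list[str]) -> dict:
    """Response headers for this client (constructed illustration)."""
    if should_send_kerberos_challenge(client_ip, patterns):
        return {"WWW-Authenticate": "Negotiate"}
    return {}
```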
