If a user logs in at a printer using Kerberos, then the LDD system uses the credentials to manipulate network files or interact with ECM systems.

Notes:

• Enable secure communication between printers and servers in the LMC for any device group that uses a solution with Kerberos authentication. For more information, see Enabling secure communication between servers and printers in a device group.
• Make sure that the date and time on the printer, LDD server, and KDC server are synchronized.

Configuring Kerberos authentication on printers

Notes:

• The following procedure applies only to e-Task 2+ printers. If these steps do not apply to your printer, then see the documentation for your printer.
• The names and locations of the settings mentioned in the following procedure may vary depending on the firmware installed on your printer.

1. Open a Web browser, and then type the printer IP address.

   Note: Locate the IP address from the printer home screen.

2. Click Settings > Security > Security Setup.

3. Under Advanced Security Setup, click Kerberos 5.

   Importing a Kerberos configuration file

   Importing a configuration file allows more control over Kerberos tickets.

   1. From the Import Kerberos File section, browse to the Kerberos configuration file.

   2. Click Submit to upload the file to the printer.

   The following example represents a minimal configuration file:

   [libdefaults]
       default_realm = MY.REALM
       kdc_timesync = 1
       forwardable = true
   
   [realms]
       MY.REALM = {
           kdc = MY.KDC.ADDRESS
       }

   Note: When a configuration file is used, tickets should be marked forwardable by default. Tickets must be forwardable in order to forward them to the LDD system. For more information about configuration files, see the Kerberos documentation.

   Creating a simple Kerberos configuration file

   1. From the Simple Kerberos Setup section, type the key distribution center (KDC) address in the KDC Address field.

   2. Enter the number of the port (1–88) used by the Kerberos server in the KDC Port field. The default is 88.

   3. Type the realm used by the Kerberos server in the Realm field.

   4. Click Submit.

4. Add a security template:

   1. Under Advanced Security Setup, click Security Template.

   2. Under Manage Security Templates, click Add a Security Template, and then type a security template name.

   3. Select the Kerberos_Building_Block authentication setup.

   4. Click Save Template > Return to Security Setup.

5. Configure access controls for profiles:

   1. Under Advanced Security Setup, click Access Controls.

   2. Apply the security template to all profiles or to a specific profile.

      • To apply the security template to all profiles on the printer, including eSF applications, select the security template that you created beside Use Profiles.

      • To apply the security template to an individual profile, do the following:

        1. Determine the access control number of the profile.

           Note: Keep the Embedded Web Server open while accessing LMC.

           1. From the Device Groups tab in LMC, select the device group that contains the printer and the solution.

           2. Select the Profiles task.

           3. In the main window, select the tab that corresponds to the device class of the printer.

           4. Find the number beside Access Control.

              Note: If 0 appears beside Access Control, then no access control number is assigned to the profile. For more information, contact your solution provider.

        2. From the Access Controls page in the Embedded Web Server, select a security template for the application corresponding to the access control number of the profile.

   3. Click Submit.

   Depending on the authentication setup, the printer may require user authentication before accessing the home screen or when accessing an LDD profile from the printer.

Configuring LDD servers for Kerberos authentication

When using Kerberos authentication, you may need to configure Kerberos on each LDD server in your system.

The LDD server requesting a ticket must have the KDC address and realm available in order to request a Kerberos ticket. Often, the KDC address and realm can be determined from the ticket forwarded from the printer. In this case, no configuration is necessary. A warning is included in the log indicating that the server is attempting to determine the KDC address and realm from a forwarded ticket.

To manually configure each LDD server for Kerberos authentication, do one of the following:

• Create a Kerberos configuration file for the server. This file may be a duplicate of the file uploaded to configure Kerberos on the printer, but we recommend a minimal configuration specifying only the KDC address and realm. The configuration file must be named krb5.ini, and it should be placed in the folder \Lexmark\Solutions\Security where LDD is installed on each LDD server. (You may have to create the Security folder.)

  Note: If you need to read the Kerberos configuration file from another location, see the Apache Tomcat documentation for more information.

• Set the KDC address and realm from the script. For more information, see the Lexmark Document Distributor SDK Guide.