If a user logs in at a printer by using Kerberos, then the LDD system uses the credentials to do the following:

• Manipulate network files.

• Interact with ECM systems.

Notes:

• Enable secure communication between printers and servers in LMC for any device group that uses a solution with Kerberos authentication. For more information, see Enabling secure communication between servers and printers in a device group.
• Make sure that the date and time on the printer, LDD server, and key distribution center (KDC) server are correct and synchronized.

Configuring Kerberos authentication on printers

Notes:

• The following procedure applies only to e-Task 2+ printers. If these steps do not apply to your printer, then see the documentation that came with your printer.
• The names and locations of the settings mentioned in the following procedure may vary depending on the firmware installed on your printer.

1. Obtain the printer IP address. Do either of the following:

   • Locate the IP address on the top of the printer home screen.

   • View the IP address in the TCP/IP section of the Network/Ports menu.

2. From the Embedded Web Server, click Settings > Security > Security Setup.

3. From the Advanced Security Setup section, click Kerberos 5.

4. Import or create a Kerberos configuration file.

   • To import a configuration file, do the following:

     Note: Importing a configuration file allows more control over Kerberos tickets.

     1. From the Import Kerberos File section, browse to the Kerberos configuration file.

     2. Click Submit.

     The following example represents a minimal configuration file:

     [libdefaults]
         default_realm = MY.REALM
         kdc_timesync = 1
         forwardable = true
     
     [realms]
         MY.REALM = {
             kdc = MY.KDC.ADDRESS
         }

     Note: When a configuration file is used, tickets must be marked forwardable by default. For more information, see the Kerberos documentation.

   • To create a configuration file, do the following:

     1. From the Simple Kerberos Setup section, in the KDC Address field, type the KDC address.

     2. In the KDC Port field, enter the port number that is used by the Kerberos server. You can set the value to 1–88.

     3. In the Realm field, type the realm that is used by the Kerberos server.

     4. Click Submit.

5. Add a security template. Do the following:

   1. From the Advanced Security Setup section, click Security Template.

   2. From the Manage Security Templates section, click Add a Security Template, and then type a security template name.

   3. In the Authentication Setup menu, select Kerberos Building Block.

   4. Click Save Template > Return to Security Setup.

6. Configure access controls for profiles.

   1. From the Advanced Security Setup section, click Access Controls, and then select a security template. Do either of the following:

      • To apply the security template to all profiles on the printer, in the Use Profiles menu, select the security template that you created.

      • To apply the security template to an individual profile, do the following:

        1. From LMC, determine the access control number of the profile.

           Note: Keep the Embedded Web Server open while accessing LMC.

           1. Click the Device Groups tab.

           2. From the Device Groups section, select the device group that contains the printer and the solution.

           3. From the Tasks section, select Profiles.

           4. From the main section, select a device class tab that corresponds to the device class of the printer.

           5. Find the number beside Access Control.

              Note: If 0 appears beside Access Control, then an access control number is not assigned to the profile. For more information, contact your Lexmark representative.

        2. From the Embedded Web Server, in the Access Controls page, select a security template for the application corresponding to the access control number of the profile.

   2. Click Submit.

   Depending on the authentication setup, the printer may require user authentication before accessing the home screen or when accessing an LDD profile from the printer.

Configuring LDD servers for Kerberos authentication

The LDD server that is requesting a Kerberos ticket must have the following components:

• KDC address

• Realm

If the KDC address and realm are determined from the ticket that is forwarded from the printer, then configuration is not necessary. A warning is included in the log indicating that the server is attempting to determine the KDC address and realm from a forwarded ticket.

To configure each LDD server for Kerberos authentication manually, do either of the following:

• Create a duplicate Kerberos configuration file for the server.

  We recommend specifying only the KDC address and realm for the server configuration. Name the configuration file krb5.ini, and then save it in the \Lexmark\Solutions\Security folder on each server where LDD is installed. You may need to create the Security folder.

  Note: For more information on reading the Kerberos configuration file from another location, see the Apache Tomcat documentation.

• Set the KDC address and realm from the script. For more information, see the Lexmark Document Distributor SDK Guide.