If a user logs on at a printer using Kerberos, the credentials can be used by the Lexmark Distributed Intelligent Capture system to manipulate files on the network and interact with ECM systems on behalf of the user.
Type the printer IP address or host name in the address field of your Web browser to access the printer Embedded Web Server.
Note: If you do not know the IP address or host name of the printer, then you can:
View the information on the printer control panel home screen, or in the TCP/IP section under the Networks/Ports menu.
Print a network setup page or menu settings page and locate the information in the TCP/IP section.
Click Settings > Security > Security Setup.
Configure the connection to the Kerberos Domain Controller:
In the “Step 1: Configuring a Security Building Block” section, click Kerberos 5.
Select a configuration method:
To import a Kerberos configuration file, which allows more control over Kerberos tickets, use the Import Kerberos File section:
Click Browse to find the krb5.conf file.
Click Submit.
Notes:
The following example represents a minimal configuration file:
    [libdefaults]
        default_realm = MY.REALM
        kdc_timesync = 1
        forwardable = true

    [realms]
        MY.REALM = {
            kdc = MY.KDC.ADDRESS
        }
When a configuration file is used, tickets should be marked forwardable by default. Tickets must be forwardable in order to forward them to the Lexmark Distributed Intelligent Capture system.
For more information about configuration files, see the Kerberos documentation.
To use a simple Kerberos setup, use the Simple Kerberos Setup section:
In the KDC Address field, type the key distribution center (KDC) address.
In the KDC Port field, type the number of the port ( – ) used by the Kerberos server. The default is .
In the Realm field, type the realm used by the Kerberos server.
Click Submit.
Click Test Setup to verify that the Kerberos configuration file for the selected device is functional.
Click Return to Edit security Setup.
Add a security template:
In the “Step 2: Set up a Security Template” section, click Security Template.
Click Add a Security Template.
Type a security template name.
Select the Kerberos_Building_Block authentication setup.
Click Save Template > Return to Security Setup.
Configure access controls for profiles:
In the “Step 3: Apply your Security Template to one or more Access Controls.” section, click Access Controls.
Apply the security template to either all profiles or a specific profile:
To apply the security template to all profiles on the printer, including eSF applications, select the security template you created beside Use Profiles.
To apply the security template to an individual profile:
Determine the access control number of the profile:
Note: Keep the printer Embedded Web Server open while accessing LMC.
From the Device Groups tab in LMC, select the device group that contains the printer and the solution.
Select the Profiles task.
In the main window, select the tab that corresponds to the device class of the printer.
Find the number beside Access Control.
Note: If appears beside Access Control, then no access control number has been assigned to the profile. For more information, contact the developer of the solution.
From the Access Controls page in the printer Embedded Web Server, locate the setting between Solution 1 and Solution 10 that corresponds to the access control number assigned to the profile, and select the security template you created.
Click Submit.
Depending on the overall authentication setup on the printer, the user is required to provide authentication either before accessing the home screen or when accessing a Lexmark Distributed Intelligent Capture profile from the printer.
When using Kerberos authentication, you may need to configure Kerberos on each Lexmark Distributed Intelligent Capture server in your system.
The Lexmark Distributed Intelligent Capture server requesting a ticket must have the KDC address and realm available in order to request a Kerberos ticket. Often, the KDC address and realm can be determined from the ticket forwarded from the printer. In this case, no configuration is necessary. A warning is included in the log indicating that the server is attempting to determine the KDC address and realm from a forwarded ticket.
To manually configure each Lexmark Distributed Intelligent Capture server for Kerberos authentication, do one of the following:
Create a Kerberos configuration file for the server. This file may be a duplicate of the file uploaded to configure Kerberos on the printer, but we recommend a minimal configuration specifying only the KDC address and realm. The configuration file must be named krb5.ini, and it should be placed in the folder \Lexmark\Solutions\Security where Lexmark Distributed Intelligent Capture is installed on each server. You may have to create the Security folder.
Note: If you need to read the Kerberos configuration file from another location, see the Apache Tomcat documentation for more information.
Set the KDC address and realm from the script.
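Added example, not Lexmark code: a Python check that can be run on a krb5.conf before it is imported to the printer, or on a server's krb5.ini, to confirm that the default realm has a KDC and, for the printer file, that tickets are marked forwardable. The function names and the need_forwardable parameter are assumptions made for this example, and the sample file is constructed from the minimal configuration shown earlier.

```python
import re
# Constructed sample, modelled on the minimal configuration file shown earlier.
SAMPLE_OK = """[libdefaults]
default_realm = MY.REALM
kdc_timesync = 1
forwardable = true
[realms]
MY.REALM = {
    kdc = MY.KDC.ADDRESS
}
"""
SAMPLE_BAD = SAMPLE_OK.replace("forwardable = true", "forwardable = false")

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and '{ }' sub-blocks into dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if section := re.fullmatch(r"\[([^\]]+)\]", line):
            stack = [root, root.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 2:
            stack.pop()  # end of a sub-block
        elif "=" in line and len(stack) > 1:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return root

def check_krb5_conf(text, need_forwardable=True):
    """List problems; need_forwardable=False suits the minimal server krb5.ini."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    problems = []
    realm = (lib.get("default_realm") or [None])[0]
    realm_block = conf.get("realms", {}).get(realm)
    if realm is None:
        problems.append("libdefaults: default_realm is not set")
    elif not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        problems.append(f"realms: no kdc defined for {realm}")
    # MIT Kerberos treats forwardable as false unless the file enables it.
    forwardable = (lib.get("forwardable") or ["false"])[0].lower()
    if need_forwardable and forwardable not in ("true", "yes", "on", "1"):
        problems.append("libdefaults: forwardable is not enabled")
    return problems
```

An empty list from check_krb5_conf means the file meets the requirements stated on this page; it does not replace the Test Setup step in the Embedded Web Server.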