State of knowledge

August 2023

ProCall 8 Enterprise from 8.1
ProCall DataCenter from 2210.3

Functionality

Kerberos authentication has been implemented so that the ProCall client for Windows logs in to the UCServer via Kerberos by default. No further action is required from users or administrators.

SPN registration

The UCServer registers its Service Principal Name (SPN) for the "eucsrv" class of service at startup.

Required permissions

The account under which the UCServer runs must have the "Validated write to servicePrincipalName" permission on its own account object, otherwise the registration at startup fails.
For computer accounts (and therefore for services running under LocalSystem) this is the Windows default. If the UCServer runs under a dedicated domain user account, a domain administrator has to grant that account the permission (or register the SPN on its behalf).

On exit, the UCServer removes its SPN registration again.

Authentication methods

By default, the UCServer offers Kerberos and NTLM to the ProCall client for Windows for domain authentication.

Negotiate is disabled by default and should currently not be offered, because it causes problems, especially in connection with the "VPN-less" connection.

The methods offered can be limited as follows:

  • For ProCall Enterprise:

    general.xml

    <UserManagerDisabledAuthMethods>
    	<Method>Negotiate</Method>
    </UserManagerDisabledAuthMethods>

  • For ProCall DataCenter:

    Configuration database

    Key: "general.usermanager.UserManagerDisabledAuthMethods"
    Value: ["Negotiate"]

If the <UserManagerDisabledAuthMethods> element (Enterprise) or the "general.usermanager.UserManagerDisabledAuthMethods" key (DataCenter) is not present, the default applies, i.e. only Negotiate is disabled.

If the element or key is present but contains no <Method> entry or value, all methods, including Negotiate, are enabled. Removing all entries is therefore not a way back to the default; delete the element or key instead.

Other methods can be disabled as follows:

  • For ProCall Enterprise:

    general.xml

    <UserManagerDisabledAuthMethods>
    	<Method>Negotiate</Method>
    	<Method>Kerberos</Method>
    </UserManagerDisabledAuthMethods>

  • For ProCall DataCenter:

    Configuration database

    Key: "general.usermanager.UserManagerDisabledAuthMethods"
    Value: ["Negotiate", "Kerberos"]

In certain domain constellations Kerberos cannot be used. In that case we recommend disabling the Kerberos authentication method.

If multiple authentication methods are offered, ProCall client for Windows uses the methods in the following priority:

  1. Negotiate
  2. Kerberos
  3. NTLM

Disabled methods are skipped. If the login fails with the first method used, the login is considered failed and no further method is attempted. The one exception is the token request under Kerberos: if the authentication server issues no token, a fallback to NTLM is attempted (provided NTLM is not disabled).

If all authentication methods are disabled, the client still uses NTLM, so that a misconfiguration cannot lock all users out.
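The rules above (absent element or key versus present-but-empty, the client priority, the Kerberos-to-NTLM fallback, and the NTLM safety net) are easy to get wrong when editing general.xml or the configuration database. The following Python script, added here as an illustration and not part of ProCall or the estos documentation, evaluates a configuration fragment exactly as described and prints which method the client will actually use. The <general> root around the element and the way the DataCenter key is handed in as a dict are assumptions made for this example.

```python
import json
import xml.etree.ElementTree as ET

# Client preference order as documented: Negotiate, then Kerberos, then NTLM.
PRIORITY = ["Negotiate", "Kerberos", "NTLM"]
DATACENTER_KEY = "general.usermanager.UserManagerDisabledAuthMethods"


def disabled_from_general_xml(xml_text):
    """Disabled methods according to a general.xml fragment (ProCall Enterprise).

    Documented rules:
      element absent                -> default: only Negotiate is disabled
      element present but empty     -> nothing disabled (Negotiate included!)
      element with <Method> entries -> exactly those methods are disabled
    """
    root = ET.fromstring(xml_text)
    if root.tag == "UserManagerDisabledAuthMethods":
        elem = root
    else:
        elem = root.find(".//UserManagerDisabledAuthMethods")
    if elem is None:
        return {"Negotiate"}
    return {m.text.strip() for m in elem.findall("Method") if m.text and m.text.strip()}


def disabled_from_datacenter(config):
    """Disabled methods according to the configuration database key (ProCall DataCenter).

    `config` is a dict {key: value}; the value is the stored JSON array, passed either
    as a Python list or as its JSON text. Same absent/empty semantics as for the XML.
    """
    if DATACENTER_KEY not in config:
        return {"Negotiate"}
    value = config[DATACENTER_KEY]
    if isinstance(value, str):
        value = json.loads(value) if value.strip() else []
    return set(value or [])


def client_login_order(disabled):
    """Methods the ProCall client for Windows will actually use, in order.

    Only the first enabled method is tried; a failure there is final. The documented
    exception is Kerberos: if the authentication server issues no token, the client
    falls back to NTLM (when NTLM is enabled). If everything is disabled, NTLM is
    used anyway to guard against misconfiguration.
    """
    offered = [m for m in PRIORITY if m not in disabled]
    if not offered:
        return ["NTLM"]
    order = [offered[0]]
    if offered[0] == "Kerberos" and "NTLM" in offered:
        order.append("NTLM")  # reached only if no Kerberos token could be issued
    return order


# Constructed sample fragments (the surrounding <general> root is an assumption
# made for this example; the element itself is as documented).
DEFAULT_XML = "<general/>"  # element absent -> only Negotiate disabled
RESET_TRAP_XML = "<general><UserManagerDisabledAuthMethods/></general>"  # empty -> all enabled
NO_KERBEROS_XML = """<general>
  <UserManagerDisabledAuthMethods>
    <Method>Negotiate</Method>
    <Method>Kerberos</Method>
  </UserManagerDisabledAuthMethods>
</general>"""

if __name__ == "__main__":
    samples = [("default", DEFAULT_XML), ("empty element", RESET_TRAP_XML), ("Kerberos off", NO_KERBEROS_XML)]
    for name, xml_text in samples:
        disabled = disabled_from_general_xml(xml_text)
        print(f"{name:14} disabled={sorted(disabled)} client tries {client_login_order(disabled)}")
```

Run against the three constructed fragments, the script reports that the default offers Kerberos (with NTLM only as the no-token fallback), that an empty element silently re-enables Negotiate, and that disabling Negotiate and Kerberos leaves NTLM as the only method.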

Review

SPN entries can be checked from a command prompt as follows:

  • All SPNs registered for an account or server: "setspn -L <account or server name>".
  • All servers for which an SPN with the service class "eucsrv" is registered: "setspn -q eucsrv/*".

The use of Kerberos can be verified as follows:

  • The client log can be searched for "Using SSPI method". Example output:

    Log output

    03.2023 08:34:03:775;32;mainthread-6992;ENetCtiClientBase::LoginSSPI;Using SSPI method Kerberos with parameter "eucsrv/cti-server.estos.de"
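The log check above can be automated over a whole client log. The following Python snippet is an added example, not part of the ProCall client or the estos documentation: it extracts every "Using SSPI method" entry and gives a verdict on the last login, flagging an SPN that does not match the expected server and an NTLM login (which means Kerberos is disabled or the fallback was taken because no ticket was issued). The sample log is constructed: its first line is the documented example, the second is an assumed NTLM entry whose exact parameter text is not documented.

```python
import re

# Matches the documented client log entry, e.g.
#   ...;ENetCtiClientBase::LoginSSPI;Using SSPI method Kerberos with parameter "eucsrv/cti-server.estos.de"
# The parameter part is optional so that entries for other methods also match.
SSPI_RE = re.compile(
    r'Using SSPI method (?P<method>\w+)(?: with parameter "(?P<param>[^"]*)")?'
)


def sspi_logins(log_text):
    """Return (method, parameter) for every 'Using SSPI method' entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = SSPI_RE.search(line)
        if m:
            hits.append((m.group("method"), m.group("param")))
    return hits


def check_kerberos_login(log_text, server_fqdn):
    """Verdict on the most recent SSPI login in the log.

    Returns (ok, message). ok is True only if Kerberos was used against the SPN
    eucsrv/<server_fqdn>; otherwise the message says what to look at.
    """
    hits = sspi_logins(log_text)
    if not hits:
        return False, "no 'Using SSPI method' entry found; check the client log level"
    method, param = hits[-1]
    expected = f"eucsrv/{server_fqdn}"
    if method == "Kerberos":
        if param and param.lower() == expected.lower():
            return True, f"Kerberos used with SPN {param}"
        return False, (f"Kerberos used, but SPN {param!r} does not match {expected!r}; "
                       "compare with setspn -L / setspn -q eucsrv/*")
    if method == "NTLM":
        return False, ("NTLM used: Kerberos is disabled or no ticket could be issued and "
                       "the client fell back; verify the eucsrv SPN registration")
    return False, f"unexpected SSPI method {method}"


# Constructed sample log (line 1 is the documented example, line 2 is assumed).
SAMPLE_LOG = """03.2023 08:34:03:775;32;mainthread-6992;ENetCtiClientBase::LoginSSPI;Using SSPI method Kerberos with parameter "eucsrv/cti-server.estos.de"
03.2023 08:35:10:120;32;mainthread-6992;ENetCtiClientBase::LoginSSPI;Using SSPI method NTLM
"""
KERBEROS_ONLY_LOG = SAMPLE_LOG.splitlines()[0]

if __name__ == "__main__":
    for log in (KERBEROS_ONLY_LOG, SAMPLE_LOG):
        ok, msg = check_kerberos_login(log, "cti-server.estos.de")
        print("OK  " if ok else "FAIL", msg)
```

The comparison is case-insensitive because SPN lookups in Active Directory are; a mismatch between the host name the client resolved and the registered SPN is the most common reason for an unexpected NTLM login.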