Kerberos authentication for ProCall
August 2023
ProCall 8 Enterprise from 8.1
ProCall DataCenter from 2210.3
Functionality
Kerberos authentication has been implemented so that the ProCall client for Windows uses Kerberos by default to log in to the UCServer. No further action is required from users or administrators.
SPN registration
The UCServer registers its Service Principal Name (SPN) for the "eucsrv" class of service at startup.
Required permissions
The account under which the UCServer runs must have the Validated Write servicePrincipalName permission.
For computer accounts (and services running under LocalSystem) this is the Windows default.
On exit, the UCServer removes its SPN registration again.
Authentication methods
By default, the UCServer offers Kerberos and NTLM to the ProCall client for Windows for domain authentication.
The methods offered can be limited as follows:
For ProCall Enterprise:
general.xml
<UserManagerDisabledAuthMethods>
    <Method>Negotiate</Method>
</UserManagerDisabledAuthMethods>
For ProCall DataCenter:
Configuration database
Key: "general.usermanager.UserManagerDisabledAuthMethods"
Value: ["Negotiate"]
If the <UserManagerDisabledAuthMethods> element or the "general.usermanager.UserManagerDisabledAuthMethods" key is not present, the default applies (Negotiate disabled).
If the element or key is present but without <Method> or value, all methods (incl. Negotiate) are enabled.
Other methods can be disabled as follows:
For ProCall Enterprise:
general.xml
<UserManagerDisabledAuthMethods>
    <Method>Negotiate</Method>
    <Method>Kerberos</Method>
</UserManagerDisabledAuthMethods>
For ProCall DataCenter:
Configuration database
Key: "general.usermanager.UserManagerDisabledAuthMethods"
Value: ["Negotiate", "Kerberos"]
In certain domain constellations, Kerberos cannot be used. In that case we recommend disabling the Kerberos authentication method.
If multiple authentication methods are offered, ProCall client for Windows uses the methods in the following priority:
- Negotiate
- Kerberos
- NTLM
Methods that are switched off are skipped. If the login fails with the first method used, the login is considered failed and no further method is attempted. The one exception is the Kerberos token request: if the authentication server issues no token, the client falls back to NTLM (unless NTLM is disabled).
If all authentication methods are disabled, the client still uses NTLM, so that a misconfiguration does not block all logins.
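The configuration semantics and the selection rules above, as an added Python example (not code from estos or the ProCall product): it parses the disabled-methods setting in both the general.xml and the DataCenter form and returns the method the client ends up using. The function names and the dict representation of the configuration database key are assumptions.

```python
import xml.etree.ElementTree as ET

# Order in which the client tries the offered methods (from the documentation).
PRIORITY = ["Negotiate", "Kerberos", "NTLM"]
DC_KEY = "general.usermanager.UserManagerDisabledAuthMethods"


def disabled_from_general_xml(xml_text):
    """Disabled methods from a general.xml fragment or document.
    Element absent -> default (Negotiate disabled); element present but
    without <Method> children -> nothing disabled."""
    root = ET.fromstring(xml_text)
    elem = root if root.tag == "UserManagerDisabledAuthMethods" \
        else root.find(".//UserManagerDisabledAuthMethods")
    if elem is None:
        return {"Negotiate"}
    return {m.text.strip() for m in elem.findall("Method") if m.text and m.text.strip()}


def disabled_from_datacenter(config):
    """Same semantics for the DataCenter key; `config` is an assumed dict
    view of the configuration database (key -> value)."""
    if DC_KEY not in config:
        return {"Negotiate"}
    return set(config[DC_KEY] or [])


def select_method(disabled, kerberos_token_issued=True):
    """Method the client actually uses. Returns None when the login fails
    outright (first method fails and no fallback is permitted)."""
    enabled = [m for m in PRIORITY if m not in disabled]
    if not enabled:
        return "NTLM"           # everything disabled: client still uses NTLM
    method = enabled[0]
    if method == "Kerberos" and not kerberos_token_issued:
        # Only documented fallback: no Kerberos token -> NTLM, if NTLM allowed
        return "NTLM" if "NTLM" not in disabled else None
    return method


if __name__ == "__main__":
    # Constructed sample: the default fragment shown in the documentation.
    sample = "<UserManagerDisabledAuthMethods><Method>Negotiate</Method></UserManagerDisabledAuthMethods>"
    d = disabled_from_general_xml(sample)
    print("disabled:", sorted(d), "-> client uses", select_method(d))
    print("no Kerberos token ->", select_method(d, kerberos_token_issued=False))
```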
Review
SPN entries can be checked via command prompt as follows:
- All SPNs registered for an account/server: "setspn -L <account or servername>".
- All servers for which an SPN with the service class "eucsrv" is registered: "setspn -q eucsrv/*".
The use of Kerberos can be verified as follows:
The client log can be searched for "Using SSPI method". An example of the output:
Log output
03.2023 08:34:03:775;32;mainthread-6992;ENetCtiClientBase::LoginSSPI;Using SSPI method Kerberos with parameter "eucsrv/cti-server.estos.de"