
Kerberos Authentication


Summary

When using NTLM Authentication on SecureSchool, SecureSchool talks to the Windows Active Directory Domain Controller to validate the user and get the user's information. On very busy networks, a bottleneck can develop between SecureSchool and the domain controller. This is because Windows domain controllers can only process a small number of NTLM authentication requests at a time (by default it is 1, though it can be changed up to 10 with a registry change). So if a large number of users try to browse the Internet all at once, there can be a delay while SecureSchool talks to the domain controller to validate each user.

Kerberos Authentication is a different way of validating users. When a user logs on to a workstation, that workstation is issued a "ticket" for the user, which validates the user and their permissions. When that user attempts to browse the Internet, the workstation sends the "ticket" to SecureSchool. SecureSchool then simply verifies that the ticket is valid and lets the user browse. When using Kerberos, there's no need for SecureSchool to take the extra step of talking to the domain controller.

Unlike NTLM Authentication, Kerberos Authentication requires that your network be set up to allow SecureSchool to perform Kerberos Authentication correctly.

More Information

There are a few things that need to be done to the domain and proxy settings to make Kerberos authentication work correctly.

  1. In the DNS zone for the domain, create an A record for SecureSchool. For example, if the domain is “MySchool.Internal”, create an A record “SecureSchool.MySchool.Internal”.
  2. If proxy settings are deployed using Active Directory Group Policies, make sure that the proxy server is specified with the full DNS name and not the IP address.  For example, most people use “192.168.1.1” as the proxy server address.  Instead, you should use “SecureSchool.MySchool.Internal”.
  3. If proxy settings are deployed using a custom wpad file other than the one located on SecureSchool, that file needs to be edited to make sure that the proxy server in the file uses the full DNS name and not the IP address.
  4. If proxy settings are deployed using the file on SecureSchool, that file is maintained by the appliance and all necessary changes will be done automatically.
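
One way to check a custom wpad file for step 3, as an added example that is not K12USA's code: the script scans the file's proxy directives and flags any host given as an IP address or a short name instead of the full DNS name. The sample file contents and port 8080 are constructed for illustration.

```javascript
// Added example (not vendor code): flag PAC/wpad proxy entries that are not full DNS names.

// Constructed sample wpad file. Host names follow the article's MySchool.Internal
// example; port 8080 is an assumption made for illustration.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(host, "*.myschool.internal")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "PROXY 192.168.1.1:8080";
  return "PROXY SecureSchool.MySchool.Internal:8080; PROXY secureschool:8080; DIRECT";
}`;

// A proxy directive inside a PAC return string: keyword, host, optional port.
const DIRECTIVE = /\b(PROXY|HTTPS?|SOCKS[45]?)\s+(\[[^\]]+\]|[^\s:;"']+)(?::(\d+))?/g;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Classify the host part of a directive.
function classifyHost(host) {
  if (IPV4.test(host) || host.startsWith('[')) return 'ip-literal'; // IPv4 or [IPv6]
  if (!host.includes('.')) return 'short-name'; // single label, not a full DNS name
  return 'fqdn';
}

// Return one finding per proxy directive, with the 1-based line it appears on.
function auditPac(pacText) {
  const findings = [];
  pacText.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(DIRECTIVE)) {
      const kind = classifyHost(m[2]);
      findings.push({ line: i + 1, host: m[2], kind, ok: kind === 'fqdn' });
    }
  });
  return findings;
}

// Report on the constructed sample.
for (const f of auditPac(SAMPLE_PAC)) {
  console.log(`line ${f.line}: ${f.host} -> ${f.kind}${f.ok ? '' : '  (use the full DNS name)'}`);
}
```

To check a real file, pass its text to `auditPac`; commented-out directives are reported too, since the scan is line-based and does not parse the JavaScript.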

Once the above steps are done, contact us at 877-225-0100 and we can switch the appliance from NTLM to Kerberos Authentication.
