[KB8184] Set up Active Directory Integration for ESET PROTECT On-Prem (Linux Component Install)

Issue

Prerequisites

In the instructions below, the following environment is used as an example:

  • ESET PROTECT On-Prem Linux Distribution: Ubuntu Server 20.04
  • ESET PROTECT On-Prem Hostname: protect
  • ESET PROTECT On-Prem FQDN: protect.test.local
  • ESET PROTECT On-Prem IP Address: 10.123.1.2

  • Active Directory Domain: test.local
  • NetBIOS Domain: TEST
  • Domain Controller: dc.test.local (10.123.1.1)
  • ESET PROTECT On-Prem Active Directory (AD) User Account: eset.protect@test.local (eset.protect)

Solution

Configure Active Directory Integration for ESET PROTECT On-Prem

Verify before you proceed

Ensure that you set default_realm to your Active Directory Domain in capitals, and that the realm definition under [realms] uses the same capitalized name.

Ensure that you specify your Domain Controller as KDC (Key Distribution Center) under the realm definition for your Active Directory Domain. If you have multiple Domain Controllers, specify multiple KDCs.

Ensure that you map the Active Directory Domain (prefixed with ".") to the realm name (your Active Directory Domain but capitalized) under domain_realm.

  1. Configure Kerberos at /etc/krb5.conf:

[libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = true

[realms]
TEST.LOCAL = {
        kdc = dc.test.local
}

[domain_realm]
        .test.local = TEST.LOCAL

  2. Configure DNS resolution. systemd-resolved may cause issues with Kerberos.

    1. Run the following commands:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved

    2. Configure /etc/hosts. Add your ESET PROTECT On-Prem server and your Domain Controllers to the hosts file. Take note of the order of the FQDN and aliases after the IP address: net join uses the first name defined for your host (for example, in the SPN) when joining the system to the domain, so the FQDN must come first. All values are tab-separated.

127.0.0.1       localhost
10.123.1.2      protect.test.local  protect
10.123.1.1      dc.test.local    dc

  3. Configure time synchronization. By default, Active Directory Kerberos participants tolerate a maximum clock difference of 5 minutes from the Kerberos KDC (in our case, the Domain Controller); a larger skew causes Kerberos authentication to fail.

If you use ESET PROTECT On-Prem on a Virtual Machine (VM), your Hypervisor may already provide a VM agent that handles this. If not, systemd-timesyncd should suffice. You can also use ntpd.

The procedure below uses systemd-timesyncd:

    1. Configure /etc/systemd/timesyncd.conf. NTP server addresses are separated by spaces. Specify each of your Domain Controllers.

[Time]
NTP=10.123.1.1

    2. Ensure that systemd-timesyncd is set to sync and force it to resync. You should see the log entry "Synchronized to time server 10.123.1.1:123" for the server in your configuration.

sudo timedatectl set-ntp on
sudo timedatectl status
sudo systemctl restart systemd-timesyncd.service
systemctl status systemd-timesyncd.service

  4. Set up mapped Domain Security Groups under Access Rights in ESET PROTECT On-Prem.

    1. Configure Active Directory under the Advanced Settings section in Server Settings (ESET PROTECT On-Prem).

    2. Map Domain Security Groups and assign Permission Sets.

  5. Set up a Static Group Synchronization server task in ESET PROTECT On-Prem.

  6. Set up a User Synchronization server task in ESET PROTECT On-Prem.


Multiple domain environment (MSP users)

Follow the instructions below to define Multiple domains in Kerberos:

  1. Configure Kerberos at /etc/krb5.conf:
[libdefaults]
        default_realm = DOMAIN1.LOCAL
        ticket_lifetime = 24h
        forwardable = yes

[realms]
DOMAIN1.LOCAL = {
        kdc = dc.domain1.local
}

DOMAIN2.LOCAL = {
        kdc = dc.domain2.local
}

[domain_realm]
        .domain1.local = DOMAIN1.LOCAL
        .domain2.local = DOMAIN2.LOCAL

Verify that your Virtual Appliance is able to obtain a TGT by running kinit. Do this for each domain (run kdestroy between attempts if needed); the realm after @ must be the capitalized name from [realms]:

kinit username@DOMAIN1.LOCAL

klist
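The "Verify before you proceed" rules (capitalized default_realm and realm definition, a kdc per realm, the dotted domain mapped under domain_realm) and the /etc/hosts ordering rule apply equally to the single-realm file earlier on this page and to the multi-realm file above. The following pre-flight script is an added example, not part of the ESET article: it parses a krb5.conf and a hosts file and reports which rules are violated, for one or several domains. The two sample files are constructed from the article's example environment, and the function names (parse_krb5_conf, check_krb5, check_hosts) are this example's own.

```python
"""Pre-flight check for the Kerberos and hosts-file settings described above.

Added example, not part of the ESET KB article. The sample files below are
constructed from the article's example environment; pass the contents of the
real /etc/krb5.conf and /etc/hosts to check a live server.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = true

[realms]
TEST.LOCAL = {
        kdc = dc.test.local
}

[domain_realm]
        .test.local = TEST.LOCAL
"""

SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.123.1.2      protect.test.local  protect
10.123.1.1      dc.test.local    dc
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a realm block such as
    'TEST.LOCAL = { ... }' becomes a nested dict under [realms]. Values are
    kept as lists because a key like kdc may be repeated."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (section is None and not line.startswith("[")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            realm = line[:-1].strip().rstrip("=").strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(value)
    return conf


def check_krb5(text, domains):
    """Apply the article's three rules to every AD domain listed; returns a
    list of problems (empty means the file passes)."""
    conf = parse_krb5_conf(text)
    realms = [d.upper() for d in domains]
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if default_realm not in realms:
        problems.append(f"default_realm is '{default_realm}', expected one of "
                        f"{realms} (the AD domain, capitalized)")
    for domain, realm in zip(domains, realms):
        block = conf.get("realms", {}).get(realm)
        if block is None:
            problems.append(f"[realms] has no '{realm} = {{ ... }}' definition")
        elif not block.get("kdc"):
            problems.append(f"[realms] {realm} names no kdc (Domain Controller)")
        mapped = conf.get("domain_realm", {}).get("." + domain.lower(), [""])[0]
        if mapped != realm:
            problems.append(f"[domain_realm] must map '.{domain.lower()}' to "
                            f"'{realm}', found '{mapped}'")
    return problems


def check_hosts(text, ip, fqdn):
    """net join takes the first name after the server's IP (for the SPN), so
    that name must be the FQDN, with short aliases after it."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == ip:
            names = fields[1:]
            if names and names[0] == fqdn:
                return []
            return [f"/etc/hosts entry for {ip} must list {fqdn} first, found {names}"]
    return [f"/etc/hosts has no entry for {ip}"]


if __name__ == "__main__":
    found = (check_krb5(SAMPLE_KRB5_CONF, ["test.local"])
             + check_hosts(SAMPLE_HOSTS, "10.123.1.2", "protect.test.local"))
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

For the multi-domain file, call check_krb5 with both domains, e.g. `check_krb5(text, ["domain1.local", "domain2.local"])`; the script then requires a realm block with a kdc and a domain_realm mapping for each, and default_realm to be one of them. Run it on the server with the real file contents before attempting net join or the first kinit.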

Troubleshooting

The following commands can be used to test Kerberos login and LDAP GSSAPI while showing debug information, useful for troubleshooting. The commands destroy existing Kerberos tickets for your user, obtain a Kerberos ticket for the specified AD user, list obtained Kerberos tickets, and then perform LDAP Search by authenticating with GSSAPI.

Check the system time with the relevant Domain Controller when troubleshooting Kerberos

When troubleshooting Kerberos, always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default).

  • Replace eset.protect with the AD User Account that ESET PROTECT On-Prem will connect under.
  • Replace dc.test.local with your Domain Controller.
  • Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects.

kdestroy
KRB5_TRACE=/dev/stdout kinit eset.protect
klist -f
KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -H ldap://dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'
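The klist -f step in the sequence above is where most Kerberos problems become visible before the GSSAPI bind is even attempted: the wrong realm on the default principal, no TGT at all, a TGT outside its validity window (which is what a clock skew beyond the 5-minute tolerance looks like), or flags that do not match what krb5.conf requested. The script below is an added example, not part of the ESET article: it parses klist -f output and reports those conditions, and includes the skew comparison against the default tolerance. KLIST_SAMPLE is a constructed sample in the layout MIT Kerberos klist -f prints (an assumption about the format), AS_OF is a constructed "current time" so the stand-alone run is reproducible, and the function names (parse_klist, check_tgt, clock_skew_ok) are this example's own.

```python
"""Interpret the output of the troubleshooting commands above.

Added example, not part of the ESET KB article. KLIST_SAMPLE is constructed
in the layout that MIT Kerberos 'klist -f' prints (assumed format); on a
live server feed it the real output, e.g.
subprocess.check_output(["klist", "-f"], text=True).
"""
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"     # klist's default timestamp layout
MAX_SKEW_SECONDS = 5 * 60          # default Kerberos clock tolerance

KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: eset.protect@TEST.LOCAL

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/TEST.LOCAL@TEST.LOCAL
\trenew until 01/16/2024 09:00:00, Flags: FRIA
"""

# Constructed "current time" so the stand-alone run is reproducible.
AS_OF = datetime(2024, 1, 15, 12, 0, 0)


def parse_klist(text):
    """Return (default principal, tickets); each ticket records its start,
    expiry, service principal and the flag letters shown by klist -f."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("\t") and "Flags:" in line and tickets:
            tickets[-1]["flags"] = line.split("Flags:", 1)[1].strip()
        else:
            parts = line.split()
            # a ticket row is: start date, start time, expiry date, expiry time, service
            if len(parts) == 5 and "/" in parts[4]:
                tickets.append({
                    "start": datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT),
                    "expires": datetime.strptime(f"{parts[2]} {parts[3]}", TIME_FMT),
                    "service": parts[4],
                    "flags": "",
                })
    return principal, tickets


def check_tgt(text, realm, now):
    """Conditions to look at before the ldapsearch GSSAPI bind: wrong realm,
    no TGT, a TGT outside its validity window, or a TGT that is not
    forwardable although krb5.conf asks for forwardable tickets (a config
    consistency check). Empty list means the ticket looks usable."""
    principal, tickets = parse_klist(text)
    problems = []
    if not principal or not principal.endswith("@" + realm):
        problems.append(f"default principal {principal!r} is not in realm {realm}")
    tgt = next((t for t in tickets if t["service"] == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        problems.append(f"no TGT for {realm}; run kinit first")
        return problems
    if not tgt["start"] <= now < tgt["expires"]:
        problems.append("TGT is not valid at the current time (expired, or clock skew)")
    if "F" not in tgt["flags"]:
        problems.append("TGT is not forwardable, although krb5.conf sets forwardable = true")
    return problems


def clock_skew_ok(local_epoch, kdc_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the server clock is within the KDC's tolerance (seconds)."""
    return abs(local_epoch - kdc_epoch) <= max_skew


if __name__ == "__main__":
    for problem in check_tgt(KLIST_SAMPLE, "TEST.LOCAL", AS_OF) or ["TGT OK"]:
        print(problem)
```

On a live server, pass `datetime.now()` as the current time; if check_tgt reports the TGT as not valid right after a successful kinit, compare the server clock with the Domain Controller's before looking anywhere else.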
