MP C3502 scan to folder using Kerberos authentication

  • it_guy
    Junior Member
    • Aug 2021
    • 6

    MP C3502 scan to folder using Kerberos authentication

    I am trying to get rid of NTLM authentication in the domain. I have been getting closer every day. Now I am on to scanners. The Brother ADS-2400N scanners have Kerberos authentication and were very easy to convert. I am now down to the Ricoh copiers that scan to folder. I logged into the copier website and went to Configuration, Device Settings, Kerberos Authentication and added my realm name, KDC server name, and domain name. I enabled the correct encryption algorithms. The address book entries for the server locations have the username and password in them as the different destinations have different usernames and passwords but are a part of the same domain. Is this all I need to do? Is there a way to see if the copier is using NTLM or Kerberos?
  • slimslob
    Retired
    Site Contributor
    25,000+ Posts
    • May 2013
    • 34781

    #2
    Re: MP C3502 scan to folder using Kerberos authentication

    To use Kerberos there may be settings in SP and User Tools that must be set from the control panel, not WIM. It should be covered in the Security manual.


    • rthonpm
      Field Supervisor
      2,500+ Posts
      • Aug 2007
      • 2831

      #3
      Re: MP C3502 scan to folder using Kerberos authentication

      Originally posted by it_guy
      I am trying to get rid of NTLM authentication in the domain. I have been getting closer every day. Now I am on to scanners. The Brother ADS-2400N scanners have Kerberos authentication and were very easy to convert. I am now down to the Ricoh copiers that scan to folder. I logged into the copier website and went to Configuration, Device Settings, Kerberos Authentication and added my realm name, KDC server name, and domain name. I enabled the correct encryption algorithms. The address book entries for the server locations have the username and password in them as the different destinations have different usernames and passwords but are a part of the same domain. Is this all I need to do? Is there a way to see if the copier is using NTLM or Kerberos?
      You can setup NTLM auditing on the server, which will tell you whenever there's a connection to the system using it: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7 - Microsoft Tech Community

      One other logistical question: for your different folders, if you're using user credentials to scan to them, you may want to consider using a service account just for your copiers and MFP's to authenticate to your servers. It ensures that users aren't locking out their accounts from old passwords, and also allows you to see what traffic is coming directly from your embedded systems.

      Overall, if you've set the KDC and the correct realm, the machine should be able to get a ticket from the domain controller and authenticate with Kerberos.

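The server-side check rthonpm describes, as an added example that is not part of the thread or of any Ricoh or Microsoft documentation: a PowerShell script, run elevated on the Windows file server the copiers scan to, that switches on NTLM auditing (the registry values behind the "Restrict NTLM" policies) and then reads the server's own Security log to show, per source host and account, whether network logons arrived with Kerberos or NTLM. Registry paths, value meanings and event fields are standard Windows; the time window, the claim that an audit log is "clean", and any host or account names are the example's assumptions.

```powershell
# Added example (not from the thread): enable NTLM auditing on the file
# server the copiers scan to, then answer "NTLM or Kerberos?" per client
# from the server's Security log. Run in an elevated PowerShell on the
# file server. Every value and name here is an assumption, not from the thread.

# --- 1. Audit incoming NTLM without blocking it --------------------------
# These are the registry values behind the "Network security: Restrict
# NTLM" policies. AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts,
# 2 = all accounts. RestrictReceivingNTLMTraffic: 0 = allow all (keep this
# until the audit log is clean), 1 = deny domain accounts, 2 = deny all.
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic    -Type DWord -Value 2
Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Type DWord -Value 0
# (On domain controllers the domain-wide equivalent is AuditNTLMInDomain
# under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; not set here.)

# Audit hits are written to the Microsoft-Windows-NTLM/Operational channel.
$chan = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational'
if (-not $chan.IsEnabled) { $chan.IsEnabled = $true; $chan.SaveChanges() }

# --- 2. Which source used which authentication package? -----------------
# Every network logon (event 4624, LogonType 3) carries the package name,
# "Kerberos" or "NTLM", so grouping by source host and account shows what
# each copier actually does, independent of what its web UI claims.
function Get-NetworkLogonPackages {
    param([int]$Hours = 24)
    $windowMs = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='LogonType']='3']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Embedded devices often send no workstation name; fall back to the IP.
            $src = $data['WorkstationName']
            if (-not $src -or $src -eq '-') { $src = $data['IpAddress'] }
            [pscustomobject]@{
                Source  = $src
                Account = $data['TargetUserName']
                Package = $data['AuthenticationPackageName']
            }
        } |
        Group-Object Source, Account, Package |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].Source
                Account = $_.Group[0].Account
                Package = $_.Group[0].Package
                Logons  = $_.Count
            }
        } | Sort-Object Package, Logons -Descending
}

# Rows with Package = NTLM for a copier's account are the ones still to fix.
Get-NetworkLogonPackages -Hours 24 | Format-Table -AutoSize
```

Leaving RestrictReceivingNTLMTraffic at 0 is deliberate: audit first, and only raise it once the table shows no NTLM rows you did not expect. A copier whose account appears with Package = Kerberos will also show 4768/4769 ticket events for that account on the domain controller.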

      • it_guy
        Junior Member
        • Aug 2021
        • 6

        #4
        Re: MP C3502 scan to folder using Kerberos authentication

        Originally posted by rthonpm
        You can setup NTLM auditing on the server, which will tell you whenever there's a connection to the system using it: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7 - Microsoft Tech Community

        One other logistical question: for your different folders, if you're using user credentials to scan to them, you may want to consider using a service account just for your copiers and MFP's to authenticate to your servers. It ensures that users aren't locking out their accounts from old passwords, and also allows you to see what traffic is coming directly from your embedded systems.

        Overall, if you've set the KDC and the correct realm, the machine should be able to get a ticket from the domain controller and authenticate with Kerberos.
        Thank you for the link. I have enabled NTLM auditing and found a few more things to fix. The Ricoh copier that I tested from showed up in the NTLM Operational list. Per the company's security manual, each copier gets its own user account to authenticate to the domain. The users do NOT enter their credentials into the copier at all. Everything is preprogrammed into the Address Book for Scan to Folder, including the usernames and passwords for each destination.

        I have tried uppercase and lowercase realm names. I even tried to set up LDAP Server but I can't get that to work at all. It always says Error Failed to Connect. I just tried setting up LDAP for fun as I don't think it is required just for Kerberos Authentication to a server. Am I wrong?


        • slimslob
          Retired
          Site Contributor
          25,000+ Posts
          • May 2013
          • 34781

          #5
          Re: MP C3502 scan to folder using Kerberos authentication

          Originally posted by it_guy
          Thank you for the link. I have enabled NTLM auditing and found a few more things to fix. The Ricoh copier that I tested from showed up in the NTLM Operational list. Per the company's security manual, each copier gets its own user account to authenticate to the domain. The users do NOT enter their credentials into the copier at all. Everything is preprogrammed into the Address Book for Scan to Folder, including the usernames and passwords for each destination.

          I have tried uppercase and lowercase realm names. I even tried to set up LDAP Server but I can't get that to work at all. It always says Error Failed to Connect. I just tried setting up LDAP for fun as I don't think it is required just for Kerberos Authentication to a server. Am I wrong?
          Have you tried actually looking at the Ricoh manuals? I doubt it since you keep mentioning domain which would be for Windows server authentication but the Ricoh documentation clearly talks about Kerberos Realm. Go to Support and Downloads and in the Search for downloads box type in MP C3502 hit Enter and select the Manuals. Once in the manual itself search for Kerberos.


          • rthonpm
            Field Supervisor
            2,500+ Posts
            • Aug 2007
            • 2831

            #6
            Re: MP C3502 scan to folder using Kerberos authentication

            LDAP shouldn't be necessary. If it's failing to connect, are you trying LDAP or LDAPS? For the latter, you may need to add a site certificate to allow the machine to connect over TLS.

            Is all of the firmware up to date for the machine as well?

            Sent from my BlackBerry using Tapatalk


            • rthonpm
              Field Supervisor
              2,500+ Posts
              • Aug 2007
              • 2831

              #7
              Re: MP C3502 scan to folder using Kerberos authentication

              Originally posted by slimslob
              Have you tried actually looking at the Ricoh manuals? I doubt it since you keep mentioning domain which would be for Windows server authentication but the Ricoh documentation clearly talks about Kerberos Realm. Go to Support and Downloads and in the Search for downloads box type in MP C3502 hit Enter and select the Manuals. Once in the manual itself search for Kerberos.
              Active Directory is really just a mix of Kerberos on top of LDAP with a few other tricks added in. In any AD environment, domain controllers issue Kerberos tickets to objects for authentication. It's one of the reasons time has to be accurate within Active Directory: Kerberos is a partially time based protocol.

              Sent from my BlackBerry using Tapatalk

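The prerequisites rthonpm lists (a reachable KDC, the right realm, accurate time) can be checked from the server side before touching the copier again. The following is an added example, not code from the thread or from Ricoh: a PowerShell script that takes one scan-to-folder address book entry (UNC path, account, KDC) and reports the common reasons a Kerberos logon from an embedded client cannot succeed and silently falls back to NTLM: clock skew beyond the default 5 minute tolerance, a destination given as an IP address (no SPN can be issued for it), a missing HOST/ or cifs/ SPN for the file server, a disabled, locked or expired account, and the encryption types the KDC will issue for that account, which must overlap with the algorithms enabled on the device. It needs the RSAT ActiveDirectory module; all host, share and account names are placeholders, not from the thread.

```powershell
# Added example (not from the thread): server-side checks for the usual
# reasons a Kerberos logon from an embedded client fails and the client
# falls back to NTLM. Needs the RSAT ActiveDirectory module; run as a
# domain user on a domain-joined workstation. Every name used here is a
# placeholder (assumption, not from the thread).
Import-Module ActiveDirectory

function Get-ClockSkewSeconds {
    param([Parameter(Mandatory)][string]$Kdc)
    # w32tm prints one "hh:mm:ss, +00.0123456s" line per sample; the
    # offset is the local clock minus the KDC clock. Kerberos rejects
    # tickets outside the domain's tolerance (5 minutes by default).
    $line = w32tm /stripchart /computer:$Kdc /samples:1 /dataonly | Select-Object -Last 1
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { return [double]$Matches[1] }
    throw "Could not read clock offset from w32tm output: $line"
}

function ConvertFrom-EncryptionTypes {
    param([int]$Value)
    # Bit values of msDS-SupportedEncryptionTypes. 0 or unset means the
    # KDC treats the account as RC4-only.
    $names = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    if ($Value -eq 0) { return @('RC4-HMAC (default)') }
    $names.Keys | Sort-Object | Where-Object { $Value -band $_ } | ForEach-Object { $names[$_] }
}

function Test-ScanDestinationKerberos {
    param(
        [Parameter(Mandatory)][string]$UncPath,   # as entered in the address book
        [Parameter(Mandatory)][string]$Account,   # account stored with that entry
        [Parameter(Mandatory)][string]$Kdc
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $skew = Get-ClockSkewSeconds -Kdc $Kdc
    if ([math]::Abs($skew) -gt 300) { $findings.Add("Clock skew to $Kdc is ${skew}s (limit 300s).") }

    # The client asks the KDC for a ticket to cifs/<host as typed>. An IP
    # literal has no SPN, so such a destination can only be reached with
    # NTLM regardless of the Kerberos settings on the device.
    $server = (($UncPath -replace '^\\\\', '') -split '\\')[0]
    if ($server -match '^\d{1,3}(\.\d{1,3}){3}$') {
        $findings.Add("Destination '$server' is an IP address: no SPN exists, NTLM fallback is certain.")
        return $findings
    }
    if ($server -notmatch '\.') {
        $findings.Add("Short name '$server': depends on the device's DNS suffix; prefer the FQDN.")
    }
    try { $fqdn = [System.Net.Dns]::GetHostEntry($server).HostName }
    catch { $findings.Add("DNS lookup for '$server' failed."); return $findings }

    # HOST/<fqdn> covers cifs/ via the domain's sPNMappings; accept either.
    $comp = Get-ADComputer -Filter "DNSHostName -eq '$fqdn'" -Properties ServicePrincipalNames
    if (-not $comp) {
        $findings.Add("No computer object with DNSHostName '$fqdn'.")
    } elseif (-not ($comp.ServicePrincipalNames -match "^(HOST|cifs)/$([regex]::Escape($fqdn))$")) {
        $findings.Add("No HOST/ or cifs/ SPN for '$fqdn' on $($comp.Name).")
    }

    # Account state and encryption types. The algorithms enabled on the
    # device must overlap with what the KDC will issue for this account.
    $u = Get-ADUser -Identity $Account -Properties 'msDS-SupportedEncryptionTypes','Enabled','LockedOut','PasswordExpired'
    if (-not $u.Enabled)    { $findings.Add("Account '$Account' is disabled.") }
    if ($u.LockedOut)       { $findings.Add("Account '$Account' is locked out.") }
    if ($u.PasswordExpired) { $findings.Add("Account '$Account' has an expired password.") }
    $etypes = ConvertFrom-EncryptionTypes -Value ([int]$u.'msDS-SupportedEncryptionTypes')
    $findings.Add("Account '$Account' can be issued: $($etypes -join ', ') (match this on the device).")

    return $findings
}

# Usage with placeholder names. Output containing only the encryption-type
# line means nothing on the server side stops Kerberos for this destination.
Test-ScanDestinationKerberos -UncPath '\\files01.corp.example\scans' -Account 'svc-copier-01' -Kdc 'dc01.corp.example'
```

Run it once per address book entry: a device with a correct realm and KDC can still end up on NTLM if the entry names the server by IP or if the only encryption type the device has enabled is one the account cannot be issued.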

              • slimslob
                Retired
                Site Contributor
                25,000+ Posts
                • May 2013
                • 34781

                #8
                Re: MP C3502 scan to folder using Kerberos authentication

                Originally posted by rthonpm
                Active Directory is really just a mix of Kerberos on top of LDAP with a few other tricks added in. In any AD environment, domain controllers issue Kerberos tickets to objects for authentication. It's one of the reasons time has to be accurate within Active Directory: Kerberos is a partially time based protocol.

                Sent from my BlackBerry using Tapatalk
                I still believe that he needs to be following the instructions put out by Ricoh for using Kerberos authentication. In order to make it work, there are specific settings that have to be made in SP and User Tools.


                • it_guy
                  Junior Member
                  • Aug 2021
                  • 6

                  #9
                  Re: MP C3502 scan to folder using Kerberos authentication

                  I have MP C3502, MP C3503, MP C3504, IMC 2500, and IMC 3500 units that I am trying to switch to Kerberos. I have the MP C3502/D111/D142 Service Manual which is 1,938 pages long. Kerberos is not mentioned anywhere in that manual. I have the MP C3503/D147 service manual, 2,358 pages. Kerberos is mentioned in the Appendix as a supported protocol. I have the MP C3504/D239 Field Service Manual. "Kerberos is a trademark" is found twice and Kerberos is a supported protocol. I don't have the manuals for the IMC 2500 or 3500. I downloaded the D1437011A_en.zip for the MP C3502 manuals. I launch the index.html and search for Kerberos. The first 2 results are for the LDAP server which I don't need. The third is Administrator Tools, which only points to Programming the Realm. Number 4 is a list of Setting Items, which is where I set the realm name, domain name, and KDC server name. Finally, the last option is directions on how to program the realm. What other manuals should I be looking at?

                  The MP C3503 is the closest to me. Here is the firmware BEFORE I updated:
                  Module Name        Version     Part Number
                  System/Copy        2.21        D1425610E
                  Network Support    12.02       D1425563V
                  Font EXP           1.04        D1295770B
                  PCL Font           1.06        D1315586A
                  animation          2.00        D1425568B
                  Fax                07.00.00    D1425569J
                  RemoteFax          04.00.00    D1425564F
                  Printer            1.12        D1425572L
                  RPCS               3.12.24     D1425574C
                  PCL                1.13        D1445580K
                  Scanner            01.13       D1425570G
                  NetworkDocBox      3.01        D1425567G
                  Web Support        1.20        D1425565P
                  Web Uapl           1.05        D1425566F
                  PDF                1.07        D1445559H
                  Java VM v10 std    10.10.01    D1445594K
                  PS3 Font           1.12        D6205681
                  Data Erase Onb     1.01x       D3775934
                  GWFCU3.5-4(WW)     11.00.00    D6435570P
                  PowerSaving Sys    F.11        D1425560D
                  Engine             1.11:04     D1425116N
                  OpePanel           1.07        D1421491F
                  LANG0              1.05        D1421499B
                  LANG1              1.05        D1421499B
                  ADF                01.000:01   D5785300B
                  Last edited by it_guy; 08-25-2021, 04:29 PM. Reason: updates


                  • it_guy
                    Junior Member
                    • Aug 2021
                    • 6

                    #10
                    Re: MP C3502 scan to folder using Kerberos authentication

                    Here is the firmware AFTER the updates:
                    Module Name        Version     Part Number
                    System/Copy        1.39        D1475575S
                    Network Support    12.88.1     D1475569A
                    Fax                12.00.00    D1475557T
                    RemoteFax          05.00.00    D1475558J
                    Scanner            01.19       D1475560X
                    Web Support        1.16        D1475561V
                    Web Uapl           1.02        D1475562K
                    animation          7.00        D1495564D
                    NetworkDocBox      1.09        D1475568M
                    Printer            1.21        D1655704
                    RPCS               3.13.29     D1655703J
                    Font EXP           1.00        D1475581
                    PCL                1.25        D1655706T
                    PCL Font           1.13        D6415758A
                    PDF                1.09        D1655733J
                    PS3 Font           1.11        D6415763A
                    Java VM v11 std    11.28.03    D1475579R
                    Data Erase Onb     1.03m       D3775913
                    GWFCU3.8-2(WW)     12.00.00    D1495559N
                    PowerSaving Sys    F.20        D1475554E
                    Engine             1.43:08     D1475504G
                    OpePanel           1.14        D1471490N
                    LANG0              1.14        D1471490N
                    LANG1              1.14        D1471490N
                    ADF                01.290:03   D7795300H
                    Finisher           01.240:04   D6865301N
                    The scanner is still using NTLM. Although it looks like System/Copy downgraded?


                    • rthonpm
                      Field Supervisor
                      2,500+ Posts
                      • Aug 2007
                      • 2831

                      #11
                      Re: MP C3502 scan to folder using Kerberos authentication

                      Originally posted by it_guy
                      Here is the firmware AFTER the updates:
                      Module Name        Version     Part Number
                      System/Copy        1.39        D1475575S
                      Network Support    12.88.1     D1475569A
                      Fax                12.00.00    D1475557T
                      RemoteFax          05.00.00    D1475558J
                      Scanner            01.19       D1475560X
                      Web Support        1.16        D1475561V
                      Web Uapl           1.02        D1475562K
                      animation          7.00        D1495564D
                      NetworkDocBox      1.09        D1475568M
                      Printer            1.21        D1655704
                      RPCS               3.13.29     D1655703J
                      Font EXP           1.00        D1475581
                      PCL                1.25        D1655706T
                      PCL Font           1.13        D6415758A
                      PDF                1.09        D1655733J
                      PS3 Font           1.11        D6415763A
                      Java VM v11 std    11.28.03    D1475579R
                      Data Erase Onb     1.03m       D3775913
                      GWFCU3.8-2(WW)     12.00.00    D1495559N
                      PowerSaving Sys    F.20        D1475554E
                      Engine             1.43:08     D1475504G
                      OpePanel           1.14        D1471490N
                      LANG0              1.14        D1471490N
                      LANG1              1.14        D1471490N
                      ADF                01.290:03   D7795300H
                      Finisher           01.240:04   D6865301N
                      The scanner is still using NTLM. Although it looks like System/Copy downgraded?
                      This is a different machine than you originally posted versions for. The build numbers of the firmware are completely different.


                      • slimslob
                        Retired
                        Site Contributor
                        25,000+ Posts
                        • May 2013
                        • 34781

                        #12
                        Re: MP C3502 scan to folder using Kerberos authentication

                        Originally posted by rthonpm
                        This is a different machine than you originally posted versions for. The build numbers of the firmware are completely different.
                        I agree. The D147 is the MP C3503.


                        • it_guy
                          Junior Member
                          • Aug 2021
                          • 6

                          #13
                          Re: MP C3502 scan to folder using Kerberos authentication

                          I have MP C3502, MP C3503, MP C3504, IMC 2500, and IMC 3500 units that I am trying to switch to Kerberos. The MP C3503 is the one closest to me for testing right now.


                          • slimslob
                            Retired
                            Site Contributor
                            25,000+ Posts
                            • May 2013
                            • 34781

                            #14
                            Re: MP C3502 scan to folder using Kerberos authentication

                            Attached is a link to the Operator Manual for the C3502. The Operating Instructions - Security Guide covers setting up authentication. It should give you all the information you need to set up Kerberos.

                            OM-rfg051245.pdf - Google Drive


                            • it_guy
                              Junior Member
                              • Aug 2021
                              • 6

                              #15
                              Re: MP C3502 scan to folder using Kerberos authentication

                              Thank you for the document. It confirms that the realm name MUST be in capital letters, page 722, which it is.

                              I think we are getting the issue confused. I want to enable Kerberos authentication ONLY for scanning to folders. I don't need or want the users to login to the copier. I just need to authenticate to the server to save the file to correct destination via the Address Book. I tried enabling logging: Device Management, Configuration, Logs, and set Collect Job Logs to active with only the Scanning: options set to Collect. Everything else was set to Do not Collect. The logs don't tell me anything useful about WHY Kerberos is not being used. The access logs don't look like anything useful for this problem.
