MP C3502 scan to folder using Kerberos authentication
-
Re: MP C3502 scan to folder using Kerberos authentication
I am trying to get rid of NTLM authentication in the domain. I have been getting closer every day. Now I am on to scanners. The Brother ADS-2400N scanners have Kerberos authentication and were very easy to convert. I am now down to the Ricoh copiers that scan to folder. I logged into the copier website and went to Configuration, Device Settings, Kerberos Authentication and added my realm name, KDC server name, and domain name. I enabled the correct encryption algorithms. The address book entries for the server locations have the username and password in them, as the different destinations have different usernames and passwords but are a part of the same domain. Is this all I need to do? Is there a way to see if the copier is using NTLM or Kerberos?
-
Re: MP C3502 scan to folder using Kerberos authentication
You can set up NTLM auditing on the server, which will tell you whenever there's a connection to the system using it: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7 - Microsoft Tech Community
One other logistical question: for your different folders, if you're using user credentials to scan to them, you may want to consider using a service account just for your copiers and MFPs to authenticate to your servers. It ensures that users aren't locking out their accounts from old passwords, and also allows you to see what traffic is coming directly from your embedded systems.
Overall, if you've set the KDC and the correct realm, the machine should be able to get a ticket from the domain controller and authenticate with Kerberos.
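The reply above suggests NTLM auditing on the file server as the way to tell which protocol the copier actually used. The PowerShell below is an added example, not code from this thread or from Ricoh or Microsoft documentation; it assumes it runs elevated on the Windows file server that receives the scan-to-folder traffic, and that the copiers' address-book accounts follow a naming pattern (`svc-copier-*` is a constructed placeholder to replace with your own). It turns on incoming-NTLM auditing, then reads successful logon events (4624) and groups them by account and authentication package, so each copier account shows up as either `Kerberos` or `NTLM` together with the source address that used it.

```powershell
# Added example (not from the thread). Assumes: run as administrator on the
# file server the copiers scan to; $AccountPattern is a constructed placeholder
# for the dedicated per-copier accounts programmed into the Address Book.
$AccountPattern = 'svc-copier-*'
$Since          = (Get-Date).AddHours(-24)

# 1. Enable "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
#    (2 = audit all accounts). Incoming NTLM then appears in the
#    Microsoft-Windows-NTLM/Operational log as well as in the Security log.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# 2. Pull successful logons and extract the fields that identify the caller
#    and the package that authenticated it from the event XML.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d.TargetUserName -like $AccountPattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d.TargetUserName
            Package = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            LmPkg   = $d.LmPackageName              # e.g. 'NTLM V2' when NTLM
            Source  = $d.IpAddress                  # copier's address
            Logon   = $d.LogonType                  # 3 = network (SMB share)
        }
    }
}

# 3. One line per copier account and package. Any 'NTLM' line means that
#    device did not present a Kerberos ticket for this server.
$rows | Group-Object Account, Package |
    Select-Object @{n='Account/Package'; e={$_.Name}}, Count,
                  @{n='Sources'; e={($_.Group.Source | Sort-Object -Unique) -join ', '}} |
    Sort-Object 'Account/Package' | Format-Table -AutoSize

# 4. Kerberos tolerates only a few minutes of clock skew by default, so a
#    server that has drifted from the domain time source will also force
#    fallbacks; show the local time service status as a sanity check.
w32tm /query /status
```

Run a test scan from one copier, then re-run steps 2 and 3 and look for that account's row. If the row says `NTLM`, two things worth checking before digging into the copier firmware: the Address Book destination must reference the file server by its DNS hostname rather than an IP address (a client cannot build a Kerberos service ticket for a bare IP, so it falls back to NTLM), and the account's logon must be for a host whose SPN the KDC can resolve in the copier's configured realm.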
-
Re: MP C3502 scan to folder using Kerberos authentication
Thank you for the link. I have enabled NTLM auditing and found a few more things to fix. The Ricoh copier that I tested from showed up in the NTLM Operational list. Per the company's security manual, each copier gets its own user account to authenticate to the domain. The users do NOT enter their credentials into the copier at all. Everything is preprogrammed into the Address Book for Scan to Folder, including the usernames and passwords for each destination.
I have tried uppercase and lowercase realm names. I even tried to set up an LDAP Server but I can't get that to work at all. It always says Error Failed to Connect. I just tried setting up LDAP for fun, as I don't think it is required just for Kerberos Authentication to a server. Am I wrong?
-
Re: MP C3502 scan to folder using Kerberos authentication
LDAP shouldn't be necessary. If it's failing to connect, are you trying LDAP or LDAPS? For the latter, you may need to add a site certificate to allow the machine to connect over TLS.
Is all of the firmware up to date for the machine as well?
Sent from my BlackBerry using Tapatalk
-
Re: MP C3502 scan to folder using Kerberos authentication
Have you tried actually looking at the Ricoh manuals? I doubt it, since you keep mentioning domain, which would be for Windows server authentication, but the Ricoh documentation clearly talks about Kerberos Realm. Go to Support and Downloads and in the Search for downloads box type in MP C3502, hit Enter and select the Manuals. Once in the manual itself, search for Kerberos.
Sent from my BlackBerry using Tapatalk
-
Re: MP C3502 scan to folder using Kerberos authentication
Active Directory is really just a mix of Kerberos on top of LDAP with a few other tricks added in. In any AD environment, domain controllers issue Kerberos tickets to objects for authentication. It's one of the reasons time has to be accurate within Active Directory: Kerberos is a partially time based protocol.
Sent from my BlackBerry using Tapatalk
-
Re: MP C3502 scan to folder using Kerberos authentication
I have MP C3502, MP C3503, MP C3504, IMC 2500, and IMC 3500 units that I am trying to switch to Kerberos. I have the MP C3502/D111/D142 Service Manual, which is 1,938 pages long. Kerberos is not mentioned anywhere in that manual. I have the MP C3503/D147 service manual, 2,358 pages. Kerberos is mentioned in the Appendix as a supported protocol. I have the MP C3504/D239 Field Service Manual. "Kerberos is a trademark" is found twice, and Kerberos is a supported protocol. I don't have the manuals for the IMC 2500 or 3500. I downloaded the D1437011A_en.zip for the MP C3502 manuals. I launch the index.html and search for Kerberos. The first 2 results are for the LDAP server, which I don't need. The third is Administrator Tools, which only points to Programming the Realm. Number 4 is a list of Setting Items, which is where I set the realm name, domain name, and KDC server name. Finally, the last option is directions on how to program the realm. What other manuals should I be looking at?
The MP C3503 is the closest to me. Here is the firmware BEFORE I updated:
Module Name        Version    Part Number
System/Copy        2.21       D1425610E
Network Support    12.02      D1425563V
Font EXP           1.04       D1295770B
PCL Font           1.06       D1315586A
animation          2.00       D1425568B
Fax                07.00.00   D1425569J
RemoteFax          04.00.00   D1425564F
Printer            1.12       D1425572L
RPCS               3.12.24    D1425574C
PCL                1.13       D1445580K
Scanner            01.13      D1425570G
NetworkDocBox      3.01       D1425567G
Web Support        1.20       D1425565P
Web Uapl           1.05       D1425566F
PDF                1.07       D1445559H
Java VM v10 std    10.10.01   D1445594K
PS3 Font           1.12       D6205681
Data Erase Onb     1.01x      D3775934
GWFCU3.5-4(WW)     11.00.00   D6435570P
PowerSaving Sys    F.11       D1425560D
Engine             1.11:04    D1425116N
OpePanel           1.07       D1421491F
LANG0              1.05       D1421499B
LANG1              1.05       D1421499B
ADF                01.000:01  D5785300B
-
Re: MP C3502 scan to folder using Kerberos authentication
Here is the firmware AFTER the updates:
The scanner is still using NTLM. Although it looks like System/Copy downgraded?
Module Name        Version    Part Number
System/Copy        1.39       D1475575S
Network Support    12.88.1    D1475569A
Fax                12.00.00   D1475557T
RemoteFax          05.00.00   D1475558J
Scanner            01.19      D1475560X
Web Support        1.16       D1475561V
Web Uapl           1.02       D1475562K
animation          7.00       D1495564D
NetworkDocBox      1.09       D1475568M
Printer            1.21       D1655704
RPCS               3.13.29    D1655703J
Font EXP           1.00       D1475581
PCL                1.25       D1655706T
PCL Font           1.13       D6415758A
PDF                1.09       D1655733J
PS3 Font           1.11       D6415763A
Java VM v11 std    11.28.03   D1475579R
Data Erase Onb     1.03m      D3775913
GWFCU3.8-2(WW)     12.00.00   D1495559N
PowerSaving Sys    F.20       D1475554E
Engine             1.43:08    D1475504G
OpePanel           1.14       D1471490N
LANG0              1.14       D1471490N
LANG1              1.14       D1471490N
ADF                01.290:03  D7795300H
Finisher           01.240:04  D6865301N
-
Re: MP C3502 scan to folder using Kerberos authentication
Attached is a link to the Operator Manual for the C3502. The Operating Instructions - Security Guide covers setting up authentication. It should give you all the information you need to set up Kerberos.
OM-rfg051245.pdf - Google Drive
-
Re: MP C3502 scan to folder using Kerberos authentication
Thank you for the document. It confirms that the realm name MUST be in capital letters, page 722, which it is.
I think we are getting the issue confused. I want to enable Kerberos authentication ONLY for scanning to folders. I don't need or want the users to log in to the copier. I just need to authenticate to the server to save the file to the correct destination via the Address Book. I tried enabling logging: Device Management, Configuration, Logs, and set Collect Job Logs to active with only the Scanning: options set to Collect. Everything else was set to Do not Collect. The logs don't tell me anything useful about WHY Kerberos is not being used. The access logs don't look like anything useful for this problem.