MPC3003 and Using Kerberos Authentication for Scan to File

#1  Stormhammer (Trusted Tech, 100+ Posts; joined Mar 2016; 150 posts)

Is this possible? Recently the org I work for turned NTLM completely off and we have a fleet of 20 of these. I see options to enter Kerberos information for user authentication in the administrative settings, but this seems only to authenticate use of options on the machine.

I appreciate any elucidation anyone can provide on this, as we will be ending our Ricoh contract if this is not possible; scanning to email is not allowed in our environment.
#2  slimslob (Retired, Site Contributor, 25,000+ Posts; joined May 2013; 36805 posts)
Re: MPC3003 and Using Kerberos Authentication for Scan to File

Do they have NTLM turned off, or just NetBIOS disabled? Scan to folder by network name uses NetBIOS to resolve the device name to an IP address.

From what I have read, Kerberos requires NTLM. Setting up Kerberos authentication is covered in the Security Guide portion of the Operating Instructions manual.


#3  rthonpm (Field Supervisor, 2,500+ Posts; joined Aug 2007; 2847 posts)
Re: MPC3003 and Using Kerberos Authentication for Scan to File

NetBIOS resolves hostnames for the old WINS protocol. As long as a DNS server internal to the network is configured in network settings, hostnames will resolve whether NetBIOS is turned on or off.

For Kerberos authentication, you will need to follow the instructions found in the user manual for configuring the realm and connecting to your KDC. In terms of disabling NTLM, have you disabled the entire protocol, or just NTLMv1 while allowing NTLMv2? You may want to involve your support company to change some of the authentication settings only available through a terminal session to the machine, as well as to ensure all firmware is up to date.


#4  Stormhammer (Trusted Tech, 100+ Posts; joined Mar 2016; 150 posts)
Re: MPC3003 and Using Kerberos Authentication for Scan to File

Originally posted by rthonpm
NetBIOS resolves hostnames for the old WINS protocol. As long as a DNS server internal to the network is configured in network settings, hostnames will resolve whether NetBIOS is turned on or off.

For Kerberos authentication, you will need to follow the instructions found in the user manual for configuring the realm and connecting to your KDC. In terms of disabling NTLM, have you disabled the entire protocol, or just NTLMv1 while allowing NTLMv2? You may want to involve your support company to change some of the authentication settings only available through a terminal session to the machine, as well as to ensure all firmware is up to date.

I am the support company, unfortunately. I hung up my tech hat for office IT a while ago. All versions of NTLM have been disabled. I am familiar with establishing a Telnet session to these MFPs, as I had to change something via this method some time ago, but I do not recall what. There is a setting for Kerberos authentication in the WIM under Device Management and then Configuration. Are we getting close here?


#5  PrintWhisperer (Trusted Tech, 250+ Posts; joined Feb 2018; 453 posts)
Re: MPC3003 and Using Kerberos Authentication for Scan to File

Originally posted by Stormhammer
Is this possible? Recently the org I work for turned NTLM completely off and we have a fleet of 20 of these. I see options to enter Kerberos information for user authentication in the administrative settings, but this seems only to authenticate use of options on the machine.

I appreciate any elucidation anyone can provide on this, as we will be ending our Ricoh contract if this is not possible; scanning to email is not allowed in our environment.

Helpful to know the OS you're dealing with, but let's clear up some misunderstanding about what you are after.

Typically (as you have found) an MFP's settings referring to NTLM vs Kerberos are seen in the Login feature (basically AD auth to use the device) and do not refer to Scan to File. There are embedded apps that will, but the basic protocol stack is usually equivalent to OpenSSL.

Scan to File can (usually) be FTP or SMB, but in each case the authentication method is built into the protocol based on its supported versions.

As Slimslob pointed out, the NTLMSSP challenge is built into SMB2 as the NTLM [MS-NLMP] auth method and is what we typically see used, and the server communicates with the Authentication Authority.

For Microsoft at least, SMB2 clients wishing to connect using Kerberos must support the [MS-KILE] extensions and communicate with the Authentication Authority (DC) directly.

From what I read around here, Ricoh support for SMB2 is pretty sketchy, but if you make any progress I would love to see a Wireshark capture of a Kerberos SMB2 exchange.

"Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin

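PrintWhisperer's point is that the NTLM-versus-Kerberos decision for Scan to File is made inside the SMB2 SESSION_SETUP exchange, not in the device's Login settings. The following is an added example, not code from this thread, from Ricoh or from Microsoft: it decodes the SPNEGO mechType list carried in a SESSION_SETUP security blob, so a capture from one of the MFPs shows whether the device offers Kerberos at all or only NTLMSSP. The two sample blobs are constructed by the block's own builder rather than taken from real traffic; the OIDs are the standard ones (SPNEGO from RFC 4178, Kerberos 5 from RFC 4121, the MS KRB5, NTLMSSP and NEGOEX OIDs from [MS-SPNG]).

```python
"""Added example: list the SPNEGO mechanisms an SMB2 SESSION_SETUP security
blob offers, to tell an NTLMSSP-only client from one that can do Kerberos."""

SPNEGO_OID = "1.3.6.1.5.5.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # RFC 4121 and legacy MS
MECH_NAMES = {NTLMSSP_OID: "NTLMSSP", "1.2.840.113554.1.2.2": "Kerberos 5",
              "1.2.840.48018.1.2.2": "MS KRB5", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _encode_len(len(payload)) + payload

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(payload):
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Return (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_negtokeninit(mech_oids):
    """GSS-API InitialContextToken around a NegTokenInit carrying only mechTypes."""
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    return _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list))))

def spnego_mech_types(blob):
    """Mechanism OIDs the client offers, in preference order."""
    if blob.startswith(b"NTLMSSP\x00"):       # raw NTLMSSP without any SPNEGO wrapper
        return [NTLMSSP_OID]
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)         # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit (a server NegTokenResp is [1])")
    tag, mechs, _ = _read_tlv(_read_tlv(neg, 0)[1], 0)   # SEQUENCE -> [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    lst, oids, pos = _read_tlv(mechs, 0)[1], [], 0       # SEQUENCE OF OID
    while pos < len(lst):
        _, oid, pos = _read_tlv(lst, pos)
        oids.append(decode_oid(oid))
    return oids

def assess_no_ntlm_policy(blob):
    """What happens to this client once the file server refuses NTLM."""
    mechs = spnego_mech_types(blob)
    offers_krb = any(m in KRB5_OIDS for m in mechs)
    if offers_krb:
        verdict = "Kerberos offered: can succeed with NTLM disabled"
    elif NTLMSSP_OID in mechs:
        verdict = "NTLMSSP only: SESSION_SETUP fails once the server refuses NTLM"
    else:
        verdict = "no Kerberos or NTLMSSP mechanism recognised"
    return {"mechs": [MECH_NAMES.get(m, m) for m in mechs], "kerberos": offers_krb,
            "verdict": verdict}

# Constructed sample blobs, not captured traffic: the NTLMSSP-only offer an NTLM-era
# MFP sends, and the Kerberos-first offer of a domain-joined Windows client. To check
# a real request, paste Wireshark's hex stream of the security blob into bytes.fromhex().
MFP_BLOB = build_negtokeninit([NTLMSSP_OID])
WINDOWS_BLOB = build_negtokeninit(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                                   "1.3.6.1.4.1.311.2.2.30", NTLMSSP_OID])
```

In Wireshark, select the SMB2 Session Setup Request from the MFP, expand its Security Blob and copy it as a hex stream into `bytes.fromhex()`. If the list contains only NTLMSSP, the Kerberos settings under the Login feature are doing nothing for SMB and the file server's NTLM block will reject the session; a Kerberos-capable client lists a Kerberos OID first and, per [MS-KILE], has to fetch a `cifs/<server FQDN>` service ticket from the KDC before sending it, which is also why the share must be addressed by DNS hostname rather than IP.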

#6  rthonpm (Field Supervisor, 2,500+ Posts; joined Aug 2007; 2847 posts)
Re: MPC3003 and Using Kerberos Authentication for Scan to File

You found the correct settings for enabling Kerberos. You need to make sure that the time on the MFP is identical to the network time. Generally using a domain controller as your NTP source will do that for you. From there, configure your realm, entering it in all capital letters; your domain controller, using the hostname; and finally the domain name.

Do you have a default sender set for the scan function? Best practise is going to be using a service account (not a newer style managed service account).

Is the firmware level up to date where it gives you the option to enable SMB3? Having the latest firmware on the device would be a good first step.
