#1 Stormhammer (Senior Tech, 100+ Posts)

    MPC3003 and Using Kerberos Authentication for Scan to File

    Is this possible? Recently the org I work for turned NTLM completely off and we have a fleet of 20 of these. I see options to enter Kerberos information in for user authentication in the administrative settings but this seems to only authenticate for using options on the machine.

    I appreciate any elucidation anyone can provide on this as we will be ending our Ricoh contract if this is not possible as scanning to email is not allowed for our environment.

#2 slimslob (Retired, 10,000+ Posts), Bakersfield, CA

    Re: MPC3003 and Using Kerberos Authentication for Scan to File

    Do they have NTLM turned off, or just NetBIOS disabled? Scan to folder by network name uses NetBIOS to resolve the device name to an IP address.

    From what I have read, Kerberos requires NTLM. Setting up Kerberos Authentication is covered in the Security Guide portion of the Operating Instruction manual.

#3 rthonpm (Service Manager, 2,500+ Posts), Pennsyltucky

    Re: MPC3003 and Using Kerberos Authentication for Scan to File

    NetBIOS resolves hostnames for the old WINS protocol. As long as a DNS server internal to the network is configured in network settings, hostnames will resolve whether NetBIOS is turned on or off.

    For Kerberos authentication, you will need to follow the instructions found in the user manual for configuring the realm and connecting to your KDC. In terms of disabling NTLM, have you disabled the entire protocol, or just NTLMv1 while still allowing NTLMv2? You may want to involve your support company to change some of the authentication settings only available through a terminal session to the machine, as well as to ensure all firmware is up to date.

    Sent from my BlackBerry using Tapatalk

#4 Stormhammer (Senior Tech, 100+ Posts)

    Re: MPC3003 and Using Kerberos Authentication for Scan to File

    Quote Originally Posted by rthonpm:
    NetBIOS resolves hostnames for the old WINS protocol. As long as a DNS server internal to the network is configured in network settings, hostnames will resolve whether NetBIOS is turned on or off.

    For Kerberos authentication, you will need to follow the instructions found in the user manual for configuring the realm and connecting to your KDC. In terms of disabling NTLM, have you disabled the entire protocol, or just NTLMv1 and allowing NTLMv2? You may want to involve your support company to change some of the authentication settings only available through a terminal session to the machine, as well as to ensure all firmware is up to date.

    Sent from my BlackBerry using Tapatalk

    I am the support company, unfortunately. I hung up my tech hat for office IT a while ago. All versions of NTLM have been disabled. I am familiar with establishing a Telnet session to these MFPs, as I had to change something via this method some time ago, but I do not recall what. There is a setting for Kerberos authentication in the WIM under Device Management and then Configuration. Are we getting close here?

#5 PrintWhisperer (Senior Tech, 250+ Posts), Wild West

    Re: MPC3003 and Using Kerberos Authentication for Scan to File

    Quote Originally Posted by Stormhammer:
    Is this possible? Recently the org I work for turned NTLM completely off and we have a fleet of 20 of these. I see options to enter Kerberos information in for user authentication in the administrative settings but this seems to only authenticate for using options on the machine.

    I appreciate any elucidation anyone can provide on this as we will be ending our Ricoh contract if this is not possible as scanning to email is not allowed for our environment.

    Helpful to know the OS you're dealing with but let's clear up some misunderstanding about what you are after.

    Typically (as you have found) an MFP's settings referring to NTLM vs Kerberos are seen in the Login feature (basically AD auth to use the device) and do not refer to Scan to File. There are embedded apps that will, but the basic protocol stack is usually equivalent to OpenSSL.

    Scan to File can (usually) be FTP or SMB, but in each case the authentication method is built into the protocol based on its supported versions.

    As Slimslob pointed out, the NTLMSSP challenge is built into SMB2 as the NTLM [MS-NLMP] auth method and is what we typically see used, and the Server communicates with the Authentication Authority.

    For Microsoft at least, SMB2 clients wishing to connect using Kerberos must support the [MS-KILE] extensions and communicate with the Authentication Authority (DC) directly.

    From what I read around here, Ricoh support for SMB2 is pretty sketchy, but if you make any progress I would love to see a Wireshark capture of a Kerberos SMB2 exchange.
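PrintWhisperer's point is that the authentication method for SMB scan-to-folder is negotiated inside the SMB2 SESSION_SETUP security blob (SPNEGO), where the client lists the mechanisms it offers, NTLMSSP and/or Kerberos. The script below is an added example, not from this thread, from Ricoh or from Microsoft: a small DER walker that pulls the mechTypes list out of a SPNEGO NegTokenInit so an admin can check, from a capture, whether an MFP is offering Kerberos or only NTLMSSP before NTLM is switched off. The sample tokens are constructed inside the script with a minimal encoder; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers. A real blob can be fed in as the raw bytes of the "Security Blob" field Wireshark shows for the SESSION_SETUP request.

```python
# Added example (not from the thread or from Ricoh): read the SPNEGO mechTypes
# list out of an SMB2 SESSION_SETUP security blob to see whether a client is
# offering Kerberos or only NTLMSSP. Sample blobs are constructed below.

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",      # Kerberos v5 (RFC 1964)
    "1.2.840.48018.1.2.2": "MS-KRB5",    # Microsoft's Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS_MECHS = {"KRB5", "MS-KRB5"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the DER content bytes of an OBJECT IDENTIFIER into dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def offered_mechs(blob):
    """Mechanism names in the order the client listed them in NegTokenInit.

    Raises ValueError for blobs that are not a SPNEGO NegTokenInit (e.g. a
    client that sends a bare NTLMSSP message), which is itself worth noting.
    """
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x60:                        # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:                        # negTokenInit [0]
        raise ValueError("not a NegTokenInit")
    _, init_seq, _ = _read_tlv(neg_init, 0)      # SEQUENCE
    tag, mech_types, _ = _read_tlv(init_seq, 0)  # mechTypes [0], always first
    if tag != 0xA0:
        raise ValueError("NegTokenInit without mechTypes")
    _, mech_seq, _ = _read_tlv(mech_types, 0)    # SEQUENCE OF MechType (OID)
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = _read_tlv(mech_seq, pos)
        dotted = _decode_oid(oid)
        mechs.append(MECH_NAMES.get(dotted, dotted))
    return mechs


def audit_session_setup(blob):
    """Summarise the offer; 'preferred' is the mech the client's mechToken is for."""
    mechs = offered_mechs(blob)
    return {
        "preferred": mechs[0],
        "kerberos_offered": any(m in KERBEROS_MECHS for m in mechs),
        "ntlm_offered": "NTLMSSP" in mechs,
    }


# --- constructed sample tokens (the encoder exists only to build test input) ---

def _tlv(tag, value):
    assert len(value) < 128               # short-form length is enough here
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_neg_token_init(mech_oids):
    """Constructed SPNEGO NegTokenInit listing mech_oids (no mechToken)."""
    mech_seq = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    init_seq = _tlv(0x30, _tlv(0xA0, mech_seq))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, init_seq))


NTLM_ONLY = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])
KERBEROS_FIRST = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])

if __name__ == "__main__":
    for name, blob in (("NTLM-only client", NTLM_ONLY),
                       ("Kerberos-capable client", KERBEROS_FIRST)):
        print(name, audit_session_setup(blob))
```

The first OID in mechTypes is the one the accompanying mechToken was built for, so an MFP that lists NTLMSSP first will try NTLM even if Kerberos appears later in the list; that is what to look for in a capture from a device that stops scanning once NTLM is disabled. The parser only reads the mechTypes element, so real tokens that carry the optional mechToken and mechListMIC fields after it parse the same way.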

#6 rthonpm (Service Manager, 2,500+ Posts), Pennsyltucky

    Re: MPC3003 and Using Kerberos Authentication for Scan to File

    You found the correct settings for enabling Kerberos. You need to make sure that the time on the MFP is identical to the network time. Generally using a domain controller as your NTP source will do that for you. From there, configure your realm, entering it in all capital letters; your domain controller, using the hostname; and finally the domain name.

    Do you have a default sender set for the scan function? Best practice is going to be using a service account (not a newer style managed service account).

    Is the firmware level up to date where it gives you the option to enable SMB3? Having the latest firmware on the device would be a good first step.

    Sent from my BlackBerry using Tapatalk
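The settings rthonpm lists (MFP clock matching the domain controller, realm in capitals, the domain controller entered by hostname, and the domain name) are the things that most often go wrong when Kerberos is set up on a device by hand. The following is an added example, not from this thread or from Ricoh: a pre-flight check that takes the values you intend to type into the MFP and the clock readings of the MFP and the DC, and reports what needs fixing. The field names (realm, kdc, domain) and the sample settings are this script's own assumptions; the 5-minute skew limit is general Kerberos behaviour rather than something the thread states.

```python
# Added example (not from the thread or from Ricoh): pre-flight checks for the
# Kerberos settings rthonpm lists above, run against the values you intend to
# enter in the MFP's web UI. Field names are this script's own assumptions.
import ipaddress
from datetime import datetime

# Kerberos implementations reject tickets when clocks differ by more than the
# configured skew, 5 minutes by default (general Kerberos behaviour, not
# something the thread states). The post's advice is still to keep them identical.
MAX_SKEW_SECONDS = 300


def check_kerberos_settings(cfg, mfp_time_iso, dc_time_iso):
    """Return a list of findings; an empty list means the settings look sane.

    cfg keys (assumed names): realm, kdc (domain controller), domain.
    Times are ISO 8601 strings with offsets, e.g. "2024-01-01T12:00:00+00:00".
    """
    findings = []
    realm, kdc, domain = cfg["realm"], cfg["kdc"], cfg["domain"]

    # Realm must be entered in capitals; it is normally the AD domain name.
    if realm != realm.upper():
        findings.append(f"realm '{realm}' must be all capitals: '{realm.upper()}'")
    if realm.lower() != domain.lower():
        findings.append(f"realm '{realm}' does not match the domain '{domain}'")

    # The KDC should be the domain controller's hostname, not an IP literal.
    try:
        ipaddress.ip_address(kdc)
        findings.append(f"KDC '{kdc}' is an IP address; use the domain controller's hostname")
    except ValueError:
        # A dotted name that is not under the domain is probably a typo.
        if "." in kdc and not kdc.lower().endswith("." + domain.lower()):
            findings.append(f"KDC '{kdc}' is not a host in '{domain}'; check the FQDN")

    # Clock skew between the MFP and the DC (the DC is the NTP source to use).
    mfp_time = datetime.fromisoformat(mfp_time_iso)
    dc_time = datetime.fromisoformat(dc_time_iso)
    skew = abs((mfp_time - dc_time).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"MFP clock is {skew:.0f}s off the DC; sync NTP to the domain controller")
    return findings


# Constructed sample settings: one as typically mis-entered, one corrected.
MISENTERED = {"realm": "corp.example.com", "kdc": "192.0.2.10",
              "domain": "corp.example.com"}
CORRECTED = {"realm": "CORP.EXAMPLE.COM", "kdc": "dc01.corp.example.com",
             "domain": "corp.example.com"}

if __name__ == "__main__":
    print(check_kerberos_settings(MISENTERED,
                                  "2024-01-01T12:10:00+00:00", "2024-01-01T12:00:00+00:00"))
    print(check_kerberos_settings(CORRECTED,
                                  "2024-01-01T12:00:02+00:00", "2024-01-01T12:00:00+00:00"))
```

Run against the mis-entered sample it reports the lowercase realm, the IP-literal KDC and a ten-minute clock offset; the corrected sample returns no findings. The clock readings can be taken from the MFP's web UI and from the DC (for example `w32tm /query /status` on Windows) and pasted in as ISO timestamps.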
