Kerberos Authentication Settings

Overview

Use the Kerberos Authentication page to configure the device (multi-function peripheral or digital sender) to authenticate users to a Kerberos Realm. When Kerberos authentication is selected as the Log In Method for one or more Device Functions on the Authentication Manager page, the user at the device must enter valid credentials (username, password, and realm) to gain access to those functions.

Authentication consists of two interdependent parts. First, the device verifies the user's credentials with the KDC. After the device user has supplied valid credentials and has been authenticated, the device searches for the user's e-mail address and name. If either step fails, the user is denied access to the functions that have been configured to require Kerberos authentication.

Use the Kerberos Authentication page to set up the parameters that are used to access the LDAP server and search for the user's information. Note that this page only applies when Kerberos Version 5 is selected as a Log In Method on the Authentication Manager page.

Accessing the Kerberos Authentication Server

The Kerberos Default Realm is the fully qualified domain name of the Kerberos realm (domain).

Use the Advanced button to the right of the Kerberos Default Realm field to access the Alternate Domain configuration. Alternate domains are mapped to the default realm.

The Kerberos Server Hostname can be the same as the Kerberos Default Realm if a DNS (Domain Name Service) service is available and correctly configured. The device will use DNS to look up the first available KDC (Kerberos Domain Controller) on the network. If DNS is not available, the IP address of the Kerberos Server may be used instead.

The Kerberos Server Port is the default IP port used by the Kerberos authentication method. Note that the default is port 88, but this can be different in different network environments. Please contact your IT administrator to determine the appropriate port if the default port does not work.

Accessing the LDAP Server

The LDAP Server Bind Method determines how the device will access the LDAP server.

The Credentials configuration section is used to determine which credentials will be used to bind (authenticate) to the LDAP server.

The Bind Prefix setting is the LDAP attribute used to construct the user's Distinguished Name (DN) for authentication. This prefix is combined with the username typed at the control panel to form the Relative Distinguished Name (RDN). Commonly used prefixes are "CN" (for common name) or "UID" (for user identity).

The Bind and Search Root value is used to validate the user's credentials with the LDAP server. This value is combined with the RDN to construct the full Distinguished Name (DN) of the user.

The string consists of "attribute=value" pairs, separated by commas. For example:

ou=engineering,o=Hewlett Packard,c=US

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com

The Bind Prefix and Bind and Search Root settings are only used if the LDAP Server Bind Method is set to Simple or Simple over SSL, and Use Device User Credentials is selected.

The LDAP Server is typically the same as the Kerberos Server in the Windows Active Directory Environment.

The Port is the IP port used by the LDAP protocol to communicate with the LDAP server. This is typically port 389 or port 3268.

Searching the LDAP Database

The Search Root is the Distinguished Name (DN) of the entry in the LDAP directory structure where address searching is to begin. A DN is made up of "attribute=value" pairs, separated by commas. For example:

dc=Hewlett-Packard,dc=com

ou=engineering,dc=northamerica,dc=Hewlett-Packard,dc=com

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com

Note: On some LDAP Servers, the Search Root can be left blank (in which case its root node will be assumed). The search root is not case sensitive.

Retrieve the device user's e-mail address using attribute of

After the device user has been located in the LDAP database, the user's e-mail address is retrieved from the database by using the LDAP attribute specified in the Retrieve the device user's e-mail address using attribute of field. In the Windows Active Directory environment, this attribute is typically mail.

Retrieve the device user's name using the attribute of

The user's display name is obtained from the LDAP attribute that is specified in the Retrieve the device user's name using the attribute of field. In the Windows Active Directory environment, this attribute is typically displayName.
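Drawing on the Bind Prefix / Bind and Search Root section and the two attribute-retrieval settings above, the following is an added Python example (not HP's own device code) of how those settings compose into the bind DN and into the lookup that returns mail and displayName. The escaping helpers and all function names are assumptions about what a careful implementation does; the page does not state how the device itself treats a username containing DN or filter metacharacters.

```python
# Added example, not HP's firmware code: shows how the Bind Prefix, the
# username typed at the control panel and the Bind and Search Root combine
# into the bind DN, and how the Search Root and the two attribute settings
# become the lookup for the user's e-mail address and display name.
# Escaping follows RFC 4514 (DN values) and RFC 4515 (filter values); whether
# the device itself escapes is not documented, so treat that as an assumption.

DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(bind_prefix: str, username: str, bind_search_root: str) -> str:
    """RDN is '<prefix>=<username>'; the DN appends the Bind and Search Root."""
    rdn = f"{bind_prefix}={escape_dn_value(username)}"
    return f"{rdn},{bind_search_root}" if bind_search_root else rdn


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_search(search_root: str, bind_prefix: str, username: str,
                      mail_attr: str = "mail", name_attr: str = "displayName") -> dict:
    """Parameters of the post-authentication lookup (Search Root may be blank)."""
    return {
        "base": search_root,  # blank means the server's root node is assumed
        "scope": "subtree",
        "filter": f"({bind_prefix}={escape_filter_value(username)})",
        "attributes": [mail_attr, name_attr],
    }


if __name__ == "__main__":
    root = "ou=engineering,cn=users,dc=hp,dc=com"
    print(build_bind_dn("CN", "jdoe", root))
    print(build_bind_dn("CN", "jdoe,ou=admins", root))  # stays one RDN value
    print(build_user_search("dc=hp,dc=com", "CN", "j*doe"))
```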