Kaspersky Security Center

Authentication and connection to a domain controller

1 July 2024

ID 277210

Authentication and connection to a domain controller when scanning a domain

When scanning a domain controller, Administration Server or a distribution point determines the connection protocol for the initial connection to the domain controller. This protocol is then used for all subsequent connections to that domain controller.

The initial connection to a domain controller proceeds as follows:

  1. Administration Server or a distribution point attempts to connect to the domain controller over LDAPS.

    By default, certificate verification is not required. Set the KLNAG_LDAP_TLS_REQCERT flag to 1 to enforce certificate verification.

    Possible values of the KLNAG_LDAP_TLS_REQCERT flag:

    • 0—The certificate is requested, but if it is not provided or the certificate verification failed, then the TLS connection is still considered successfully created (default value).
    • 1—Strict verification of the LDAP server certificate is required.

    By default, the path to the certificate authority (CA) that is used to access the certificate chain is not specified. Use the KLNAG_LDAP_SSL_CACERT flag to specify the path.

  2. If the LDAPS connection fails, Administration Server or a distribution point attempts to connect to the domain controller over a non-encrypted TCP connection by using SASL (DIGEST-MD5).

Authentication and connection to a domain controller when authenticating a domain user to Administration Server

When a domain user authenticates on Administration Server, Administration Server identifies the protocol to establish connection to the domain controller.

The connection to a domain controller proceeds as follows:

  1. Administration Server attempts to connect to the domain controller over LDAPS.

    By default, certificate verification is required. Use the KLNAG_LDAP_TLS_REQCERT_AUTH flag to configure certificate verification.

    Possible values of the KLNAG_LDAP_TLS_REQCERT_AUTH flag:

    • 0—The certificate is requested, but if it is not provided or the certificate verification failed, then the TLS connection is still considered successfully created.
    • 1—Strict verification of the LDAP server certificate is required (default value).

    By default, the path to the certificate authority (CA) that is used to access the certificate chain is not specified. Use the KLNAG_LDAP_SSL_CACERT flag to specify the path.

  2. If the LDAPS connection fails, an error connecting to the domain controller occurs and other connection protocols are not used.
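The two procedures above differ only in what happens when LDAPS fails: scanning falls back to a non-encrypted SASL (DIGEST-MD5) session, authentication does not. The following is an added example, not Kaspersky Security Center code: it models both procedures, translates the 0/1 values of KLNAG_LDAP_TLS_REQCERT / KLNAG_LDAP_TLS_REQCERT_AUTH and the KLNAG_LDAP_SSL_CACERT path into the equivalent client TLS verification settings, and flags the plaintext downgrade so it can be logged. The connector is injected (the `simulated_connector` helper is a constructed stand-in for real sockets) so the logic runs offline.

```python
import ssl
from dataclasses import dataclass
from typing import Callable, Optional

# Connector: (host, protocol, tls_context) -> None; raises OSError when the attempt fails.
# tls_context is None for the non-encrypted TCP + SASL (DIGEST-MD5) attempt.
Connector = Callable[[str, str, Optional[ssl.SSLContext]], None]


def ldaps_context(reqcert: int, cacert: Optional[str] = None) -> ssl.SSLContext:
    """Map KLNAG_LDAP_TLS_REQCERT / _AUTH (0 or 1) and KLNAG_LDAP_SSL_CACERT
    to client TLS verification settings (added example, not KSC internals)."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED plus hostname check
    if reqcert == 1:
        if cacert:                          # explicit CA chain for the DC certificate
            ctx.load_verify_locations(cafile=cacert)
    else:
        # value 0: a certificate is requested, but a missing or failing one is still
        # accepted, so the session does not protect against an impersonated DC
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


@dataclass
class Outcome:
    protocol: Optional[str]        # "ldaps", "tcp-sasl-digest-md5" or None (failed)
    downgraded: bool = False       # True when LDAPS failed and plaintext was used
    error: Optional[str] = None


def connect_dc(host: str, mode: str, reqcert: int, connector: Connector,
               cacert: Optional[str] = None) -> Outcome:
    """mode="scan": domain scanning (LDAPS, then plaintext SASL fallback).
    mode="auth": domain-user authentication (LDAPS only; failure is an error)."""
    ctx = ldaps_context(reqcert, cacert)
    try:
        connector(host, "ldaps", ctx)
        return Outcome("ldaps")
    except OSError as exc:
        if mode != "scan":
            return Outcome(None, error=f"LDAPS failed, no other protocol tried: {exc}")
    try:
        connector(host, "tcp-sasl-digest-md5", None)
        # worth alerting on: the session to the DC is now unencrypted
        return Outcome("tcp-sasl-digest-md5", downgraded=True)
    except OSError as exc:
        return Outcome(None, error=f"both attempts failed: {exc}")


def simulated_connector(ldaps_ok: bool, plain_ok: bool) -> Connector:
    """Constructed stand-in for real sockets so the procedure can run offline."""
    def attempt(host: str, protocol: str, ctx: Optional[ssl.SSLContext]) -> None:
        if not (ldaps_ok if protocol == "ldaps" else plain_ok):
            raise OSError(f"{protocol} to {host} refused")
    return attempt
```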

Configuring flags

You can use the klscflag utility to configure flags.

Open a command line, and then change your current directory to the directory that contains the klscflag utility. The klscflag utility is located in the directory where Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.

For example, the following command enforces certificate verification:

klscflag -fset -pv klserver -n KLNAG_LDAP_TLS_REQCERT -t d -v 1
