Configuring Kerberos authentication


  • this configuration is required when using the WAPT Enterprise version;
  • without Kerberos authentication, you have to either trust initial registration or enter a password for each workstation on initial registration;
  • for more information, visit the documentation on registering a machine with the WAPT Server and signing inventory updates;
  • Kerberos authentication is used only when registering the device.

Installing the Kerberos components

apt-get install krb5-user msktutil
apt-get install libnginx-mod-http-auth-spnego

Configuring krb5

Modify the /etc/krb5.conf file and replace all the content with the following 4 lines, replacing MYDOMAIN.LAN with your Active Directory domain name.


default_realm must be written in ALL CAPS!

[libdefaults]
  default_realm = MYDOMAIN.LAN
  dns_lookup_kdc = true

Retrieving a service keytab

Use the kinit and klist commands. You can use an Administrator account or any other account with the delegated right to join a computer to the domain in the proper destination container (by default CN=Computers).

In the shell transcript below, the returned text is shown as comments prefixed with ##:

sudo kinit administrator
## Password for administrator@MYDOMAIN.LAN:
## Warning: Your password will expire in 277 days on lun. 17 sept. 2018 10:51:21 CEST
sudo klist
## Ticket cache: FILE:/tmp/krb5cc_0
## Default principal: administrator@MYDOMAIN.LAN
## Valid starting       Expires              Service principal
## 01/12/2017 16:49:31  02/12/2017 02:49:31  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
## renew until 02/12/2017 16:49:27

If the authentication request is successful, you can then create your HTTP keytab with the msktutil command.

Be sure to replace the DOMAIN_CONTROLER string with the name of your domain controller (e.g. srvads.mydomain.lan).

sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
sudo msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N


Be sure to have properly configured your WAPT Server hostname before running these commands.

To double-check your hostname, you can run echo $(hostname); it must return the name that will be used by the WAPT agent running on client workstations.

Finally, change the ownership and permissions of the keytab file.

sudo chown root:www-data /etc/nginx/http-krb5.keytab
sudo chmod 640 /etc/nginx/http-krb5.keytab
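
The script below is an added example, not part of the WAPT documentation: it checks the three things the steps above rely on (upper-case default_realm, an AES-only HTTP entry in the keytab, and 640 root:www-data on the file). The function names are hypothetical; it assumes MIT klist from the krb5-user package and that --enctypes 24 means 0x8 + 0x10 (AES128 + AES256) as documented for msktutil.

```shell
#!/bin/sh
# Added example: checks for the krb5.conf and keytab produced by the steps above.
# Paths, mode and group come from the page; the function names are hypothetical.
KEYTAB=/etc/nginx/http-krb5.keytab

# Succeeds only if default_realm is set and contains no lower-case letter.
check_realm_case() {  # $1 = path to a krb5.conf
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    case $realm in *[a-z]*) return 1 ;; esac
}

# Reads `klist -k -e` output on stdin. Succeeds only if an HTTP/<name>@ entry
# exists and every HTTP entry is AES128/AES256, which is what
# `--enctypes 24` (0x8 + 0x10) asks msktutil for.
check_keytab_listing() {  # $1 = server name as returned by hostname
    awk -v want="HTTP/$1@" '
        index($0, "HTTP/") {
            if (index($0, want)) found = 1
            if ($0 !~ /\((aes128|aes256)-cts-hmac-sha[0-9-]+\)/) weak = 1
        }
        END { exit !(found && !weak) }'
}

# Succeeds only if the file is mode 640 and owned by the given user and group.
# The keytab holds the service's long-term key, so it must not be world-readable.
check_keytab_perms() {  # $1 = keytab path, $2 = user, $3 = group
    [ -n "$(find "$1" -prune -perm 640 -user "$2" -group "$3" 2>/dev/null)" ]
}

# Live run on the WAPT Server, as root; skipped where the keytab is absent.
if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
    check_realm_case /etc/krb5.conf || echo "FAIL: default_realm unset or not upper case"
    klist -k -e "$KEYTAB" | check_keytab_listing "$(hostname)" \
        || echo "FAIL: missing HTTP/$(hostname) entry or non-AES key"
    check_keytab_perms "$KEYTAB" root www-data || echo "FAIL: keytab is not 640 root:www-data"
fi
```

The script prints nothing when all three checks pass.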


You can now use the post-configuration script to configure the WAPT Server to use Kerberos.

The post-configuration script will configure Nginx and the WAPT Server to use Kerberos authentication.


This post-configuration script must be run as root.

/opt/wapt/waptserver/scripts/ --force-https

Kerberos authentication is now configured.


The post-configuration script generates a self-signed certificate. If you prefer, you may replace it with a commercial certificate or a certificate issued by a trusted internal Certificate Authority.

Otherwise, go directly to the next step, installing the WAPT console.