Kerberos is a secure authentication protocol used in Active Directory (AD) domains. It uses encrypted "tickets" instead of passwords to allow ManageEngine Applications Manager to connect to a target server securely. When a server is joined to a domain, Kerberos is enabled by default, making it ideal for monitoring servers without transmitting sensitive credentials.
ManageEngine Applications Manager monitors server performance, applications, and logs. Kerberos enables secure connections to domain-joined servers without hardcoding passwords, using the tool’s domain account for authentication. This ensures safe access to resources like Windows Management Instrumentation (WMI) or file shares.
Follow these steps to configure and verify Kerberos authentication for ManageEngine Applications Manager connecting to a domain-joined server.
Both the server hosting ManageEngine Applications Manager and the target server must be joined to the same AD domain.
systeminfo | findstr "Domain"
Domain: contoso.com
Service Principal Names (SPNs) link services to the target server’s AD account, enabling Kerberos. Check if the target server has SPNs registered.
setspn -L server01
Replace server01 with the target server’s name.
HOST/SERVER01
HOST/SERVER01.contoso.com
setspn -S HOST/server01.contoso.com server01
server01.contoso.com
klist
HOST/server01.contoso.com
or CIFS/server01.contoso.com
Kerberos requires clocks on the Applications Manager host, target server, and domain controller to be synchronized (within 5 minutes).
w32tm /query /status
w32tm /resync
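The SPN and ticket checks above can be scripted. The PowerShell below is an added example, not part of the original article or of ManageEngine's tooling; it parses the text that setspn -L and klist print. The function name Test-KerberosReadiness, the account svc-apm and the sample output are constructed for illustration.

```powershell
# Added example: checks setspn -L and klist output for one target server.
function Test-KerberosReadiness {
    param(
        [string[]]$SetSpnOutput,  # lines from: setspn -L <server>
        [string[]]$KlistOutput,   # lines from: klist
        [string]$TargetFqdn       # e.g. server01.contoso.com
    )
    $short = $TargetFqdn.Split('.')[0]

    # setspn -L prints each registered SPN on its own indented line.
    $registered = @(foreach ($line in $SetSpnOutput) {
        if ($line -match '^\s+(\S+/\S+)\s*$') { $Matches[1] }
    })
    # The article looks for HOST/<name> and HOST/<FQDN>; -notcontains is
    # case-insensitive, so HOST/SERVER01 matches HOST/server01.
    $missing = @("HOST/$short", "HOST/$TargetFqdn" |
        Where-Object { $registered -notcontains $_ })

    # klist prints "Server: <SPN> @ <REALM>" for every cached ticket.
    $tickets = @(foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)\s*@') { $Matches[1] }
    })
    $wanted = "HOST/$TargetFqdn", "CIFS/$TargetFqdn"
    $serviceTickets = @($tickets | Where-Object { $wanted -contains $_ })

    [pscustomobject]@{
        Target         = $TargetFqdn
        MissingSpns    = $missing
        ServiceTickets = $serviceTickets
        Ready          = ($missing.Count -eq 0) -and ($serviceTickets.Count -gt 0)
    }
}

# Constructed sample output (not captured from a real host): one HOST SPN is
# missing, and a CIFS ticket for the target is already cached.
$spnSample = @(
    'Registered ServicePrincipalNames for CN=SERVER01,OU=Servers,DC=contoso,DC=com:',
    "`tHOST/SERVER01",
    "`tTERMSRV/SERVER01.contoso.com"
)
$klistSample = @(
    '#0>     Client: svc-apm @ CONTOSO.COM',
    '        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM',
    '#1>     Client: svc-apm @ CONTOSO.COM',
    '        Server: cifs/server01.contoso.com @ CONTOSO.COM'
)
Test-KerberosReadiness -SetSpnOutput $spnSample -KlistOutput $klistSample `
    -TargetFqdn 'server01.contoso.com'
# Live use: pass (setspn -L server01) and (klist) instead of the samples.
```

MissingSpns lists the HOST entries still to be registered with setspn -S, and ServiceTickets lists the cached HOST or CIFS tickets for the target; Ready is true only when no SPN is missing and at least one such ticket is cached.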
setspn -S
Check Event Viewer > Windows Logs > Security for Kerberos errors (e.g., Event ID 4768 for successful authentication).
Kerberos authentication enables ManageEngine Applications Manager to securely monitor domain-joined servers using tickets instead of passwords. By confirming domain membership, verifying SPNs, and configuring the tool correctly, you can ensure reliable and secure monitoring. These steps keep your server monitoring efficient and aligned with AD security standards.