Using Kerberos Authentication with ManageEngine Applications Manager for Windows Monitoring

What is Kerberos?

Kerberos is the authentication protocol used in Active Directory (AD) domains. Instead of sending a password to the target server, the client presents an encrypted "ticket" issued by the domain controller, which lets ManageEngine Applications Manager connect to a target server securely. When a server is joined to a domain, Kerberos is enabled by default, making it ideal for monitoring servers without transmitting sensitive credentials.

Why Use Kerberos with ManageEngine Applications Manager?

ManageEngine Applications Manager monitors server performance, applications, and logs. Kerberos enables secure connections to domain-joined servers without hardcoding passwords, using the tool’s domain account for authentication. This ensures safe access to resources like Windows Management Instrumentation (WMI) or file shares.

How It Works

  1. ManageEngine Applications Manager, running on a domain-joined machine, uses a domain account.
  2. It requests a Kerberos ticket from the AD domain controller for the target server.
  3. The ticket is used to authenticate to the server, granting access to monitoring data.
  4. The server verifies the ticket and allows the connection.

Steps to Set Up and Verify Kerberos for ManageEngine Applications Manager

Follow these steps to configure and verify Kerberos authentication for ManageEngine Applications Manager connecting to a domain-joined server.

1. Confirm Domain Membership

Both the server hosting ManageEngine Applications Manager and the target server must be joined to the same AD domain.

  • Run in Command Prompt:
    systeminfo | findstr "Domain"
    
  • Output should show the domain (e.g., Domain: contoso.com).

2. Verify Service Principal Names (SPNs)

SPNs link a service (for example HOST or CIFS) to the target server's AD computer account; the domain controller uses the SPN to issue a ticket for that service, so Kerberos cannot work without one. Check that the target server has SPNs registered.

  • Run:
    setspn -L server01
    
    • Replace server01 with the target server’s name.
    • Expected output:
      HOST/SERVER01
      HOST/SERVER01.contoso.com
      
  • If no SPNs are listed, ask a domain admin to add them:
    setspn -S HOST/server01.contoso.com server01
3. Configure ManageEngine Applications Manager

  • Ensure Applications Manager runs under a domain account with permissions to access the target server’s resources (e.g., WMI or file shares).
  • In Applications Manager, configure the monitor (e.g., Windows Server monitor) to use the target server’s fully qualified domain name (FQDN, e.g., server01.contoso.com).
  • Enable Windows authentication (Kerberos) in the monitor settings:
    • Go to New Monitor > Windows Server or relevant monitor type.
    • Select Windows Authentication and provide the domain account credentials or use the service account running Applications Manager.
  • For WMI monitoring, Applications Manager uses Kerberos by default in a domain environment. No hardcoded passwords are needed if integrated Windows authentication is enabled.

4. Test Kerberos Tickets

  • Verify that Applications Manager receives Kerberos tickets:
    klist
    
    • Run on the machine hosting Applications Manager.
    • Look for tickets like HOST/server01.contoso.com or CIFS/server01.contoso.com.
  • Test the monitor in Applications Manager to ensure it collects data from the target server (e.g., CPU usage or disk metrics).

5. Check Time Synchronization

Kerberos requires clocks on the Applications Manager host, target server, and domain controller to be synchronized (within 5 minutes).

  • Run:
    w32tm /query /status
    
  • Fix sync issues:
    w32tm /resync
    
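The five checks above can be run together from the Applications Manager host. The following PowerShell script is an added example, not ManageEngine's own code; the target name server01.contoso.com is an assumed placeholder, and the script relies only on the Windows tools already named in the steps (setspn, klist, w32tm).

```powershell
# Pre-flight check for the Kerberos prerequisites above, run on the
# Applications Manager host. Added example, not ManageEngine's own code.
# $Target is an assumed placeholder; replace it with your target server's FQDN.
param([string]$Target = "server01.contoso.com")

$hostShort = ($Target -split '\.')[0]
$results   = @()

# 1. This host must be domain-joined.
$cs = Get-CimInstance Win32_ComputerSystem
$results += [pscustomobject]@{ Check = "Domain membership"; Ok = $cs.PartOfDomain; Info = $cs.Domain }

# 2. The target's computer account must have a HOST SPN (setspn -L lists one per line).
$spns = & setspn.exe -L $hostShort 2>&1 | Where-Object { $_ -match '^\s+\S+/' } | ForEach-Object { $_.Trim() }
$hasSpn = ($spns -contains "HOST/$Target") -or ($spns -contains "HOST/$hostShort")
$results += [pscustomobject]@{ Check = "HOST SPN registered"; Ok = $hasSpn; Info = ($spns -join ', ') }

# 3. DNS must resolve the FQDN, or the client cannot build the SPN it asks a ticket for.
$dns = Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "DNS resolves FQDN"; Ok = [bool]$dns; Info = (@($dns.IPAddress) -join ', ') }

# 4. Request a service ticket for the target and confirm it lands in the ticket cache.
#    If this fails while step 2 passed, the monitor is likely falling back to NTLM.
$null  = & klist.exe get "HOST/$Target" 2>&1
$cache = & klist.exe 2>&1
$hasTicket = [bool]($cache -match [regex]::Escape("HOST/$Target"))
$results += [pscustomobject]@{ Check = "Kerberos ticket for target"; Ok = $hasTicket; Info = "see klist" }

# 5. Clock skew against the logon DC must stay under the 5-minute Kerberos limit.
#    w32tm /stripchart /dataonly prints lines like "12:37:30, -00.0011346s".
$dc     = $env:LOGONSERVER.TrimStart('\')
$chart  = & w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly 2>&1
$offset = $null
foreach ($line in $chart) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { $offset = [double]$Matches[1] }
}
$skewOk = ($null -ne $offset) -and ([math]::Abs($offset) -lt 300)
$results += [pscustomobject]@{ Check = "Clock skew vs $dc (< 300 s)"; Ok = $skewOk; Info = "$offset s" }

$results | Format-Table -AutoSize
```

Run it as the domain account that Applications Manager uses, since the ticket cache (step 4) belongs to the logged-on user.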

Troubleshooting Tips

  • No SPNs: Register missing SPNs with setspn -S.
  • Connection Fails: Ensure the correct FQDN is used in Applications Manager and the account has permissions (e.g., WMI access).
  • NTLM Fallback: If klist shows no ticket for the target after a monitor test, the connection fell back to NTLM; verify SPNs and DNS settings to ensure Kerberos is used instead of NTLM.
  • Check the Security log on the target server (Event Viewer > Windows Logs > Security) for Kerberos-related events (e.g., Event ID 4768 for successful authentication).

Best Practices

  • Ensure DNS resolves the target server’s FQDN correctly.
  • Regularly check time synchronization to prevent Kerberos failures.

Conclusion

Kerberos authentication enables ManageEngine Applications Manager to securely monitor domain-joined servers using tickets instead of passwords. By confirming domain membership, verifying SPNs, and configuring the tool correctly, you can ensure reliable and secure monitoring. These steps keep your server monitoring efficient and aligned with AD security standards.
