Kerberos 5 monitor

The Kerberos 5 monitor verifies that an authentication server can respond to a ticket request by sending a ticket request to the Authentication Service (AS).

The ticket request contains the client identity ipMonitor, a session key, a time stamp, and other information such as flags. After the request is processed, the monitor measures the round-trip time to determine the service responsiveness. If the service does not respond within the specified Maximum Test Duration, the test fails.

The Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server before a network connection is opened between them. Authentication occurs before permission to access network resources is granted.
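The ticket-request test described above can be reproduced by hand to check an authentication server independently of the monitor. The following is an added example, not ipMonitor code: it builds a minimal RFC 4120 AS-REQ without pre-authentication data, sends it over UDP, and times the reply. The function names, the choice of UDP, the requested encryption types, and treating a KRB-ERROR reply as proof that the AS responded are all assumptions.

```python
import socket, time
from datetime import datetime, timedelta, timezone

def tlv(tag, body):
    """DER tag-length-value; long-form length for bodies of 128+ bytes."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_int(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # v >= 0
def ctx(n, body): return tlv(0xA0 | n, body)           # [n] EXPLICIT wrapper
def seq(*items): return tlv(0x30, b"".join(items))     # SEQUENCE
def gstr(s): return tlv(0x1B, s.encode("ascii"))       # KerberosString

def principal(name_type, *parts):
    return seq(ctx(0, der_int(name_type)), ctx(1, seq(*map(gstr, parts))))

def build_as_req(account, realm, nonce):
    """AS-REQ asking for a TGT for account@realm (no padata)."""
    till = (datetime.now(timezone.utc) + timedelta(hours=1)).strftime("%Y%m%d%H%M%SZ")
    body = seq(
        ctx(0, tlv(0x03, b"\x00" + bytes(4))),    # kdc-options: no flags set
        ctx(1, principal(1, account)),            # cname, NT-PRINCIPAL
        ctx(2, gstr(realm)),                      # realm
        ctx(3, principal(2, "krbtgt", realm)),    # sname, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode())),         # till (GeneralizedTime)
        ctx(7, der_int(nonce)),                   # nonce
        ctx(8, seq(der_int(18), der_int(17))),    # etypes: AES256, AES128 (assumed)
    )
    return tlv(0x6A, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

def classify(reply):
    # The first byte is the APPLICATION tag: 11 = AS-REP, 30 = KRB-ERROR.
    return {0x6B: "AS-REP", 0x7E: "KRB-ERROR"}.get(reply[0] if reply else None, "unexpected")

def probe(host, account, realm, port=88, max_test_duration=5.0):
    # Returns (responded, round_trip_seconds, reply_kind).
    req = build_as_req(account, realm, int(time.time()) & 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(max_test_duration)
        start = time.monotonic()
        try:
            s.sendto(req, (host, port))
            reply, _ = s.recvfrom(65535)
        except OSError:                           # timeout, refused, or unresolvable host
            return False, None, "no response"
        return True, time.monotonic() - start, classify(reply)
```

A KRB-ERROR is the usual reply when the account requires pre-authentication; it still shows that the AS processed the request within the time limit.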

Create a Kerberos 5 monitor

  1. Click Devices in the toolbar.
  2. Locate and click the targeted device you want to monitor.
  3. In the toolbar, click Add > Add New Monitor.

  4. In the Select Monitor menu, click Kerberos 5.
  5. Under Identification, enter information about the monitor.

    1. Enter a name in the Monitor Name field using up to 64 characters. This name will appear in the monitor list, monitor status, log files, and your reports.

      You can change this name later, if necessary. ipMonitor does not use this field to internally identify this monitor.

    2. Select Enabled to enable the monitor.

      When enabled, the monitor tests the specified resource using the settings you enter under Test Parameters. You can disable the monitor later if required.

    3. Select Store Monitor Statistics for Recent Activity and Historical Reports to enable this functionality.
  6. Under Test Parameters, enter the monitor testing parameters.

    1. Enter the IP address or domain name of the resource you want to monitor.
    2. Enter the UDP port number that the targeted resource responds on. The default is TCP port 88.
    3. Enter the account realm for the monitored authentication service.

      Similar to a Windows domain, a Kerberos realm runs on a Kerberos server. When the Kerberos 5 monitor submits a ticket request to the AS, it includes its registered realm so that the service can decide whether to honor the request.

    4. Enter the account name used to obtain a Kerberos 5 ticket. This is usually the account you used to log in to the server.
  7. Under Timing, configure the fields for the monitor testing states.

    1. In the Maximum Test Duration field, enter the maximum time (in seconds) that the monitor waits before it times out and the test is considered a failure.
    2. In the remaining fields, enter the number of seconds between each test while the monitor is in an OK state (Up), a failed state while alerts are processed (Down), and a failed state after the maximum number of alerts have been processed (Lost).

      In the Lost state, no additional failure alerts are processed. However, a recovery notification is sent if the monitor recovers.

  8. Under Notification Control, complete the fields to determine how many test failures must occur before an alert is sent.

    1. Enter the number of test failures that occur for each alert before ipMonitor generates an alert for the monitor. The default option is 3.
    2. Enter the maximum number of alerts to send before the monitor enters a Lost state.

      The monitor must be assigned to a notification alert to generate an action.

  9. Under Recovery Parameters, complete the fields to indicate the corrective action used to automatically restore a resource using the External Process Recovery, Reboot Server Recovery, or Restart Service Recovery action.

    1. Enter the Fully Qualified Domain Name (FQDN), NetBIOS, or IP Address of the machine hosting the service that needs a restart or the machine that needs a restart. You can also click Browse to locate and select the machine.
    2. Select the set of credentials used by the recovery alert. You can select a specific credential to execute recovery alerts that require access to restricted resources, such as Reboot Server, Restart Service, or External Process.
    3. Select the list of services to restart on the target machine specified in the FQDN/NetBIOS/IP Address field. This field is only required for the Restart Service alert. If a service has dependencies, select all dependent services.
  10. Click OK.