Using PDQ Deploy and Inventory Client Mode in NTLM Restricted Environments

Starting with version 19.3.423.0, PDQ Deploy and Inventory consoles in Client Mode are able to connect to Central Server Mode instances using Kerberos authentication. This is particularly useful in environments where NTLM authentication is restricted or if Console Users need to be in the "Protected Users" security group in Active Directory.

Requirements

  • PDQ Deploy and Inventory configured to run in Central Server Mode
  • PDQ Deploy and Inventory running 19.3.423.0 or newer on Central Server Mode and Client Mode installations
  • The background service for PDQ Deploy and Inventory must be a domain account
  • Service Principal Names (SPN) configured for the PDQ Deploy and Inventory services

Additionally, this setup will assume that NTLM authentication is being blocked in your environment. The screenshot below shows the policy settings we used in our testing.

For the purposes of this article we'll only be covering how to configure the SPN and how to connect consoles in Client Mode. If additional information is needed for the other requirements, please refer to the "See Also" section.

Setting the SPN for the PDQ Deploy and Inventory Services

Services that use Kerberos authentication will need a corresponding Service Principal Name (SPN) set for it so that clients can identify and authenticate with that service on the network. To do this, you'll need to use the setspn command in an elevated Command Prompt, specifying the service name, FQDN of the PDQ server and service account of the background service.

This must be run by a domain administrator.

setspn -S PDQDeploy/PDQServer.fqdn Domain\PDQBackgroundService
setspn -S PDQInventory/PDQServer.fqdn Domain\PDQBackgroundService

Once the SPN has been set for both the PDQ Deploy and Inventory services, you can verify that the SPN records are present by running:

setspn -L Domain\PDQBackgroundService

Connecting the Client Consoles to the Central Server

After configuring the SPN for both services, you'll be able to launch the consoles for your PDQ Deploy and Inventory Client Mode installations and point them to your Central Server Mode instance. In order for this to work, you must provide the FQDN of the PDQ server in the "Server" field. Using only the hostname will result in the "Failed to connect to the server" error.

Wrapping-up

Once everything above has been configured, you should be able to connect your PDQ Deploy and Inventory Client Mode installations to a Central Server Mode instance in an NTLM restricted environment. This should also work when authenticating with a Console User that exists in the "Protected Users" security group in Active Directory. If you experience issues with connecting the console in Client Mode, ensure that all requirements are met and that the SPNs have been configured correctly.

See Also

Configuring Central Server - PDQ Deploy

Configuring Central Server - PDQ Inventory

PDQ Credentials Explained

Was this article helpful?
Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.