Registering an Authentication Service in an Active Directory domain

This topic provides procedures that an administrator of an Active Directory KDC can use to register the Authentication Service associated with a BMC Server Automation Application Server in an Active Directory domain. Refer to this topic only if you want to employ AD/Kerberos user credentials to authenticate BMC Server Automation end users to the BMC Server Automation Authentication Service.

To register an Authentication Service in an Active Directory domain

The following is a master procedure. Each step references a subsection below that describes that step in detail.

Note

When you specify a domain name in any of the following steps, you must use upper case letters. You might want to review the diagram in Sample domain structure for an overview of the domain names and host names used in the examples in this topic.

  1. Review the requirements for the Active Directory server.
  2. Create an Active Directory user account in the domain of the Application Server.
  3. Export the user account and SPN information into a keytab file. After you create the keytab file, you must give this file and the SPN to the administrator of the Application Server. For more information, see Exporting the keytab file.

Requirements for the Active Directory server

The following utilities must be installed on the Active Directory server:

  • ktpass.exe (BMC recommends using version 5.2.3790.2732)
  • setspn.exe

For Windows 2003, both of these utilities are provided as part of the Support Tools Service Pack 1. For Windows 2008 these utilities are provided as part of the core operating system.

Creating a user account in the domain of the Application Server

Use this procedure to create a user account for the Authentication Service in the domain (that is, the Kerberos realm) where the BMC Server Automation Application Server is running.

  1. On a Windows 2003 or 2008 Server, from the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window appears.
  2. In the left column, expand the domain name for the BMC Server Automation Application Server so that it displays the Users folder.
  3. Right-click the Users folder and select New > User. The New Object - User wizard appears.
  4. For First name, enter a name, such as blauthsvc. For User logon name, enter the name again. In this example, you would enter blauthsvc again.
  5. Click Next. The second screen of the wizard appears, requesting password information.
  6. For Password, set the password to whatever you want. Be sure to use a password that conforms to the Active Directory password policy. Then check Password never expires.
  7. Click Next. The final summary page of the wizard appears.
  8. Click Finish to dismiss the wizard.

Exporting the keytab file

Use this procedure to export a keytab file from the Active Directory server. You must give the keytab file to the administrator of the BMC Server Automation Application Server.

The Application Server needs a keytab file because it holds keying material used for decrypting and validating the service ticket that the domain controller (that is, the KDC) issues to the client. When requesting a service ticket from the KDC, the client identifies the targeted server (that is, the Application Server) by the SPN. Because Kerberos employs mediated authentication for the mutual authentication of both the client and server, both the client and server must be registered with the KDC. The user is registered under a domain user name. The server is registered under an SPN.

The procedure varies depending on what version of Windows and what service pack you are using. If you are using Windows 2008 without Service Pack 2, you must work around a Microsoft defect by using a different setup. This defect is corrected in Service Pack 2 for Windows 2008, and it does not affect Windows 2003.

Windows 2003 and Windows 2008 with Service Pack 2

  1. Use the ktpass command-line utility to export the keytab file using the command shown below. Run this utility in a directory suitable for writing a file with sensitive data.
    
    ktpass -out blauthsvc.keytab
       -princ blauthsvc/<instance>@<DOMAIN>
       -mapuser blauthsvc@<DOMAIN>
       +rndPass -minPass 33
    
    In this command, <instance> is the instance of this Application Server (typically a host name) and <DOMAIN> is the realm where the Application Server is running. (This is the realm/domain that appeared next to the User logon name when you created the blauthsvc user.)
    For example, if you used the example names shown in Sample domain structure, you would enter:
    
    ktpass -out blauthsvc.keytab
       -princ blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM
       -mapuser blauthsvc@SUB2.DEV.MYCOMPANY.COM
       +rndPass -minPass 33
    
  2. Give the following to the administrator of the Application Server:
    • The newly created blauthsvc.keytab file. The blauthsvc.keytab file contains key material, so transfer it between systems with care. The Authentication Service needs this keytab to allow users to authenticate.
    • The service principal name used in the keytab file. For example:
      blauthsvc/app4
    • The name of the domain (that is, the Kerberos realm) for the Application Server. For example:
      SUB2.DEV.MYCOMPANY.COM

Windows 2008 without Service Pack 2

  1. On the command line, use the setspn utility to create a service principal name for the BMC Server Automation Authentication Service by entering the following command:
    setspn -A blauthsvc/<instance> blauthsvc
    In this command, <instance> is the instance of this Application Server (typically a host name). For example, you can enter the following command:
    setspn -A blauthsvc/app4 blauthsvc
  2. Use the ktpass command-line utility to export the keytab file using the command shown below. Run this utility in a directory suitable for writing a file with sensitive data.
    
    ktpass -out blauthsvc.keytab
      -princ blauthsvc@<DOMAIN>
      -mapuser blauthsvc@<DOMAIN>
      +rndPass -minPass 33
    
    For example, if you used the example names shown in Sample domain structure, you would enter:
    
    ktpass -out blauthsvc.keytab
      -princ blauthsvc@SUB2.DEV.MYCOMPANY.COM
      -mapuser blauthsvc@SUB2.DEV.MYCOMPANY.COM
      +rndPass -minPass 33
    
    The -princ parameter identifies a user principal (blauthsvc) rather than a service principal name.
  3. Give the following to the administrator of the Application Server:
    • The newly created blauthsvc.keytab file. The blauthsvc.keytab file contains key material, so transfer it between systems with care. The Authentication Service needs this keytab to allow users to authenticate.
    • The user principal name used in the keytab file. For example:
      blauthsvc

      Note

      Subsequent documentation describing how to set up AD/Kerberos authentication assumes you are using a service principal name when setting up AD/Kerberos authentication. When the documentation provides examples of a service principal name, it uses blauthsvc/app4. However, if you are using Windows 2008 without Service Pack 2, you must work around the Microsoft defect by using a user principal name instead of a service principal name. In that case, you should use blauthsvc instead of blauthsvc/app4.

    • The name of the domain (that is, the Kerberos realm) for the Application Server. For example:
      SUB2.DEV.MYCOMPANY.COM
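
Both procedures above end with handing a keytab to the Application Server administrator. The following added check, which is not part of BMC's documentation, parses the MIT-format keytab that ktpass writes and confirms that it carries the expected principal and realm (the SPN blauthsvc/app4, or the UPN blauthsvc on Windows 2008 without Service Pack 2) before the file is installed; the sample keytab bytes are constructed inside the block with filler keys, and the RC4-HMAC enctype value (23) is an assumption, since the page does not state which enctype ktpass used.

```python
import struct

# Constructed sample data, not output from a real domain controller: the 16 key
# bytes are filler, and enctype 23 (RC4-HMAC) is an assumption.
REALM = "SUB2.DEV.MYCOMPANY.COM"
FILLER_KEY = b"\x00" * 16

def build_entry(realm, components, enctype, key, kvno, timestamp=0):
    """Encode one MIT keytab (version 0x0502) entry; used only to build the samples."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:            # realm first, then name components
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # full 32-bit kvno
    return struct.pack(">i", len(body)) + body

# One sample per procedure: SPN form, and the UPN form for Windows 2008 without SP2.
SPN_KEYTAB = b"\x05\x02" + build_entry(REALM, ["blauthsvc", "app4"], 23, FILLER_KEY, 3)
UPN_KEYTAB = b"\x05\x02" + build_entry(REALM, ["blauthsvc"], 23, FILLER_KEY, 3)

def parse_keytab(data):
    """List principal, enctype and kvno per entry without returning key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0:
            break                             # trailing padding
        if size < 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):            # realm, then components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def keytab_has_principal(data, name, realm):
    """True if name@REALM is present; the realm must match case exactly."""
    return any(e["principal"] == f"{name}@{realm}" for e in parse_keytab(data))
```

Because the realm is compared case-sensitively, the check also catches a keytab built with a lower-case domain name, which the Note at the top of this topic warns against.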

Where to go from here

Do one of the following:
