Configuring an Authentication Service for AD Kerberos authentication
Use this procedure to configure a BMC Server Automation Authentication Service so that BMC Server Automation users can authenticate with their AD/Kerberos user credentials.
To configure an Authentication Service for AD/Kerberos authentication
The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.
When you specify a domain name in any of the following steps, you must use uppercase letters. You might want to review the diagram in Sample domain structure for an overview of the domain names and host names used in the examples in this topic.
- If you have not done so already, perform the following prerequisite procedure: Registering an Authentication Service in an Active Directory Domain.
- Review the information that is needed to perform subsequent steps. See Required information for configuring AD Kerberos.
- Copy the keytab file to the Application Server.
- Obtain the host name of an Active Directory KDC for the service principal's realm. See Locating the Active Directory KDC for the service principal's domain.
- Create the blappserv_krb5.conf file, which provides essential configuration information.
- Create the blappserv_login.conf file (AD Kerberos), which provides the location of the keytab file.
- Configure the Authentication Service to support Kerberos. See Defining Authentication Service settings for AD Kerberos.
- Add user names based on Kerberos naming conventions to the RBAC user database. See Cross-registering users in the BMC Server Automation database (AD Kerberos).
- If you are using Network Shell to communicate directly with agents, set up a Network Shell proxy server to manage that traffic.
- Add users to built-in roles.
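The uppercase rule for domain names stated above can be checked mechanically. The following Python check is an added example, not BMC code: it scans the text of a krb5.conf-style file such as blappserv_krb5.conf and reports realm names that are not uppercase. It assumes the standard krb5.conf sections ([libdefaults], [realms], [domain_realm]); the sample content, realm names and host names are constructed.

```python
import re

# Constructed sample in standard krb5.conf syntax (assumed layout; realm and
# host names are made up). Two realm names are deliberately not uppercase.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SUB.EXAMPLE.COM

[realms]
    sub.example.com = {
        kdc = dc1.sub.example.com
    }

[domain_realm]
    .sub.example.com = SUB.EXAMPLE.COM
    sub.example.com = Sub.Example.Com
"""

def find_non_uppercase_realms(conf_text):
    """Return (line_number, realm) for every realm name that is not uppercase."""
    findings = []
    section, depth = None, 0
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # new section starts
            section, depth = header.group(1), 0
            continue
        if line.startswith("}"):                 # end of a realm block
            depth = max(depth - 1, 0)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        realm = None
        if section == "realms" and depth == 0:   # realm is the block name
            realm = key
        elif section == "domain_realm" or (section, key) == ("libdefaults", "default_realm"):
            realm = value                        # realm is the right-hand side
        if value.startswith("{"):
            depth += 1
        if realm and realm != realm.upper():
            findings.append((lineno, realm))
    return findings

if __name__ == "__main__":
    for lineno, realm in find_non_uppercase_realms(SAMPLE_KRB5_CONF):
        print(f"line {lineno}: realm '{realm}' is not uppercase")
```

Host names inside a realm block (for example the `kdc` value) and the DNS names on the left side of `[domain_realm]` are not flagged, because only realm names fall under the uppercase rule.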