Implementing Active Directory Kerberos authentication
The BMC Server Automation Authentication Service can authenticate users with their Windows Active Directory single sign-on credentials or, equivalently, with a Kerberos ticket granting ticket (TGT). Windows single sign-on is built on the Kerberos authentication protocol: Windows Server 2003/2008 runs a Kerberos Key Distribution Center (KDC) as one of its default domain services. This KDC, referred to here as the Active Directory KDC, uses the Active Directory database as its account store; for each principal in its realm it holds the account name and the long-term Kerberos keys derived from the account's password (not the password itself). In Windows single sign-on, a Kerberos realm is an Active Directory domain.
When a registered domain user logs on to a client platform (Windows or UNIX), the logon client sends the Active Directory KDC a request for a Kerberos Ticket Granting Ticket (TGT). The request carries a pre-authentication value, typically the current timestamp encrypted under a key derived from the user's password, which the KDC can decrypt only if it holds the matching key; this is how the KDC verifies that the requester knows the password without the password itself ever crossing the network. After validating the request, the KDC returns a limited-lifetime credential (10 hours by default in Active Directory), which the client stores in a local credential cache. The credential consists of a service ticket for the ticket granting service (the TGT), which is encrypted under the KDC's own krbtgt key and is opaque to the client, together with the associated ticket granting service session key, which the KDC returns encrypted under the user's key. In the context of Active Directory, the Kerberos TGT is also referred to as the domain user credential.
BMC Server Automation end users can use their AD/Kerberos credentials to authenticate to the BMC Server Automation Authentication Service. When a BMC Server Automation authentication user interface (either the one built into the BMC Server Automation Console or the blcred utility) selects an AD/Kerberos authentication profile, it uses the cached TGT to obtain from the Active Directory KDC a service ticket for the Authentication Service's service principal, and presents that ticket to the Authentication Service in a Kerberos protocol exchange. The domain controller (KDC) thus mediates the authentication: it issues the service ticket, and the Authentication Service verifies the ticket with its own long-term key, never seeing the user's password. Upon successful Kerberos authentication of the end user, the Authentication Service issues the authentication user interface a single sign-on credential, which BMC Server Automation clients then use to establish secure sessions with the BMC Server Automation Application Service or Network Shell Proxy Service.
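The two exchanges described above (logon to the KDC for a TGT, then a service ticket presented to the Authentication Service) reduced to a runnable simulation. This is an added example, not BMC code and not the Windows KDC: the realm, the user, the passwords and the SPN are made up, and a small HMAC-based encrypt-then-MAC construction stands in for the real Kerberos AES encryption types so that the script runs offline with only the Python standard library. The string-to-key step does follow RFC 3962 (PBKDF2 with realm and principal as salt). It shows what the text states in prose: the KDC stores keys, not passwords; a wrong password fails pre-authentication at the KDC; the client never opens the TGT; a TGT not sealed under the krbtgt key is rejected at the TGS step; and the service authenticates the user with nothing but its own key.

```python
"""Simplified Kerberos AS, TGS and AP exchanges. Constructed illustration with a made-up realm and a stand-in cipher."""
import hashlib
import hmac
import json
import os
import time
SKEW = 300                 # clock skew the KDC tolerates (RFC 4120 default: 5 minutes)
TGT_LIFETIME = 10 * 3600   # 10 hours, the Active Directory default ticket lifetime

def string_to_key(password, realm, principal):
    """RFC 3962 string-to-key: PBKDF2-HMAC-SHA1, salt = REALM + principal. The KDC stores this key, not the password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 32)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, msg):
    """Stand-in etype (assumption, not Kerberos' AES-CTS + HMAC-SHA1): keystream XOR, then an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def _check_authenticator(ticket, authenticator_blob):
    """TGS and service alike: authenticator opens under the ticket's session key, same name, fresh; ticket unexpired."""
    auth = decrypt(bytes.fromhex(ticket["key"]), authenticator_blob)
    if auth["cname"] != ticket["cname"] or abs(auth["timestamp"] - time.time()) > SKEW:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    if ticket["endtime"] < time.time():
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")

class KDC:
    """Active Directory KDC: holds every principal's long-term key, including krbtgt's."""
    def __init__(self, realm, accounts):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm, p) for p, pw in accounts.items()}

    def _issue(self, cname, sname, client_key):
        """One session key, delivered twice: in a ticket sealed for the service and an enc-part sealed for the client."""
        session_key, end = os.urandom(32).hex(), int(time.time()) + TGT_LIFETIME
        ticket = encrypt(self.keys[sname], {"cname": cname, "sname": sname, "key": session_key, "endtime": end})
        return {"ticket": ticket, "enc_part": encrypt(client_key, {"sname": sname, "key": session_key, "endtime": end})}

    def as_exchange(self, req):
        """AS-REQ -> AS-REP. Pre-authentication: PA-ENC-TIMESTAMP must decrypt under the user's long-term key."""
        try:
            pa = decrypt(self.keys[req["cname"]], req["pa_enc_timestamp"])
        except (KeyError, ValueError):
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None  # unknown principal or wrong password
        if abs(pa["timestamp"] - time.time()) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        return self._issue(req["cname"], "krbtgt", self.keys[req["cname"]])

    def tgs_exchange(self, req):
        """TGS-REQ -> TGS-REP. Only the KDC holds the krbtgt key, so a forged TGT fails right here."""
        tgt = decrypt(self.keys["krbtgt"], req["tgt"])
        _check_authenticator(tgt, req["authenticator"])
        return self._issue(tgt["cname"], req["sname"], bytes.fromhex(tgt["key"]))

def logon(kdc, user, password):
    """Logon client: AS-REQ, then cache the TGT and its session key (the 'domain user credential')."""
    key = string_to_key(password, kdc.realm, user)
    rep = kdc.as_exchange({"cname": user, "pa_enc_timestamp": encrypt(key, {"timestamp": time.time()})})
    enc = decrypt(key, rep["enc_part"])  # the user key opens the enc-part; the TGT itself stays opaque to the client
    return {"cname": user, "tgt": rep["ticket"], "key": enc["key"], "endtime": enc["endtime"]}

def authenticate_to_service(kdc, cache, spn, service_key):
    """Client: TGS-REQ for the SPN, then AP-REQ. Service: verify with its own key only. Returns the principal."""
    auth = encrypt(bytes.fromhex(cache["key"]), {"cname": cache["cname"], "timestamp": time.time()})
    rep = kdc.tgs_exchange({"tgt": cache["tgt"], "authenticator": auth, "sname": spn})
    st_key = bytes.fromhex(decrypt(bytes.fromhex(cache["key"]), rep["enc_part"])["key"])
    ap_req = {"ticket": rep["ticket"], "authenticator": encrypt(st_key, {"cname": cache["cname"], "timestamp": time.time()})}
    ticket = decrypt(service_key, ap_req["ticket"])  # service side starts here; no KDC round trip needed
    _check_authenticator(ticket, ap_req["authenticator"])
    return ticket["cname"]

# Constructed realm. The SPN is hypothetical, not the Authentication Service's real service principal.
REALM, SPN = "EXAMPLE.LOCAL", "bsa-auth/bsa01.example.local"
ACCOUNTS = {"krbtgt": os.urandom(16).hex(), "alice": "Correct-Horse-7", SPN: "svc-keytab-secret"}
kdc_demo = KDC(REALM, ACCOUNTS)
SERVICE_KEY = string_to_key(ACCOUNTS[SPN], REALM, SPN)  # what the service's keytab would hold

def run(password="Correct-Horse-7", forge_tgt=False):
    """Authenticated principal on success, else the error: bad password fails pre-auth, a forged TGT fails at the TGS."""
    try:
        cache = logon(kdc_demo, "alice", password)
        if forge_tgt:  # seal a TGT under a key that is not krbtgt's
            cache["tgt"] = encrypt(os.urandom(32), {"cname": "Administrator", "key": cache["key"], "endtime": 2**31})
        return authenticate_to_service(kdc_demo, cache, SPN, SERVICE_KEY)
    except (PermissionError, ValueError) as e:
        return str(e)
```

Call `run()` for the happy path (it returns `"alice"`, the principal the service authenticated), `run("wrong-password")` to see pre-authentication fail at the KDC with `KDC_ERR_PREAUTH_FAILED`, and `run(forge_tgt=True)` to see the KDC reject a TGT it did not seal. Note where each check lives: the password is only ever checked by the KDC, the TGT is only ever opened by the KDC, and the Authentication Service needs its own long-term key (in deployment, a keytab) and the clock, nothing else.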
Configuring BMC Server Automation authentication user interfaces and the Authentication Service to support AD/Kerberos authentication requires additional configuration beyond the default configuration of clients and servers. The following topics describe those configuration tasks: