Adding Kerberos realms for discovery authentication
Kerberos is a widely used authentication protocol that uses mutual encryption and a trusted third party to enable a client and server to verify their identities. BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials.
Kerberos authentication uses realms as logical network groupings, each administered by a Key Distribution Center (KDC) that has the authority to authenticate a user, host, or service.
Before you begin
Kerberos authentication relies on the following:
- Accurate timings—BMC Discovery, the BMC Discovery Outpost, and the KDC must use NTP.
- Hostnames—DNS must be enabled, and the hostnames must match. That is, hostname is not the same as
To add a Kerberos realm for discovery authentication
To configure BMC Discovery to discover, you must add the realm administering the target and authenticate the appliance and BMC Discovery Outpost with the realm's KDC. You can perform all Kerberos realm configurations from the Kerberos page.
- From the main menu, click the Administration icon, and in the Discovery section, select Kerberos.
  Or, from the BMC Discovery Outpost Manage menu, select Kerberos.
  The Kerberos page displays details of any realms already added.
- Click Add a Realm.
  The Add a Realm dialog box is displayed. Enter the following information:
  - The realm name.
  - The KDC name or IP address.
  - The port to use on the KDC. The default is 88. You only need to add a port if it is not the default.
  - The admin server name or IP address. If you do not set a value here, the system uses the KDC name or IP address.
  - The port to use on the admin server. The default is 749. You only need to add a port if it is not the default.
- Click Apply to add the realm.
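A pre-flight check for the prerequisites and realm settings above, as an added example that is not part of the BMC documentation or product: it tests that a hostname survives a forward and reverse DNS lookup unchanged and that the KDC and admin server ports (defaults 88 and 749) accept TCP connections. The function names, the sample hosts and the assumption that both services listen on TCP are choices made for this example.

```python
import io
import socket

KDC_PORT, ADMIN_PORT = 88, 749  # defaults stated on this page

def hostname_matches(name, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """True only if name -> address -> name returns the same string.
    A short name that reverse-resolves to a fully qualified name is a mismatch."""
    try:
        canonical = reverse(forward(name))[0]
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return False
    return canonical.rstrip(".").lower() == name.rstrip(".").lower()

def port_open(host, port, connect=socket.create_connection, timeout=3.0):
    """True if a TCP connection succeeds (assumption: the service listens on TCP)."""
    try:
        connect((host, port), timeout).close()
        return True
    except OSError:
        return False

def preflight(target, kdc, admin_server=None, kdc_port=KDC_PORT, admin_port=ADMIN_PORT,
              forward=socket.gethostbyname, reverse=socket.gethostbyaddr,
              connect=socket.create_connection):
    """Checks for one realm; an unset admin server falls back to the KDC, as in the dialog."""
    admin_server = admin_server or kdc
    return {
        "target_dns_match": hostname_matches(target, forward, reverse),
        "kdc_dns_match": hostname_matches(kdc, forward, reverse),
        "kdc_port_open": port_open(kdc, kdc_port, connect),
        "admin_port_open": port_open(admin_server, admin_port, connect),
    }

# Constructed sample data so the example runs offline (hypothetical hosts).
SAMPLE_A = {"kdc1.example.test": "192.0.2.10", "web01": "192.0.2.20"}
SAMPLE_PTR = {"192.0.2.10": "kdc1.example.test", "192.0.2.20": "web01.example.test"}
SAMPLE_LISTENING = {("kdc1.example.test", 88)}  # admin port 749 is unreachable here

def demo():
    def connect(address, timeout):  # stand-in for socket.create_connection
        if address not in SAMPLE_LISTENING:
            raise ConnectionRefusedError("closed")
        return io.BytesIO()  # stand-in object; only close() is used
    return preflight("web01", "kdc1.example.test", forward=SAMPLE_A.__getitem__,
                     reverse=lambda a: (SAMPLE_PTR[a], [], [a]), connect=connect)

if __name__ == "__main__":
    print(demo())
```

Called without the stand-in arguments, `preflight()` uses the system resolver and real TCP connections from the host it runs on.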
To test authentication
The authentication test checks whether the principal name and password can be used to obtain a Ticket Granting Ticket (TGT) from the KDC. The principal name and password that you enter are not stored. You use the same principal name and password to add credentials that use the realm.
- On the Kerberos page, click the Actions menu for the realm for which you want to test authentication.
- Click Test Authentication...
  The Test KDC Authentication dialog box is displayed. Enter the following information:
  - The user principal name with which to test authentication.
  - The corresponding password.
- Click Test.
  The test result is displayed.
Encryption and SSH support
BMC Discovery uses the following types of encryption.
Modifying the encryption type is not supported.
For more information on the encryptions, see:
BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials with standard clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, this is not supported for Kerberos authentication.