Adding Kerberos realms for discovery authentication

Kerberos is a widely used authentication protocol that uses mutual encryption and a trusted third party to enable a client and server to verify their identities. BMC Helix Discovery supports Kerberos authentication for target discovery by using SSH credentials.

Kerberos authentication uses realms as logical network groupings, each administered by a Key Distribution Center (KDC) that has the authority to authenticate a user, host, or service. 

Before you begin

Kerberos authentication relies on the following:

  • Accurate timings—BMC Discovery Outpost and the KDC must use NTP. 
  • Hostnames—DNS must be enabled, and the hostnames must match. That is, hostname is not the same as

To add a Kerberos realm for discovery authentication

To configure BMC Helix Discovery to discover targets by using Kerberos authentication, you must add the realm that administers the target and authenticate the BMC Discovery Outpost with the realm's KDC. You can perform all Kerberos realm configuration from the Kerberos page.

For advanced options and automations, see the Kerberos endpoints in the REST API.

  1. From the BMC Discovery Outpost Manage menu, select Kerberos.
    The Kerberos page displays details of any realms already added.
  2. Click Add a Realm.
    The Add a Realm dialog box is displayed. Enter the following information:

    Field name


    The realm name.


    The KDC name or IP address.

    KDC Port

    The port to use on the KDC. The default is 88. You only need to add a port if it is not the default.

    Admin Server

    The admin server name or IP address. If you do not set a value here, the system uses the KDC name or IP address.

    Port

    The port to use on the admin server. The default is 749. You only need to add a port if it is not the default.

  3. Click Apply to add the realm.

To test authentication

The authentication test checks whether the principal name and password can be used to obtain a Ticket Granting Ticket (TGT) from the KDC. The principal name and password that you enter are not stored. You use the same principal name and password to add credentials that use the realm.

  1. On the Kerberos page, click the Actions menu for the realm for which you want to test authentication.
  2. Click Test Authentication...
    The Test KDC Authentication dialog box is displayed. Enter the following information:

    Field name


    Principal Name

    The user principal name with which to test authentication.


    The corresponding password.

  3. Click Test.

    The test result is displayed.

Encryption and SSH support

BMC Helix Discovery uses the following encryption types:

  • aes256-cts-hmac-sha1-96
  • aes256-cts
  • aes256-sha1
  • aes128-cts-hmac-sha1-96
  • aes128-cts
  • aes128-sha1
  • aes256-cts-hmac-sha384-192
  • aes256-sha2
  • aes128-cts-hmac-sha256-128
  • aes128-sha2
  • camellia256-cts-cmac
  • camellia256-cts
  • camellia128-cts-cmac
  • camellia128-cts
  • arcfour-hmac
  • rc4-hmac
  • arcfour-hmac-md5

Modifying the encryption type is not supported.

For more information on the encryption types, see:

  • MIT Kerberos
  • Microsoft Windows Kerberos

BMC Helix Discovery supports Kerberos authentication for target discovery by using SSH credentials with standard clients. Although BMC Helix Discovery can be configured to use Tectia SSH and X.509 certificates, this is not supported for Kerberos authentication.
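
The realm fields, the authentication test and the encryption list above can be cross-checked from any host that has the MIT Kerberos client tools. The following script is an added example, not BMC code: it builds a throwaway krb5.conf from the same fields and defaults as the Add a Realm dialog, requests a TGT with kinit, and warns when the ticket uses RC4. The function names and all example.com values are assumptions.

```shell
#!/bin/sh
# Added example, not BMC code. Realm, host and principal names are constructed.

# Print a krb5.conf for one realm with the defaults the dialog describes:
# KDC port 88, admin server falls back to the KDC host, admin port 749.
realm_conf() {
    realm=$1
    kdc=$2
    kdc_port=${3:-88}
    admin=${4:-$kdc}
    admin_port=${5:-749}
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
[realms]
    $realm = {
        kdc = $kdc:$kdc_port
        admin_server = $admin:$admin_port
    }
EOF
}

# Succeeds if "klist -e" output on stdin shows an RC4 key. arcfour-hmac,
# rc4-hmac and arcfour-hmac-md5 in the list above name the same enctype.
uses_rc4() {
    grep -Eiq 'arcfour-hmac|rc4-hmac'
}

# Usage: test_tgt PRINCIPAL REALM KDC [KDC_PORT [ADMIN [ADMIN_PORT]]]
# kinit prompts for the password; the ticket is destroyed after the check.
test_tgt() {
    dir=$(mktemp -d) || return 1
    realm_conf "$2" "$3" "$4" "$5" "$6" > "$dir/krb5.conf"
    export KRB5_CONFIG="$dir/krb5.conf" KRB5CCNAME="FILE:$dir/cc"
    kinit "$1"; rc=$?
    if [ "$rc" -eq 0 ]; then
        etypes=$(klist -e | grep -i etype)
        kdestroy -q
        echo "TGT obtained. $etypes"
        if echo "$etypes" | uses_rc4; then echo "WARNING: RC4 key (deprecated by RFC 8429)"; fi
    else
        echo "TGT request failed: check clock sync, DNS names, KDC host and port"
    fi
    rm -rf "$dir"
    return "$rc"
}

if [ "$#" -ge 3 ]; then test_tgt "$@"; fi
```

Run it as, for example, `sh check_realm.sh svc_discovery@EXAMPLE.COM EXAMPLE.COM kdc1.example.com` (a constructed file name and principal). Because the encryption type cannot be changed in BMC Helix Discovery, an RC4 warning is addressed on the KDC side, by the keys and encryption types configured for the principal.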
