Kerberos authentication

Kerberos is a trusted third-party authentication service that authenticates client and server applications by using secret-key cryptography. The clients and servers are collectively referred to as principals.

Kerberos uses a database that contains the private keys of clients and servers. The private keys are used to authenticate different clients and servers on a network. Kerberos also generates temporary session keys that are shared between a client and a server to communicate with each other. All communications between a client and server are then encrypted with the temporary session key.

The BMC Helix Single Sign-On administrator can configure the IP addresses of the users by using the BMC Helix SSO Admin Console. Kerberos authentication is performed only for these configured IP addresses. When a user tries to log in through a realm with Kerberos authentication, the BMC Helix SSO server checks the IP address of that user against the configured IP address range. If the configured IP address range contains the IP address of that user, the user is authenticated through Kerberos authentication. Otherwise, the user is either authenticated through the next IdP in the authentication chain or redirected to an error page. For more information about how to configure the IP address range(s), see Configuring Kerberos authentication.

The Kerberos architecture consists of the following entities and several modular services:

  • Clients that need to use services provided by a server
  • Servers that provide services to clients
  • Key Distribution Center that manages the Kerberos protocol, such as generation of session keys

Kerberos authentication flow

The following table provides the Kerberos authentication login flow:

Step  Description

1     An end user accesses the protected application from a client such as a web browser.

2     The BMC Helix SSO agent redirects the user to the BMC Helix SSO server.

3     The BMC Helix SSO server sends the client a 401 Unauthorized response with the header WWW-Authenticate: Negotiate.

4     The client obtains a Kerberos service ticket from the Key Distribution Center (KDC) by using the ticket-granting ticket (TGT).

5     The client sends the service ticket to the BMC Helix SSO server in the HTTP Authorization header. The value of this header has the form Negotiate followed by the base64-encoded token.

6     The BMC Helix SSO server validates the token with the KDC.

7     The BMC Helix SSO server creates a session for the user's access request.

8     The end user accesses the protected application.
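
The following Python example is added here for illustration and is not BMC Helix SSO code. It models the server-side decisions described above: the configured IP range check, the 401 challenge, and inspection of the Negotiate token before it is validated. The IP range, the action labels, and the function names are assumptions.

```python
import base64
import binascii
import ipaddress

# Constructed sample range (assumption); real ranges come from the Admin Console.
KERBEROS_RANGES = [ipaddress.ip_network("10.20.0.0/16")]

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"


def classify_token(token):
    """Name the mechanism carried by a decoded Negotiate token."""
    if token.startswith(NTLM_MAGIC):
        return "ntlm"  # client fell back to NTLM, so there is no service ticket
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"  # GSS-API initial tokens start with tag 0x60
    # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
    offset = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    if token.startswith(SPNEGO_OID, offset):
        return "spnego"
    if token.startswith(KRB5_OID, offset):
        return "kerberos"
    return "unknown"


def decide(client_ip, authorization=None):
    """Return the server's next action for one request (hypothetical labels)."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in KERBEROS_RANGES):
        return "next-idp-or-error"  # outside the range: Kerberos is not attempted
    scheme, _, value = (authorization or "").partition(" ")
    if scheme.lower() != "negotiate" or not value.strip():
        return "challenge"  # reply 401 with WWW-Authenticate: Negotiate
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "reject:malformed"
    mech = classify_token(token)
    if mech in ("spnego", "kerberos"):
        return "validate"  # proceed to token validation (step 6)
    return "reject:" + mech
```

A Negotiate header that carries an NTLM token means the client did not obtain a Kerberos service ticket, so logging that case separately helps when troubleshooting browser or service principal configuration.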
