Unsupported content


This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.

Configuring Kerberos authentication

As a Remedy Single Sign-On administrator, you can configure Remedy Single Sign-On server to authenticate only those users whose IP addresses are defined in a realm configured to use Kerberous authentication method.  

When an end user tries to login through a realm, the Remedy SSO server checks if the IP of the user belongs to the range of IP addresses specified for this realm. If the IP address of the user exists in the configured range of IP addresses, then Remedy SSO server sends the user to login through this identity provider (IdP), else it skips this IdP and moves on to the next IdP in the authentication chain.

Kerberous authentication configuration process overview

To configure Kerberous authentication, perform the following tasks:

  1. As an Active Directory (AD) administrator, create a service account in Active Directory.
  2. As an AD administrator, add an SPN mapping for the service account.
  3. (Optional) As s a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.
  4. As a Remedy SSO administrator, configure the Kerberos authentication.
  5. As a system administrator, configure a browser  on the end users' computers, or provide instructions to end users how to configure their browser for Kerberous authentication. For information about configuring a browser, see Configuring a browser

Before you begin

  • As an AD administrator, you must have the following information in place:
    • The user name and password of the service account which will be used by Remedy SSO server to connect to the Domain Controller for authentication.
    • The FQDN of the machine where Remedy SSO server is installed.
    • You must have administrative permissions to run the ktpass command.

  • As a Remedy SSO administrator, perform the following tasks:

    • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
    • Obtain the following information:
      • Machine name of the Key Distribution Center
      • Existing Kerberos realm on the Key Distribution Center
      • Service account name and service account password for Remedy SSO if you plan to use SPN credential type.
      • Keytab file if you plan to use the keytab credential type.

To create a service account in Active Directory

  1. Go to the Active Directory.
  2. Right click Users > New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

To add a Service Principal Name mapping for the service account

In one of the directories on the Active Directory machine, run the following command:

setspn -S HTTP/<HOST> <USER> 

The following table describes the command variables:


Fully qualified domain name of the host on which Remedy SSO server runs including the internet domain

<user>Logon name of the service account.


setspn -S HTTP/access.bmc.com remedyssoservice

After you run the command,  HTTP/<host> Service Principal Name (SPN) is automatically assigned to the user.

To generate a keytab file

Run the following command on the command line interface in an appropriate directory:

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

The following table describes the command variables:

<file>Name of the keytab file that will be generated.

Fully qualified domain name of the host on which Remedy SSO server runs including the internet domain.

<domain>The Active Directory domain name written in uppercase.
<password>Password of the user.


ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

A keytab contains the Service Principle Name (SPN) credentials for the Remedy SSO server to communicate with the Domain Controller. The clients use the SPN to request a service ticket during the authentication process.

To configure the Kerberos authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.

  2. In the Authentication Type field, click KERBEROS.

  3. Enter the required Kerberos details:


    KDC Server

    Name of the machine where the Active Directory Domain Controller is hosted.

    Example: ker.114kdc.local

    Kerberos Realm

    Name of the Kerberos realm. You must enter the realm in upper case.
    Example: RSSO.COM

    Service Principal Name (SPN)

    • If keytab is used, provide the full form of the SPN. For example, HTTP/access.bmc.com.
    • If keytab is not used, specify the login name of the integration user.
    Credential Type

    Credential type to be used by Remedy SSO server to log on to Active Directory. Select one of the following:

    • SPN Password
    • Keytab File
    SPN PasswordPassword for the service account. This field is available only if you select SPN Password in the Credential Type field.
    Keytab File

    Path to the keytabfile. This field is available only if you select Keytab File in the Credential Type field.

    In Remedy SSO server cluster environment, each Remedy SSO server node must contain the samekeytabfile andkeytabfile path.

    UserId Format

    Select one of the following formats from the list to transform the user id after a successful login.

    • user - Retains the User ID
    • user@domain - User ID with the Kerberos domain as suffix
    • domain\user - User ID preceded by the domain
    User ID TransformationOptions to transform the login IDs provided by the authentication provider to match the user IDs available in the user store. For more information, see Transforming User ID to match Login ID.
    Included IP Range(s)

    The IP address for Kerberos authentication. You can also specify a range of IP addresses separated by a comma .

    Only the clients whose IP address match with the IP addresses configured in this field are authenticated by Kerberos authentication. All other requests coming from the IP addresses that are not configured in this field are passed on to the next IdP in the authentication chain.

    If you do not specify any IP address, Remedy SSO server authenticates all the IP addresses using Kerberos authentication.

    The following table provides some of the examples of IP addresses that you can configure:

    ExampleDescription IP address.
    127Value for IP address 0.0.0127.
    127.0.0.*All IPs from to, such as,, and so on. range of IP addresses from to IPs from to
    IPv6 2620:0:2d0:200::7/32All IPs from 2620:0:0:0:0:0:0 to 2620:0:ffff:ffff:ffff:ffff:ffff:ffff.
  4. Click Test to verify the settings.
  5. (Optional) Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypassing other authentication methods.
  6. (Optional) Click Enable Chaining Mode to enable authentication chaining and perform the following steps. For more information about the authentications that you can chain with LDAP, see Authentication chaining.
    1. Click Add Authentication.
    2. Select the required authentication type and enter the authentication details.
    3. Repeat Step a through Step b to add more authentications for the realm.

Configuring a browser

After you have configured the Active Directory and Kerberos authentication settings, you must make sure that the browser on an end user's system is configured to support Kerberos authentication.

To configure Internet Explorer

  1. Navigate to Tools > Internet Options > Advanced.
  2. On the Advanced tab and in the Security section, select Enable Integrated Windows Authentication (requires restart).
  3. On the Security tab, select Local Intranet.
  4. Click Custom Level.
  5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
  6. Click OK.
  7. Click Sites and select all check boxes.
  8. Click Advanced and add Remedy SSO service website to the local zone (the website might be already added). For example, sample.bmc.com.
  9. Click Add.
  10. Click OK for all pop-ups.

To configure Google Chrome

Google Chrome also supports Kerberos authentication. If you have configured Internet Explorer, then no additional settings are required for Google Chrome because it uses Internet Explorer settings.

To configure Mozilla Firefox

  1. In the browser window, enter the following URL: about:config.
  2. Click I accept the risk!
  3. Search for network.negotiate-auth.trusted-uris by the Preference Name, and double click it.

  4. Type a FQDN of the Remedy SSO server, for example, sample.bmc.com.

  5. Search for network.automatic-ntlm-auth.trusted-uris by the Preference Name, and double click it.
  6. Type a FQDN of the Remedy SSO server, for example, sample.bmc.com.
  7. Click OK.

Related Videos

Was this page helpful? Yes No Submitting... Thank you