This documentation supports the 19.05 version of Remedy Single Sign-On.

Kerberos authentication process

Remedy Single Sign-On supports Kerberos authentication for users whose IP addresses are configured by the Remedy SSO administrator by using Remedy SSO Admin Console. If IP addresses are not configured, then Remedy SSO server authenticates users from any IP address through Kerberos authentication.

When a user tries to log in through a realm, Remedy SSO server compares the IP address of the user with the IP addresses configured in Remedy SSO Admin Console. If the IP address of the user falls within the configured range of IP addresses, Remedy SSO server sends the user to log in through this IdP; otherwise, it skips the IdP and moves on to the next IdP in the authentication chain.

For more information about configuring the IP addresses, see Kerberos authentication parameters.

The following image shows the tasks that you must perform to configure the Kerberos authentication in Remedy SSO.

[Image: Kerberos authentication configuration tasks]

Configuring Active Directory

To configure Active Directory, perform the following steps:

#  Task                                                                                           Performed by
1  Create a service account in Active Directory                                                   Active Directory administrator
2  Add an SPN mapping for the service account                                                     Active Directory administrator
3  (Optional) Generate a keytab file if you want to provide the credentials through a keytab file  User who has access to a server with the domain controller

Creating a service account in Active Directory

  1. Go to Active Directory.
  2. Right-click Users > New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

Adding an SPN mapping for the service account

Before you begin

  • Ensure that you have the user name and password for the service account.
  • Ensure that you have the machine name where Remedy SSO server runs.

To add an SPN mapping

To add an SPN mapping, run the setspn command from a command prompt on the Active Directory machine.

setspn -S HTTP/<HOST> <USER>

For more information about the setspn command parameters, see the following list:

  • <HOST>: Fully qualified domain name of the host on which Remedy SSO server runs, including the internet domain.
  • <REALM>: Name of the Kerberos realm.
  • <USER>: Logon name of the service account.

For example,

setspn -S HTTP/access.bmc.com remedyssoservice

Generating a keytab file

A keytab contains the Service Principal Name (SPN) credentials that Remedy SSO uses to communicate with the domain controller. The clients use the SPN to request a service ticket during the authentication process.

Before you begin

  • Obtain the user name and password for the service account.
  • Obtain the machine name where Remedy SSO server runs.
  • Ensure that you have appropriate administrative permissions to run the ktpass command.

To generate a keytab file

To generate a keytab file, run the ktpass command from a command prompt in an appropriate directory. The command automatically assigns the HTTP/<HOST> SPN to the user.

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

For more information about the ktpass command parameters, see the following list:

  • <FILE>: Name of the keytab file that is to be generated.
  • <HOST>: Fully qualified domain name of the host on which Remedy SSO server runs, including the internet domain.
  • <DOMAIN>: Active Directory domain name written in uppercase.
  • <PASSWORD>: Password of the service account.

For example,

ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

Configuring the Kerberos authentication

Before you begin

  • Ensure that you have performed Remedy SSO server configuration. For more information on server configuration, see Configuring general settings for Remedy SSO server.
  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
  • Obtain the following information:
    • Machine name of the Key Distribution Center.
    • Kerberos realm created for Remedy SSO on Key Distribution Center.
    • Service account name for Remedy SSO.
    • Service account password if the SPN Password credential type is to be used.
    • Keytab file if the Keytab File credential type is to be used.

To configure the Kerberos authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, click KERBEROS.
  3. (Optional) Select the Enable AR authentication for bypass check box to enable the bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypass.
  4. Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.
  5. Click Test to verify the settings.
  6. (Optional) Click Enable Chaining Mode to enable authentication chaining and perform the following steps. For more information about the authentications that you can chain with LDAP, see Authentication chaining.
    a. Click Add Authentication.
    b. Select the required authentication type and enter the authentication details.
    c. Repeat Step a through Step b to add more authentications for the realm.

Kerberos authentication parameters

Field: Description

KDC Server
  Name of the machine where the Active Directory Domain Controller is hosted.
  Example: ker.114kdc.local

Kerberos Realm
  Name of the Kerberos realm. You must enter the realm in upper case.
  Example: RSSO.COM

Service Principal Name (SPN)
  • If a keytab is used, provide the full form of the SPN. For example, HTTP/access.bmc.com.
  • If a keytab is not used, specify the login name of the integration user.

Credential Type
  Credential type to be used by Remedy SSO server to log on to Active Directory. Select one of the following:
  • SPN Password
  • Keytab File

SPN Password
  Password for the service account. This field is available only if you select SPN Password in the Credential Type field.

Keytab File
  Path to the keytab file. This field is available only if you select Keytab File in the Credential Type field.
  In a Remedy SSO server cluster environment, each Remedy SSO server node must contain the same keytab file and keytab file path.

UserId Format
  Select one of the following formats from the list to transform the user ID after a successful login.
  • user - Retains the User ID
  • user@domain - User ID with the Kerberos domain as suffix
  • domain\user - User ID preceded by the domain

User ID Transformation
  Options to transform the login IDs provided by the authentication provider to match the user IDs available in the user store. For more information, see User ID transformation.

Included IP Range(s)
  The IP address for Kerberos authentication. You can also specify several IP addresses or ranges, separated by commas.
  Only clients whose IP address matches the IP addresses configured in this field are authenticated by Kerberos authentication. All other requests, coming from IP addresses that are not configured in this field, are passed on to the next IdP in the authentication chain.
  If you do not specify any IP address, Remedy SSO server authenticates all IP addresses using Kerberos authentication.

Following are some examples of IP addresses that you can configure:

Example                    Description
127.0.0.1                  Single IP address.
127                        Value for IP address 0.0.0.127.
127.0.0.*                  All IPs from 127.0.0.1 to 127.0.0.255, such as 127.0.0.1, 127.0.0.2, and so on.
127.0.0.1-255              A range of IP addresses from 127.0.0.1 to 127.0.0.255.
127.0.0.1/8                All IPs from 127.0.0.1 to 127.255.255.255.
IPv6 2620:0:2d0:200::7/32  All IPs from 2620:0:0:0:0:0:0:0 to 2620:0:ffff:ffff:ffff:ffff:ffff:ffff.
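The routing decision described above, as an added example that is not Remedy SSO's own code: a small Python matcher for the documented Included IP Range(s) entry formats (exact address, bare number, wildcard octets, last-octet range, IPv4/IPv6 CIDR, comma-separated lists) that decides whether a client is sent to the Kerberos IdP or passed on to the next IdP in the chain. The function names and the two-step KERBEROS/LDAP chain are assumptions made for the example.

```python
import ipaddress

# Added example (not Remedy SSO code): evaluate one configured entry against a client address.
def _entry_matches(entry: str, client) -> bool:
    entry = entry.strip()
    if entry.startswith("IPv6 "):            # documented "IPv6 <prefix>" spelling
        entry = entry[5:].strip()
    if "/" in entry:                         # CIDR, e.g. 127.0.0.1/8 or 2620:0:2d0:200::7/32
        return client in ipaddress.ip_network(entry, strict=False)
    if entry.isdigit():                      # bare number, e.g. "127" means 0.0.0.127
        return client == ipaddress.ip_address(int(entry))
    if "*" in entry:                         # wildcard octets, e.g. 127.0.0.*
        want = entry.split(".")
        have = str(client).split(".")
        return client.version == 4 and all(w in ("*", h) for w, h in zip(want, have))
    if "-" in entry:                         # last-octet range, e.g. 127.0.0.1-255
        prefix, span = entry.rsplit(".", 1)
        lo, hi = (int(x) for x in span.split("-"))
        have = str(client).split(".")
        return (client.version == 4 and ".".join(have[:3]) == prefix
                and lo <= int(have[3]) <= hi)
    return client == ipaddress.ip_address(entry)   # exact address


def kerberos_applies(configured: str, client_ip: str) -> bool:
    """True if the client should be sent to the Kerberos IdP.

    An empty Included IP Range(s) field means every client goes to Kerberos.
    """
    entries = [e for e in configured.split(",") if e.strip()]
    if not entries:
        return True
    client = ipaddress.ip_address(client_ip)
    return any(_entry_matches(e, client) for e in entries)


def choose_idp(configured: str, client_ip: str, chain=("KERBEROS", "LDAP")) -> str:
    """Route the request in an assumed two-step chain: Kerberos first, else the next IdP."""
    return chain[0] if kerberos_applies(configured, client_ip) else chain[1]
```

Clients outside the configured ranges are never prompted for Kerberos, so when a test user is not being challenged, checking their source address against this field is the first thing to verify.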

Configuring the browser

After you have configured the Active Directory and Kerberos authentication settings, you must make sure that the browser on a user's system is configured to use Kerberos authentication. Ensure that the browser is not on the same computer on which you have installed Remedy SSO server.

Note:

Google Chrome also supports Kerberos authentication. If you have configured Internet Explorer, then no additional settings are required for Google Chrome because it uses Internet Explorer settings.

Configuring Internet Explorer

  1. Navigate to Tools > Internet Options > Advanced.
  2. On the Advanced tab and in the Security section, select Enable Integrated Windows Authentication (requires restart).
  3. On the Security tab, select Local Intranet.
  4. Click Custom Level.
  5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
  6. Click OK.
  7. Click Sites and select all check boxes.
  8. Click Advanced and add Remedy SSO service website to the local zone (the website might be already added). For example, sample.bmc.com.
  9. Click Add.
  10. Click OK for all pop-ups.

Configuring Mozilla Firefox

  1. Enter the following URL: about:config.
  2. Click I'll be careful, I promise!
  3. Double-click the Preference Name: network.negotiate-auth.trusted-uris.
  4. Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
  5. Double-click the Preference Name:  network.automatic-ntlm-auth.trusted-uris.
  6. Add the fully qualified domain name (FQDN) of the host, for example, sample.bmc.com.
  7. Click OK.
