This documentation supports the 19.08 version of Remedy Single Sign-On.

To view an earlier version, select the version from the Product version menu.

Configuring Active Directory as an identity provider for Kerberos authentication

To set up Kerberos authentication on your Remedy Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. This topic describes how to configure Active Directory as an IdP. 

Perform the tasks described in this topic to configure Active Directory as an identity provider:

  1. As an Active Directory (AD) administrator, create a service account in Active Directory.
  2. As an AD administrator, add an SPN mapping for the service account.
  3. (Optional) As s a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.

Before you begin

As an AD administrator, you must have the following information in place:

  • The user name and password of the service account which will be used by Remedy SSO server to connect to the Domain Controller for authentication.
  • The FQDN of the machine where Remedy SSO server is installed.
  • You must have administrative permissions to run the ktpass command. 

To create a service account in Active Directory

  1. Go to the Active Directory.
  2. Right click Users > New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

To add a Service Principal Name mapping for the service account

In one of the directories on the Active Directory machine, run the following command:

setspn -S HTTP/<HOST> <USER> 

The following table describes the command variables:

VariableDescription
<host>

Fully qualified domain name of the host on which the Remedy SSO server runs including the internet domain.

<user>Logon name of the service account.

Example:

setspn -S HTTP/access.bmc.com remedyssoservice

If the Remedy SSO server does not run on default HTTP or HTTPS ports, the port must be registered.

After you run the command,  HTTP/<host> Service Principal Name (SPN) is automatically assigned to the user.

To generate a keytab file

In an appropriate directory on the Remedy SSO server, run the following command in the command line interface:

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

The following table describes the command variables:

VariableDescription
<file>Name of the keytab file that will be generated.
<host>

Fully qualified domain name of the host on which Remedy SSO server runs including the internet domain.

<domain>The Active Directory domain name written in uppercase.
<password>Password of the user.

Example:

ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

A keytab contains the Service Principle Name (SPN) credentials for the Remedy SSO server to communicate with the Domain Controller. The clients use the SPN to request a service ticket during the authentication process.

Where to go from here

Configuring a realm for Kerberos authentication

Was this page helpful? Yes No Submitting... Thank you

Comments