Configuring Active Directory as an identity provider for Kerberos authentication
To set up Kerberos authentication on your Remedy Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. This topic describes how to configure Active Directory as an IdP.
Perform the tasks described in this topic to configure Active Directory as an identity provider:
- As an Active Directory (AD) administrator, create a service account in Active Directory.
- As an AD administrator, add an SPN mapping for the service account.
- (Optional) As a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.
Before you begin
As an AD administrator, you must have the following information in place:
- The user name and password of the service account that the Remedy SSO server will use to connect to the domain controller for authentication.
- The FQDN of the machine where Remedy SSO server is installed.
You must have administrative permissions to run the ktpass command.
To create a service account in Active Directory
- Go to the Active Directory.
- Right click Users > New > User.
- Enter the user name and the user logon name in the First name and User logon name fields.
- Click Next.
- Enter user password in the Password and Confirm password fields.
- Select the User cannot change password and Password never expires check boxes.
- Click Next.
- Click Finish.
To add a Service Principal Name mapping for the service account
In any directory on the Active Directory machine, run the following command:
setspn -S HTTP/<HOST> <USER>
The following table describes the command variables:
| Variable | Description |
|---|---|
| <HOST> | Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain. |
| <USER> | Logon name of the service account. |
Example:
setspn -S HTTP/access.bmc.com remedyssoservice
If the Remedy SSO server does not listen on the default HTTP or HTTPS port, the port must also be registered in the SPN.
After you run the command, the HTTP/<HOST> Service Principal Name (SPN) is registered on the service account.
To generate a keytab file
In an appropriate directory on the Remedy SSO server, run the following command from the command line:
ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0
The following table describes the command variables:
| Variable | Description |
|---|---|
| <FILE> | Name of the keytab file that will be generated. |
| <HOST> | Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain. |
| <DOMAIN> | The Active Directory domain name, written in uppercase. |
| <PASSWORD> | Password of the service account. |
Example:
ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0
A keytab contains the key for the Service Principal Name (SPN) that the Remedy SSO server uses to communicate with the domain controller. Clients use the SPN to request a service ticket during the authentication process.
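The keytab written by ktpass is in the MIT keytab format (version 0x0502), so it can be inspected without klist or a domain controller. The following added example, which is not part of the BMC documentation, parses a keytab, hides the key bytes, and checks the entries against the HTTP/<HOST>@<DOMAIN> principal from the setspn and ktpass steps above: that the expected principal is present with name type KRB5_NT_PRINCIPAL, that an AES key exists, that all entries agree on the kvno, and which entries use legacy RC4 or DES types (which `/crypto ALL` emits alongside AES). The sample keytab at the bottom is constructed in code with all-zero dummy keys and the page's example principal; it is not a real keytab.

```python
"""Inspect a Kerberos keytab (MIT format 0x0502, also written by ktpass) without exposing keys."""
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961/4120; RC4 and DES are legacy types ktpass /crypto ALL still emits
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1  # the /ptype value used on this page


@dataclass
class KeytabEntry:
    principal: str   # "HTTP/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int     # length only; the key bytes are deliberately not kept


def _counted_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version; expected 0x0502")
    entries: list[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed entry length
        off += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: component count excludes realm
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, key_len = struct.unpack_from(">HH", data, off)
        off += 4 + key_len           # skip the secret key itself
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key_len))
    return entries


def check_keytab(data: bytes, host: str, domain: str) -> list[str]:
    """Return review findings for a keytab generated for HTTP/<HOST>@<DOMAIN>."""
    expected = f"HTTP/{host}@{domain.upper()}"
    entries = parse_keytab(data)
    matching = [e for e in entries if e.principal == expected]
    findings: list[str] = []
    if not matching:
        findings.append(f"no entry for {expected}; found {sorted({e.principal for e in entries})}")
        return findings
    for e in matching:
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{name}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{name}: legacy enctype present (kvno {e.kvno})")
    if not any(e.enctype in (17, 18) for e in matching):
        findings.append("no AES key for the principal")
    if len({e.kvno for e in matching}) > 1:
        findings.append("entries for the principal disagree on kvno")
    return findings


def build_keytab(principal: str, enctypes: list[tuple[int, int]], kvno: int = 0) -> bytes:
    """Build a constructed keytab with all-zero dummy keys, for exercising the parser offline."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    def cstr(s: str) -> bytes:
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    head = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(cstr(c) for c in comps)
    out = b"\x05\x02"
    for enctype, key_len in enctypes:
        entry = (head + struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
                 + struct.pack(">HH", enctype, key_len) + bytes(key_len)
                 + struct.pack(">I", kvno))
        out += struct.pack(">i", len(entry)) + entry
    return out


# Constructed sample mirroring the page's example (/crypto ALL, /kvno 0); keys are zeros, not real
SAMPLE_KEYTAB = build_keytab("HTTP/access.example.com@RSSO.COM",
                             [(18, 32), (17, 16), (23, 16), (3, 8), (1, 8)])
```

Run `check_keytab(open(path, "rb").read(), host, domain)` against the file ktpass produced; a finding of "no entry" usually means the `/princ` value lacked the `@<DOMAIN>` suffix or used a different host name than the SPN registered with setspn. Legacy-enctype findings are informational: whether RC4 or DES keys are ever used depends on the service account's supported encryption types in Active Directory, so review both together.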