This version of the product is in limited support. However, the documentation is available for your convenience.

Configuring Active Directory as an identity provider for Kerberos authentication

To set up Kerberos authentication on your Remedy Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. This topic describes how to configure Active Directory as an IdP. 

Perform the tasks described in this topic to configure Active Directory as an identity provider:

  1. As an Active Directory (AD) administrator, create a service account in Active Directory.
  2. As an AD administrator, add an SPN mapping for the service account.
  3. (Optional) As a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.

Before you begin

As an AD administrator, you must have the following information in place:

  • The user name and password of the service account that the Remedy SSO server will use to connect to the domain controller for authentication.
  • The FQDN of the machine on which the Remedy SSO server is installed.
  • Administrative permissions to run the ktpass command.

To create a service account in Active Directory

  1. Open Active Directory.
  2. Right-click Users, then select New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

To add a Service Principal Name mapping for the service account

From a command prompt on the Active Directory machine, run the following command:

setspn -S HTTP/<HOST> <USER>

The following table describes the command variables:

Variable   Description
<host>     Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain.
<user>     Logon name of the service account.

Example:

setspn -S HTTP/access.bmc.com remedyssoservice

If the Remedy SSO server does not run on the default HTTP or HTTPS port, the SPN must also be registered with that port.

After you run the command, the HTTP/<host> Service Principal Name (SPN) is assigned to the service account.

To generate a keytab file

From a command prompt in a suitable directory on the Remedy SSO server, run the following command:

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

The following table describes the command variables:

Variable     Description
<file>       Name of the keytab file to generate.
<host>       Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain.
<domain>     The Active Directory domain name, written in uppercase.
<password>   Password of the service account.

Example:

ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

A keytab contains the Service Principal Name (SPN) credentials that the Remedy SSO server uses to communicate with the domain controller. Clients use the SPN to request a service ticket during the authentication process.
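Because /crypto ALL writes one key per supported enctype, including the DES and RC4 ones, it is worth inspecting what ktpass actually put in the file before handing it to the Remedy SSO server. The following added example (not part of this documentation or the product) parses the MIT-format keytab that ktpass writes, confirms that the expected HTTP/<host>@<DOMAIN> entry is present, and reports any DES or RC4 keys; the keytab bytes are constructed inside the block with placeholder keys rather than read from c:\remedyssoservice.keytab, so it runs offline.

```python
import struct
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # DES/RC4 enctype numbers

def _octets(buf, off):  # counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-0x0502 (MIT-format) keytab, the format ktpass writes, into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        end, p = off + 4 + abs(size), off + 4
        if size < 0:  # a negative size marks a deleted entry: skip its body
            off = end; continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _octets(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p)
            comps.append(comp.decode())
        vno = data[p + 8]  # uint8 vno8 follows uint32 name_type and uint32 timestamp
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        key, p = _octets(data, p + 11)
        if end - p >= 4:  # optional 32-bit kvno overrides vno8 when non-zero
            vno = struct.unpack_from(">I", data, p)[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "key_len": len(key)})
        off = end
    return entries

def check_keytab(data, expected_principal):
    """Return findings; empty means the expected SPN is present and no DES/RC4 keys are included."""
    entries = parse_keytab(data)
    findings = ["weak enctype %s for %s" % (WEAK_ENCTYPES[e["enctype"]], e["principal"])
                for e in entries if e["enctype"] in WEAK_ENCTYPES]
    if not any(e["principal"] == expected_principal for e in entries):
        findings.insert(0, "no entry for " + expected_principal)
    return findings
# Constructed sample for HTTP/access.example.com@RSSO.COM with zero-filled placeholder keys (not real key material)
def build_entry(realm, comps, enctype, key, kvno):  # builds one keytab entry for the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(b"RSSO.COM", [b"HTTP", b"access.example.com"], et, b"\x00" * n, 3)
    for et, n in [(1, 8), (3, 8), (23, 16), (17, 16), (18, 32)])
```

To inspect a real file, read it with open(path, "rb").read() and pass the bytes to check_keytab with the principal you gave to /princ; the sample enctype set mirrors the five types the ktpass documentation lists for /crypto ALL.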

Where to go from here

Configuring a realm for Kerberos authentication
