×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

 

This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).

To view an earlier version, select the version from the Product version menu.
Remedy Single Sign-On 19.11 ... Getting started Single sign-on authentication methods

Kerberos authentication

Kerberos is a trusted third-party authentication service that is used to provide authentication service for a client and server applications by using secret-key cryptography. The clients and servers are collectively referred to as principals.

Kerberos uses a database that contains the private keys of clients and servers. The private keys are used to authenticate different clients and servers on a network. Kerberos also generates temporary session keys that are shared between a client and a server to communicate with each other. All communications between a client and server are then encrypted with the temporary session key.

Related topic

Configuring Kerberos authentication

The Remedy Single Sign-On administrator can configure the IP addresses of the users by using Remedy SSO Admin Console. Kerberos authentication is performed only for these configured IP addresses. When a user tries to log in through a realm with Kerberos authentication, Remedy SSO server validates the IP address of that user with the configured IP address range. If the configured IP address range contains the IP of that user, then the user is authenticated through Kerberos authentication, else the user is either authenticated through the next IdP in the authentication chain, or redirected to an error page. For more information about how to configure the IP address range(s), see Configuring Kerberos authentication.

The Kerberos architecture consists of the following entities and several modular services:

  • Clients that need to use services provided by a server
  • Servers that provide services to clients
  • Key Distribution Center that manages the Kerberos protocol, such as generation of session keys.

Kerberos authentication flow

The following table provides the Kerberos authentication login flow:

Stage

Description

1An end user accesses the protected application from a client such as a web browser.
2

The Remedy SSO agent redirects the user to Remedy SSO server.

3

The Remedy SSO server sends the client a 401 unauthorized request by setting the header to www-authenticate:Negotiate.

4

The client obtains a Kerberos service ticket from the Key Distribution Center (KDC) by using the ticket-granting ticket (TGT).

5

The client sends the service ticket to the Remedy SSO server in a special HTTP header called Authorization. The value of this header looks like the Negotiate base64 (token) header.

6

The Remedy SSO server validates the token with KDC.

7

The Remedy SSO server creates a session for the user’s access request.

8The end user accesses the protected application.


Was this page helpful? Yes No Submitting... Thank you
Last modified by Olga Kutetska on May 08, 2020
key_concepts authentication reference

Comments

Log in or register to comment.

Reauthentication
AR authentication
© Copyright 1991 – 2019 BMC Software, Inc.
© Copyright 1991 – 2019 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.