Configuring Active Directory as an identity provider for Kerberos authentication

To set up Kerberos authentication on your BMC Helix Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. This topic describes how to configure Active Directory as an IdP. 

Perform the tasks described in this topic to configure Active Directory as an identity provider:

  1. As an Active Directory (AD) administrator, create a service account in Active Directory.
  2. As an AD administrator, add an SPN mapping for the service account.
  3. (Optional) As a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.

Before you begin

As an AD administrator, you must have the following information in place:

  • The user name and password of the service account that the BMC Helix SSO server uses to connect to the Domain Controller for authentication.
  • The FQDN of the machine where BMC Helix SSO server is installed.
  • You must have administrative permissions to run the ktpass command. 

To create a service account in Active Directory

  1. Go to the Active Directory.
  2. Right click Users > New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter the user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

To add a Service Principal Name mapping for the service account

From a command prompt on the Active Directory machine, run the following command:

setspn -S HTTP/<HOST> <USER>

The following table describes the command variables:

Variable    Description
<host>      Fully qualified domain name of the host on which the BMC Helix SSO server runs, including the internet domain.
<user>      Logon name of the service account.

Example:

setspn -S HTTP/access.bmc.com remedyssoservice

Important

If the BMC Helix SSO server does not run on the default HTTP or HTTPS port, the port must be included in the registered SPN (HTTP/<host>:<port>).

After you run the command, the HTTP/<host> Service Principal Name (SPN) is assigned to the service account.

To generate a keytab file

From a command prompt in an appropriate directory on the BMC Helix SSO server, run the following command:

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

The following table describes the command variables:

Variable    Description
<file>      Name of the keytab file that will be generated.
<host>      Fully qualified domain name of the host on which the BMC Helix SSO server runs, including the internet domain.
<domain>    The Active Directory domain name, written in uppercase.
<password>  Password of the service account user.

Example:

ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

A keytab contains the Service Principal Name (SPN) credentials that the BMC Helix SSO server uses to communicate with the Domain Controller. Clients use the SPN to request a service ticket during the authentication process.
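Before copying the keytab to the BMC Helix SSO server, it is worth confirming that it really contains the HTTP/<host>@<DOMAIN> principal at the kvno you passed to ktpass, and knowing which key types it holds. The following Python script is an added example, not part of the BMC documentation: it parses a version 0x0502 keytab (the format ktpass writes), checks for the expected principal and kvno, and lists entries that use DES or RC4 keys, which /crypto ALL writes alongside the AES ones; the sample keytab is constructed inline with zero-filled keys for the page's example SPN, and the function and variable names are the example's own.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}  # DES and RC4: /crypto ALL includes these, so they land in the file too

def _counted(data, pos):  # uint16 length-prefixed byte string -> (bytes, next position)
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
            realm, pos = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _counted(data, pos)
                comps.append(comp.decode())
            _name_type, _stamp, vno, enctype = struct.unpack(">IIBH", data[pos:pos + 11])
            key, pos = _counted(data, pos + 11)
            if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field
                (vno,) = struct.unpack(">I", data[pos:pos + 4])
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                            "enctype": ENCTYPES.get(enctype, str(enctype)), "weak": enctype in WEAK})
        pos = end
    return entries

def check_keytab(data, spn, kvno=0):  # -> (SPN present at expected kvno?, weak enctypes found)
    entries = parse_keytab(data)
    ok = any(e["principal"] == spn and e["kvno"] == kvno for e in entries)
    return ok, [e["enctype"] for e in entries if e["weak"]]

def _entry(principal, enctype, key, kvno):  # encoder used only to build the constructed sample
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

SAMPLE_KEYTAB = b"\x05\x02" + b"".join(  # constructed sample: RC4 plus both AES keys at kvno 0
    _entry("HTTP/access.example.com@RSSO.COM", et, bytes(n), 0) for et, n in ((23, 16), (17, 16), (18, 32)))
```

Run check_keytab on the file ktpass produced with the same /princ value; a False result means the SPN or kvno in the keytab does not match what the realm configuration will expect.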

Where to go from here

Configuring a realm for Kerberos authentication
