Creating the blappserv_krb5.conf file (AD Kerberos)


Use this procedure to create a blappserv_krb5.conf file. This file provides necessary Kerberos configuration information.

Note

When identifying servers in the blappserv_krb5.conf file, do not use IP addresses. The Application Server must be able to resolve DNS names of Active Directory servers.

To create the blappserv_krb5.conf file

  1. Create a text file and add content to it as described below. The content varies depending on the domain functional level of the domain controller where Active Directory is running.
    Domain functional level set to Windows 2008 or later

    [libdefaults]
      ticket_lifetime = 6000
      default_realm = <SERVICE_PRINCIPAL_REALM>

    [realms]
      <SERVICE_PRINCIPAL_REALM> = {
        kdc = <SERVICE_PRINCIPAL_REALM_KDC>:88
      }

    [domain_realm]
      .<SERVICE_PRINCIPAL_DOMAIN> = <SERVICE_PRINCIPAL_REALM>

    Domain functional level set to Windows 2003

    [libdefaults]
      ticket_lifetime = 6000
      default_realm = <SERVICE_PRINCIPAL_REALM>
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac

    [realms]
      <SERVICE_PRINCIPAL_REALM> = {
        kdc = <SERVICE_PRINCIPAL_REALM_KDC>:88
      }

    [domain_realm]
      .<SERVICE_PRINCIPAL_DOMAIN> = <SERVICE_PRINCIPAL_REALM>

    In this text file:
    <SERVICE_PRINCIPAL_REALM> is the realm where the keytab file was created. For example:
    SUB2.DEV.MYCOMPANY.COM
    <SERVICE_PRINCIPAL_REALM_KDC> is the host name for the Active Directory KDC for the realm where the keytab file was created. For example:
    kdc.SUB2.DEV.MYCOMPANY.COM
    This is the value you got when you ran the nslookup command, as described in Locating the Active Directory KDC for the service principal's domain.
    In the "domain_realm" section, <SERVICE_PRINCIPAL_DOMAIN> provides DNS names. A period before a DNS name indicates that you are mapping every system whose DNS name ends with that value to the corresponding Kerberos realm. For example:

    .sub1.dev.mycompany.com = SUB1.DEV.MYCOMPANY.COM
    .sub2.dev.mycompany.com = SUB2.DEV.MYCOMPANY.COM
    .dev.mycompany.com      = DEV.MYCOMPANY.COM
  2. Do one of the following:
    • (UNIX) Save the file to the /NSH/br directory with the name blappserv_krb5.conf.
      For example, if TrueSight Server Automation is installed in the default location, you would copy the file to the following directory:
      /opt/bmc/bladelogic/NSH/br
    • (Windows) Save the file to the \NSH\br directory with the name blappserv_krb5.conf.
      For example, if TrueSight Server Automation is installed in the default location, you would copy the file to the following directory:
      C:\Program Files\BMC Software\BladeLogic\NSH\br
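An added check, not part of the BMC documentation, that parses a blappserv_krb5.conf-style file and flags the mistakes this procedure warns about: a kdc given as an IP literal instead of a DNS name, a domain_realm entry without the leading period, and the rc4-hmac enctypes that only the Windows 2003 variant should carry. The sample configuration and its realm names are constructed for the example.

```python
import ipaddress
# Constructed sample (made-up names) of the Windows 2003 variant with two deliberate mistakes.
SAMPLE = """[libdefaults]
  default_realm = SUB2.DEV.MYCOMPANY.COM
  default_tkt_enctypes = rc4-hmac
[realms]
  SUB2.DEV.MYCOMPANY.COM = {
    kdc = 10.0.0.5:88
  }
[domain_realm]
  .sub2.dev.mycompany.com = SUB2.DEV.MYCOMPANY.COM
  sub1.dev.mycompany.com = SUB1.DEV.MYCOMPANY.COM
"""

def parse_krb5(text):
    # Minimal krb5.conf parser: {section: {key: value}}, one nesting level for realm blocks.
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_krb5(conf):
    # Findings for the pitfalls the procedure calls out, plus a weak-enctype warning.
    libdef, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    for realm, settings in realms.items():
        host = settings.get("kdc", "").rsplit(":", 1)[0].strip("[]")
        try:
            ipaddress.ip_address(host)
            findings.append(f"kdc for {realm} is an IP literal; use a resolvable DNS name")
        except ValueError:
            pass  # a host name, as the procedure requires
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "rc4-hmac" in libdef.get(key, ""):
            findings.append(f"{key} pins rc4-hmac; only needed at Windows 2003 functional level")
    for domain in conf.get("domain_realm", {}):
        if not domain.startswith("."):
            findings.append(f"domain_realm entry {domain} lacks the leading period")
    return findings
```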

Where to go from here

See Creating the blappserv_login.conf file (AD Kerberos).
