Out of support

This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Generating a Kerberos authentication chain for the BmcRealm

Before Kerberos can be used for authentication, a service principal for the BMC Atrium Single Sign-On server must be added to the realm. Clients use this service principal to request a service ticket when they authenticate. The service principal name is derived from the host name of the server that runs BMC Atrium Single Sign-On.

To add a Kerberos service principal

On the Active Directory domain controller, run the ktpass utility.

By running the ktpass command, you create a mapping that associates the Kerberos service name with the identity in Active Directory.

ktpass command example

The following ktpass syntax creates that mapping:

ktpass /mapuser <host> /pass <password> /princ HTTP/<host>@<DOMAIN>
/ptype KRB5_NT_PRINCIPAL /Target <DOMAIN>

In this case:

  • host is the host name of the server where the service resides. The Active Directory user account that the principal is mapped to (the /mapuser value) has the same name as the host.
  • password is the password for the account. Note that ktpass sets this password on the mapped account, so an existing password on that account is replaced.
  • HTTP/host is the case-sensitive principal name: the service class HTTP followed by the full host name, including the internet domain.
  • DOMAIN is the Active Directory domain name, which is also the Kerberos realm.

Important

The internet domain and Active Directory domain are different domains. The internet domain is used to form a hierarchy of computer names for mapping a computer name to a host address. The Active Directory (AD) domain is used for grouping users for authentication purposes and maps to a Kerberos realm.

The principal name is case-sensitive. By convention:

  • Kerberos realms (and AD Domains) are written in uppercase.
  • Host names are written in lowercase.
  • Database lookups are case-sensitive.

Important

This constraint means that the principal names used in the mappings must be written with exactly the same case as the names returned by a domain name lookup of the host; a principal that differs only in case is a different principal and ticket requests for it fail.

The host name can also be overridden through the hosts file. If you change the host name there, you might need to restart the browser and reboot the system for the change to take effect.
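As an added check, not code from the original page or from BMC's tooling, the Python below applies the case rules above to a ktpass command line: it builds the command for a host from the name a DNS lookup returned and the Active Directory domain, and it reviews an existing command line for the mistakes those rules forbid (wrong case in the service class, host or realm, a short host name without the internet domain, a mismatched /Target, and a literal password left in the console history). The host name, domain, account and the "bad" command are constructed sample values; the `/pass *` prompt form comes from the ktpass documentation rather than from this page.

```python
"""Build and review the ktpass mapping for the Atrium SSO service principal.

Added example, not BMC code: it applies the page's case rules to a ktpass
command line. Host, domain and account below are constructed values.
"""
import re

# Constructed sample inputs (assumptions, not values from the page):
DNS_CANONICAL_NAME = "ssohost.sample.bmc.com"  # name a forward DNS lookup returned
AD_DOMAIN = "SAMPLE.BMC.COM"                   # AD domain, i.e. the Kerberos realm
ACCOUNT = "ssohost"                            # AD user account the SPN maps to

# A command with the errors the page warns about (constructed for the demo):
BAD_COMMAND = ("ktpass /mapuser ssohost /pass mysecret "
               "/princ http/SSOHost@sample.bmc.com "
               "/ptype KRB5_NT_PRINCIPAL /Target sample.bmc.com")

PRINC_RE = re.compile(r"^(?P<svc>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def build_principal(canonical_host, ad_domain):
    """HTTP/<host>@<REALM>: host exactly as DNS returned it (lookups are
    case-sensitive, so the case is not normalised), realm in uppercase."""
    host = canonical_host.strip().rstrip(".")
    if "." not in host:
        raise ValueError("use the full host name including the internet domain")
    return f"HTTP/{host}@{ad_domain.upper()}"


def build_ktpass(canonical_host, ad_domain, account):
    """The page's ktpass syntax, with /pass * so the password is typed at a
    prompt instead of being recorded in the console history."""
    return (f"ktpass /mapuser {account} /pass * "
            f"/princ {build_principal(canonical_host, ad_domain)} "
            f"/ptype KRB5_NT_PRINCIPAL /Target {ad_domain.upper()}")


def parse_ktpass(cmdline):
    """Split a (possibly line-wrapped) ktpass command into {option: value}.
    Option names are lowercased; +flag/-flag switches get the value None.
    Values containing whitespace are not supported."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("ktpass", "ktpass.exe"):
        raise ValueError("not a ktpass command line")
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok[0] in "+-":                       # e.g. +rndPass: no value follows
            opts[tok[1:].lower()] = None
            i += 1
        elif tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and tokens[i + 1][0] not in "/+-":
                opts[name] = tokens[i + 1]
                i += 2
            else:
                opts[name] = None
                i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return opts


def check_ktpass(cmdline, canonical_host, ad_domain):
    """Return a list of findings; an empty list means the mapping follows the
    page's conventions and matches what the DNS lookup returned."""
    opts = parse_ktpass(cmdline)
    realm_expected = ad_domain.upper()
    findings = []
    princ = opts.get("princ") or ""
    m = PRINC_RE.match(princ)
    if not m:
        return [f"/princ {princ!r} is missing or not of the form HTTP/host@REALM"]
    svc, host, realm = m.group("svc", "host", "realm")
    if svc != "HTTP":
        findings.append(f"service class {svc!r} must be HTTP (case-sensitive)")
    if "." not in host:
        findings.append(f"host {host!r} is a short name; include the internet domain")
    if host != canonical_host:
        findings.append(f"host {host!r} differs from DNS lookup {canonical_host!r} (case-sensitive)")
    if realm != realm_expected:
        findings.append(f"realm {realm!r} must be the AD domain in uppercase: {realm_expected!r}")
    if (opts.get("target") or "").upper() != realm_expected:
        findings.append(f"/Target {opts.get('target')!r} is not the AD domain {realm_expected!r}")
    if opts.get("ptype") != "KRB5_NT_PRINCIPAL":
        findings.append(f"/ptype {opts.get('ptype')!r} should be KRB5_NT_PRINCIPAL")
    if not opts.get("mapuser"):
        findings.append("/mapuser is missing; the principal is not mapped to an account")
    if "rndpass" not in opts and opts.get("pass") not in (None, "*"):
        findings.append("literal password on the command line is kept in the console history; use /pass *")
    return findings


if __name__ == "__main__":
    print(build_ktpass(DNS_CANONICAL_NAME, AD_DOMAIN, ACCOUNT))
    for finding in check_ktpass(BAD_COMMAND, DNS_CANONICAL_NAME, AD_DOMAIN):
        print("finding:", finding)
```

The host part is deliberately compared byte-for-byte with the DNS result rather than lowercased, because the page's rule is that the mapping must match what the lookup returns, not what the convention says it should be; fix the DNS record first if the two disagree.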

ktpass output example

The following example creates the mapping that associates the Kerberos service name with the identity in Active Directory, followed by the output ktpass prints when the mapping succeeds.


ktpass /pass mysecret /mapuser ssohost /princ HTTP/ssohost@SAMPLE.BMC.COM
/ptype KRB5_NT_PRINCIPAL /Target SAMPLE.BMC.COM

C:\Documents and Settings\admin>ktpass /pass mysecret /mapuser ssohost
/princ HTTP/ssohost@SAMPLE.BMC.COM /ptype KRB5_NT_PRINCIPAL /Target SAMPLE.BMC.COM
Using legacy password setting method
Successfully mapped HTTP/ssohost to ssohost.
Key created.
