Generating a Kerberos authentication chain for the BmcRealm
Before using Kerberos for authentication, a service principal for the BMC Atrium Single Sign-On server must be added to the realm. This service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
To add a Kerberos service principal
In the Active Directory server, run the ktpass utility.
By running the ktpass command, you create a mapping that associates the Kerberos service name with the identity in Active Directory.
ktpass command example
The following ktpass utility syntax is used to create a mapping that associates the Kerberos service name with the identity in Active Directory.
ktpass /mapuser <host> /pass <password> /princ HTTP/<host>@<DOMAIN>
/ptype KRB5_NT_PRINCIPAL /Target <DOMAIN>
In this case:
- host is the host name where the service resides. The host name is the same as the user account name.
- password is the password for the account.
- HTTP/host is the case-sensitive full name of the host including the internet domain.
- DOMAIN is the Active Directory domain name.
Important
The internet domain and Active Directory domain are different domains. The internet domain is used to form a hierarchy of computer names for mapping a computer name to a host address. The Active Directory (AD) domain is used for grouping users for authentication purposes and maps to a Kerberos realm.
The principal name is case-sensitive. By convention:
- Kerberos realms (and AD Domains) are written in uppercase.
- Host names are written in lowercase.
- Database lookups are case-sensitive.
Important
This constraint means that the principal names expressed in the mappings must be written using the same case as those returned by a domain name lookup.
The host name can also be modified through the hosts file. If you modify the host name through the hosts file, the browser and the system might need to be rebooted for the name change to take effect.
ktpass output example
The following example creates a mapping to associate the Kerberos service name with the identity in Active Directory.
ktpass /pass mysecret /mapuser ssohost /princ HTTP/ssohost@SAMPLE.BMC.COM
/ptype KRB5_NT_PRINCIPAL /Target SAMPLE.BMC.COM
C:\Documents and Settings\admin>ktpass /pass mysecret /mapuser ssohost
/princ HTTP/ssohost@SAMPLE.BMC.COM /ptype KRB5_NT_PRINCIPAL /Target SAMPLE.BMC.COM
Using legacy password setting method
Successfully mapped HTTP/ssohost to ssohost.
Key created.
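The following Python script is an added example, not part of the BMC documentation: it applies this page's case rules to a principal name before ktpass is run, assembles the argument list from the syntax above, and checks ktpass output for the two success lines shown in the output example. The host name returned by DNS is passed in by the caller (a constructed value here) so that the check runs offline.

```python
import re
from typing import List

# Service principal format used on this page: HTTP/<host>@<REALM>.
PRINC_RE = re.compile(r"^HTTP/(?P<host>[^@/\s]+)@(?P<realm>[^@\s]+)$")

# Constructed sample of the ktpass output shown on this page.
SAMPLE_OUTPUT = """Using legacy password setting method
Successfully mapped HTTP/ssohost to ssohost.
Key created.
"""


def split_principal(princ: str):
    """Return (host, realm) from 'HTTP/<host>@<REALM>'; reject other shapes."""
    m = PRINC_RE.match(princ)
    if not m:
        raise ValueError("not an HTTP service principal: %r" % princ)
    return m.group("host"), m.group("realm")


def check_principal(princ: str, dns_name: str) -> List[str]:
    """List the convention violations for princ, given the host name a DNS
    lookup returned (supplied by the caller so the check runs offline)."""
    host, realm = split_principal(princ)
    problems = []
    if realm != realm.upper():
        problems.append("realm %r is not uppercase" % realm)
    if host != host.lower():
        problems.append("host %r is not lowercase" % host)
    if host != dns_name:  # lookups are case-sensitive, so compare exactly
        problems.append("host %r differs from DNS name %r" % (host, dns_name))
    return problems


def build_ktpass_args(princ: str, account: str, password: str, dns_name: str) -> List[str]:
    """Build the ktpass argument list from this page, refusing a principal
    that fails check_principal. /Target is the realm (the AD domain)."""
    problems = check_principal(princ, dns_name)
    if problems:
        raise ValueError("; ".join(problems))
    _, realm = split_principal(princ)
    return ["ktpass", "/mapuser", account, "/pass", password, "/princ", princ,
            "/ptype", "KRB5_NT_PRINCIPAL", "/Target", realm]


def mapping_succeeded(output: str, princ: str, account: str) -> bool:
    """True when ktpass reported both the mapping and the key for this principal."""
    host, _ = split_principal(princ)
    mapped = "Successfully mapped HTTP/%s to %s." % (host, account)
    return mapped in output and "Key created." in output
```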