This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

Configuring the Kerberos module

This topic provides instructions for configuring the Kerberos module.

To configure the Kerberos module

  1. Configure BMC Atrium Single Sign-On so that it uses Kerberos authentication:
    1. From the Realms panel, select BmcRealm and click Edit.
    2. Verify the User Profile settings are correct for your application. For more information, see User Profile section in the Realm Editor.
    3. In the Realm Authentication panel, click Add Realm Authentication – Kerberos.
      For information about Kerberos authentication parameters, see Kerberos configuration parameters.

      Ensure that you specify the same SPN as you used when you created the keytab file or specify the same user identify that was mapped to the BMC Atrium Single Sign-On SPN when using a password. If you have issues related to SPN, see Invalid service principal name in Kerberos authentication.

    4. Remove the default Internal LDAP authentication from the Realm Authentication panel.

    5. Restart the BMC Atrium Single Sign-On server.

  2. To verify the Kerberos authentication, enter the BMC Atrium Single Sign-On URL in the following format in a web browser:

Kerberos configuration parameters

When adding or editing a Kerberos module, the following parameters are available:

The Kerberos Editor is updated with a Return option that pulls group information from the Kerberos Service Ticket when you are operating in a Microsoft Active Directory domain.


Service Principal Name (SPN)

The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On; for example, HTTP/ With Active Directory, the SPN entered can either be the SPN used to generate the keytab file, or the user identify that the SPN was mapped to using the setspn.exe command. When entering the user identity instead of the SPN, specify it using the format <userid>@<DOMAIN>, for example, atriumsso@ATSSO.COM.

Kerberos Realm

The Key Distribution Center (KDC) domain name.

KDC Server Name

The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.

If you have multiple KDC servers (primary KDC and several secondary KDCs), you can specify them in this field, separated by a colon. If the primary KDC is unavailable at any moment for authentication, BMC Atrium Single Sign-On tries to use another KDC from the user's list; for example,


You can choose the authentication mechanism for Kerberos. Two options are available:

UserID Format

The following parameters are used:

  • Use Domain Name with Principal — When this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication.
  • Forced character case — The forced character case allows you to select the type of character case you want for your user ID. You can choose any of the three options: No change, UPPERCASE, and lowercase. The UserId is displayed in the selected format in the user store.
Make UserId available to User StoreWhen this check box is selected, the user store searches use the original UserID instead of the value modified by the UserId Format parameter.  For example, when BMC Atrium Single Sign-On searches the user store, the user ID provided from the Kerberos authentication module could be atsso\abcxyz, but the original value from the Kerberos Service Ticket is used to search the user store.

Enable logging and click View to see the logging information on a web page. The Logging panel allows you to select from the following logging-level options:

  • All — All the details related to Kerberos — for example, the information within the SPNEGO token—are saved in the log file.
  • Info — Messages related to Kerberos are saved as warnings and errors in the log file.
  • Off — No logs are generated.

Additionally, the logs contain Kerberos diagnostic information. For example, verification details for KVNO and SPN values comparison.

Note: Turn off logging when you are not debugging the configuration for avoiding performance degradation.

Was this page helpful? Yes No Submitting... Thank you


  1. Gaurav Wadhwa

    Hi Team,

    We have upgraded Atrium SSO 9.0 from 8.1 patch 003. Now we are facing an issue where userid@domainName is passing to AR System which is not allowing user to logging in or login as a guest user if allowed, as only userid like firstname.lastname is configured in AR System.

    Please suggest solution for this. There is already a discussion thread opened for the same on BMC Communities, you can refer it for more details.

    Thanks & Regards,

    Gaurav Wadhwa

    Oct 10, 2014 02:54
    1. Abhay Chokshi

      Thank you for your comment, Gaurav.

      The concerned SME is currently looking into this issue. I will reply to you as soon as I receive a solution to your query.



      Oct 12, 2014 12:58