This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

End-to-end steps for configuring Active Directory Kerberos authentication

The following topics are provided:


The Microsoft Windows Server operating system implements the Kerberos version 5 authentication protocol. Windows Server operating system also implements extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain’s Active Directory service database as its account database. An Active Directory server is required for default Kerberos implementations.

Before you begin

To make changes to Microsoft Windows Active Directory, you must have administrator permissions on the domain controller computer and in the domain itself. To make changes to the BMC Atrium Single Sign-On server, you must also have administrator permissions for the BMC Atrium SSO Admin Console.

Configuring Kerberos authentication with Active Directory


If you are using Microsoft Windows Active Directory version 2003, you might need to update to a later version to get setspn options. For more information, see

Perform the following tasks to configure Kerberos with Active Directory.

1Understanding how Kerberos worksKerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. To understand the conceptual framework, see Kerberos authentication.

Creating user identity which will be used for active directory authentication

You must log on to the domain controller computer as a user with administrator permissions.  Then, create a user in Active Directory server for authentication.

  1. Enter the user's First name and User logon name.
  2. Specify the Password and confirm the password. Select the User cannot change password and Password never expires check boxes.
  3. Verify that you have not selected the Require preauthentication check box.
Note: BMC Atrium Single Sign-On server communicates with your KDC or Active Directory domain controller on TCP/UDP Port 88. Refer to the Microsoft documentation for specific information related to your Active Directory version,

(Optional) Generate a keytab file for the service principal

After the accounts for the service principals are created, a keytab file must be generated. For more information, see Generating a keytab file for the service principal.

Alternatively, you can add an Service Principal Name (SPN) password. (If you are using an SPN password, you must map the SPN to a user account, and the user account must have an ID that matches the SPN.)

4Mapping the Kerberos service nameAdd an SPN for mapping the Kerberos service name. The setspn.exe utility allows manipulation of SPNs within Active Directory. For more information, see Mapping the Kerberos service name.
5Configuring the Kerberos moduleAfter you have generated a keytab file and mapped the Kerberos service name, configure the Kerberos module on the BMC Atrium SSO Admin Console. For more information, see Configuring the Kerberos module.
6Reconfiguring your browser

If you have not reconfigured your browser for using Kerberos authentication, you must configure it. For more information, see Reconfiguring your browser.

7(Optional) Chaining different modules

If a complex authentication chain is needed, you can create a certificate chain by using the Realm Editor on the BMC Atrium SSO Admin Console. Perform the procedures in Chaining different modules.

8Testing Kerberos authentication
  • Make sure that the test machine belongs to the KDC domain and the user's details are in the Active Directory account database. Then, enter the application URL in the browser. The user must be authenticated automatically.
  • Authentication chaining (including Kerberos authentication) can be tested without binding to the particular agent. Open the Login URL in a new browser instance. In case of successful Kerberos authentication, the following message is displayed to the user without being prompted for credentials.
    • "You (<username>) are logged in with insufficent privileges for the admin console."


In High Availability (HA) mode, when you create the keytab file and the SPN mapping, use the name of the load balancer host instead of the name of the BMC Atrium Single Sign-On server host.

Troubleshooting Kerberos authentication

If you encounter issues related to Kerberos authentication, refer to the Kerberos troubleshooting section. For more information, see Troubleshooting Kerberos authentication.

Was this page helpful? Yes No Submitting... Thank you