This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

End-to-end steps for configuring MIT Kerberos authentication

The following topics are provided:


MIT Kerberos is a trusted third-party authentication service. It provides a centralized authentication server whose function is to authenticate users to servers and servers to users. It uses symmetric encryption with keys shared with the authentication server. Kerberos keeps a database containing the keys of clients and servers, and uses the keys to authenticate one network node to another. Kerberos also generates temporary session keys to be shared by the two parties in a conversation. All communications between the two parties are then encrypted with the session key. This topic describes the process of setting up BMC Atrium Single Sign-On to use Kerberos authentication.

Configuring MIT Kerberos authentication


If you are using Microsoft Windows Active Directory version 2003, you might need to update to a later version to get setspn options. For more information, see

Perform the following tasks to configure Kerberos with Active Directory.

1Understanding how Kerberos worksKerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. To understand the conceptual framework, see Kerberos authentication.

(Optional) Generating a keytab file for the service principal

After the accounts for the service principals are created, a keytab file must be generated. For more information, see Generating a key tab file for the service principal.

Alternatively, you can add an Service Principal Name (SPN) password. (If you are using an SPN password, you must map the SPN to a user account, and the user account must have an ID that matches the SPN.)

3Configuring the Kerberos moduleAfter you have generated a keytab file and mapped the Kerberos service name, configure the Kerberos module on the BMC Atrium SSO Admin Console. For more information, see Configuring the Kerberos module.
4Reconfiguring your browser

If you have not reconfigured your browser for using Kerberos authentication, you must to configure it. For more information, see Reconfiguring your browser.

5(Optional) Chaining different modules

If a complex authentication chain is needed, you can create a certificate chain by using the Realm Editor on the BMC Atrium SSO Admin Console. Perform the procedures in Chaining different modules.


To set up Kerberos authentication when the BMC Atrium Single Sign-On server is running in High Availability (HA) mode, you must do the following modifications:

  • When you create the keytab file and the SPN mapping, use the name of the load balancer host instead of the name of the BMC Atrium Single Sign-On server host.
  • When you open the BMC Atrium Single Sign-On application in a browser, use the host name and port number of the load balancer instead of the host name and port number of the BMC Atrium Single Sign-On server. For example, https://<Loadbalancer>:<port>/atriumsso/UI/Login?realm=<realm_name>.

Troubleshooting Kerberos authentication

If you encounter issues related to Kerberos authentication, refer to the Kerberos troubleshooting section. For more information, see Troubleshooting Kerberos authentication.

Was this page helpful? Yes No Submitting... Thank you