This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

End-to-end steps for configuring MIT Kerberos authentication

Overview

MIT Kerberos is a trusted third-party authentication service. It provides a centralized authentication server whose function is to authenticate users to servers and servers to users. It uses symmetric encryption with keys shared with the authentication server. Kerberos keeps a database containing the keys of clients and servers, and uses the keys to authenticate one network node to another. Kerberos also generates temporary session keys to be shared by the two parties in a conversation. All communications between the two parties are then encrypted with the session key. This topic describes the process of setting up BMC Atrium Single Sign-On to use Kerberos authentication.

Configuring MIT Kerberos authentication

Recommendations

If you are using Microsoft Windows Active Directory version 2003, you might need to update to a later version to get setspn options. For more information, see http://support.microsoft.com/kb/970536.

Perform the following tasks to configure Kerberos with Active Directory.

1. Understanding how Kerberos works

   Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. To understand the conceptual framework, see Kerberos authentication.

2. (Optional) Generating a keytab file for the service principal

   After the accounts for the service principals are created, a keytab file must be generated. For more information, see Generating a key tab file for the service principal.

   Alternatively, you can add a Service Principal Name (SPN) password. (If you are using an SPN password, you must map the SPN to a user account, and the user account must have an ID that matches the SPN.)

3. Configuring the Kerberos module

   After you have generated a keytab file and mapped the Kerberos service name, configure the Kerberos module on the BMC Atrium SSO Admin Console. For more information, see Configuring the Kerberos module.

4. Reconfiguring your browser

   If you have not reconfigured your browser for using Kerberos authentication, you must configure it. For more information, see Reconfiguring your browser.

5. (Optional) Chaining different modules

   If a complex authentication chain is needed, you can create a certificate chain by using the Realm Editor on the BMC Atrium SSO Admin Console. Perform the procedures in Chaining different modules.

Note

To set up Kerberos authentication when the BMC Atrium Single Sign-On server is running in High Availability (HA) mode, you must make the following modifications:

  • When you create the keytab file and the SPN mapping, use the name of the load balancer host instead of the name of the BMC Atrium Single Sign-On server host.
  • When you open the BMC Atrium Single Sign-On application in a browser, use the host name and port number of the load balancer instead of the host name and port number of the BMC Atrium Single Sign-On server. For example, https://<Loadbalancer>:<port>/atriumsso/UI/Login?realm=<realm_name>.
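
The following check is an added example, not part of the BMC documentation: it parses an MIT keytab (file format 0x0502) and reports whether it contains the service principal for the load balancer host, which is the mismatch the HA note above guards against. The HTTP service class, the host names, the realm, and the sample keytab are assumptions constructed for illustration.

```python
import struct

def counted(buf, off):
    """Read one counted string: 16-bit big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_principals(data):
    """Return the principals ("service/host@REALM") stored in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab in file format 0x0502")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a hole left by a deleted entry
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (count,) = struct.unpack_from(">H", entry, 0)
        realm, off = counted(entry, 2)
        parts = []
        for _ in range(count):
            part, off = counted(entry, off)
            parts.append(part)
        found.add("/".join(parts) + "@" + realm)
    return found

def covers_load_balancer(data, lb_host, realm, service="HTTP"):
    """True if the keytab holds service/<lb_host>@<realm> (host compared case-insensitively)."""
    for principal in keytab_principals(data):
        name, _, entry_realm = principal.rpartition("@")
        svc, _, host = name.partition("/")
        if (svc, host.lower(), entry_realm) == (service, lb_host.lower(), realm):
            return True
    return False

def sample_entry(realm, parts, kvno=3):
    """Constructed entry: name type 1, timestamp 0, enctype 18 with a dummy all-zero key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(parts)) + cs(realm) + b"".join(cs(p) for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, 18, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body

# Constructed keytab that was generated for a single SSO node, not for the load balancer.
SAMPLE_KEYTAB = b"\x05\x02" + sample_entry("EXAMPLE.COM", ["HTTP", "sso-node1.example.com"])

if __name__ == "__main__":
    for host in ("sso-node1.example.com", "sso-lb.example.com"):
        print(host, covers_load_balancer(SAMPLE_KEYTAB, host, "EXAMPLE.COM"))
```

Running the check against the keytab before it is loaded into the Kerberos module shows whether it was generated for an individual node rather than for the load balancer name that browsers will request.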

Troubleshooting Kerberos authentication

If you encounter issues related to Kerberos authentication, refer to the Kerberos troubleshooting section. For more information, see Troubleshooting Kerberos authentication.
