This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Kerberos Editor

The Kerberos Editor is updated with a Return option that pulls group information from the Kerberos Service Ticket when you are operating in a Microsoft Active Directory domain.

Parameters and descriptions

Service Principal Name (SPN)

The Kerberos principal that is used for authentication. Clients use the service principal to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On; for example, HTTP/bmc-xyz.sso.com@ATSSO.COM. With Active Directory, the SPN that you enter can be either the SPN used to generate the keytab file or the user identity that the SPN was mapped to using the setspn.exe command. When entering the user identity instead of the SPN, specify it using the format <userid>@<DOMAIN>, for example, atriumsso@ATSSO.COM.

Kerberos Realm

The Key Distribution Center (KDC) domain name.

KDC Server Name

The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.

If you have multiple KDC servers (primary KDC and several secondary KDCs), you can specify them in this field, separated by a colon. If the primary KDC is unavailable at any moment for authentication, BMC Atrium Single Sign-On tries to use another KDC from the user's list; for example, abc.atsso.com:abc1.atsso.com.

Credentials

You can choose the authentication mechanism for Kerberos. Two options are available:

UserID Format

The following parameters are used:

  • Use Domain Name with Principal — When this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication.
  • Forced character case — The forced character case allows you to select the type of character case you want for your user ID. You can choose any of the three options: No change, UPPERCASE, and lowercase. The UserId is displayed in the selected format in the user store.
Make UserId available to User Store

When this check box is selected, the user store searches use the original UserID instead of the value modified by the UserId Format parameter. For example, when BMC Atrium Single Sign-On searches the user store, the user ID provided from the Kerberos authentication module could be atsso\abcxyz, but the original value from the Kerberos Service Ticket is used to search the user store.

Logging

Enable logging and click View to see the logging information on a web page. The Logging panel allows you to select from the following logging-level options:

  • All — All the details related to Kerberos (for example, the information within the SPNEGO token) are saved in the log file.
  • Info — Messages related to Kerberos are saved as warnings and errors in the log file.
  • Off — No logs are generated.

Additionally, the logs contain Kerberos diagnostic information, for example, verification details for the comparison of KVNO and SPN values.

Note: Turn off logging when you are not debugging the configuration, to avoid performance degradation.
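The following Python check is an added example, not part of the BMC documentation or product. It validates values for the Service Principal Name, Kerberos Realm, and KDC Server Name fields against the formats described above before you enter them. The function name `check_kerberos_fields` is hypothetical, and the uppercase-realm check is an assumption based on the Active Directory convention (the page only shows an uppercase example).

```python
import re

# Hypothetical pre-flight checker for the field formats described on this page.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"{LABEL}(?:\.{LABEL})+")  # at least two dot-separated labels


def is_fqdn(name):
    return len(name) <= 253 and FQDN.fullmatch(name) is not None


def check_kerberos_fields(spn, realm, kdc_field):
    """Return a list of problems found in the three values (empty if none)."""
    problems = []
    principal, sep, spn_realm = spn.rpartition("@")
    if not (sep and principal and spn_realm):
        problems.append("SPN must have the form <principal>@<REALM>")
    else:
        if spn_realm != realm:
            problems.append(
                f"SPN realm {spn_realm!r} differs from Kerberos Realm {realm!r}")
        if "/" in principal:
            # Service form, e.g. HTTP/<host>: the host part must be an FQDN.
            host = principal.partition("/")[2]
            if not is_fqdn(host):
                problems.append(f"SPN host {host!r} is not a fully qualified name")
        # Otherwise it is the <userid>@<DOMAIN> form; nothing more to check.
    if realm != realm.upper():
        # Assumption: AD realms are written in uppercase; realms are case-sensitive.
        problems.append(f"Kerberos Realm {realm!r} is not uppercase")
    # Multiple KDCs are colon-separated, so a comma-separated list or a
    # trailing ":88" port ends up as an entry that is not an FQDN.
    for kdc in kdc_field.split(":"):
        if not is_fqdn(kdc):
            problems.append(f"KDC entry {kdc!r} is not an FQDN")
    return problems


if __name__ == "__main__":
    # Constructed sample values, modelled on the examples in the text above.
    samples = [
        ("HTTP/bmc-xyz.sso.com@ATSSO.COM", "ATSSO.COM", "abc.atsso.com:abc1.atsso.com"),
        ("atriumsso@ATSSO.COM", "ATSSO.COM", "abc.atsso.com"),
        ("HTTP/bmc-xyz@atsso.com", "ATSSO.COM", "abc.atsso.com,abc1.atsso.com"),
        ("HTTP/bmc-xyz.sso.com@ATSSO.COM", "ATSSO.COM", "abc.atsso.com:88"),
    ]
    for spn, realm, kdcs in samples:
        print(spn, realm, kdcs, "->", check_kerberos_fields(spn, realm, kdcs) or "OK")
```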
