Setting up Kerberos authentication in Remedy SSO
Remedy Single Sign-On (Remedy SSO) supports Kerberos authentication. You can configure the Remedy SSO server to authenticate TrueSight Operations Management users through Kerberos.
The following topics describe how to configure Kerberos authentication in Remedy SSO and how to create an authorization profile in the TrueSight console:
Before you begin
- You must have installed and configured Remedy SSO to work with the Presentation Server and its component products. For details, see and
- You must have created an equivalent local user (and its associated local user group) for every Kerberos user that needs to log in to the Presentation Server. This is required because the Remedy SSO server cannot obtain user group information from the Kerberos identity provider for a successfully authenticated Kerberos user. Therefore, you must create a local user with exactly the same name as the Kerberos user and associate that local user with the desired local user group. For details on creating local users and user groups in Remedy SSO using the import utility, perform the procedure.
- You must have added a non-default tenant (realm) in addition to the default * tenant (realm). See Configuring tenants for the Presentation Server in Remedy SSO.
You must have configured a multi-tenant environment by enabling the msp parameter. For details, see To enable multi-tenancy in Presentation Server.
Kerberos cannot be configured using the * (default realm) tenant.
Obtain the following information:
Configuring Active Directory
| | Information | Obtained from |
|---|---|---|
| 1 | | Active Directory administrator |
| 2 | | Active Directory administrator |
| | (Optional) Generate a keytab if you want to provide the credentials through a keytab file | User who has access to a server with the domain controller |
Creating a service account in Active Directory
- Go to Active Directory.
- Right-click Users > New > User.
- Enter the user name and the user logon name in the First name and User logon name fields.
- Click Next.
- Enter user password in the Password and Confirm password fields.
- Select the User cannot change password and Password never expires check boxes.
- Click Next.
- Click Finish.
Adding an SPN mapping for the service account
Before you begin
- Ensure that you have the user name and password for the service account.
- Ensure that you have the machine name where Remedy SSO server runs.
To add an SPN mapping
To add an SPN mapping, run the setspn command from a command prompt (any directory) on the Active Directory machine:
setspn -S HTTP/<HOST> <USER>
The setspn command parameters are as follows:
- <HOST>: Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain.
- <REALM>: Name of the Kerberos realm.
- <USER>: Logon name of the service account.
For example:
setspn -S HTTP/access.bmc.com remedyssoservice
(Optional) Generating a keytab file
A keytab contains the Service Principal Name (SPN) credentials that Remedy SSO uses to communicate with the domain controller. Clients use the SPN to request a service ticket during the authentication process.
Before you begin
- Obtain the user name and password for the service account.
- Obtain the machine name where Remedy SSO server runs.
- Ensure that you have appropriate administrative permissions to run the ktpass command.
To generate a keytab file
To generate a keytab file, run the ktpass command from a command prompt in an appropriate directory. The command automatically assigns the HTTP/<HOST> SPN to the user.
ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0
The ktpass command parameters are as follows:
- <FILE>: Name of the keytab file that is to be generated.
- <HOST>: Fully qualified domain name of the host on which the Remedy SSO server runs, including the internet domain.
- <DOMAIN>: Active Directory domain name, written in uppercase.
- <PASSWORD>: Password of the service account user.
For example (the principal must carry the @<DOMAIN> suffix, as in the template above):
ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /pass RemedySs0service /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0
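Before handing the keytab to Remedy SSO it is worth confirming what ktpass actually wrote: ktpass emits the MIT keytab format, and /crypto ALL writes one entry per encryption type the domain controller supports, which can include legacy RC4-HMAC and DES keys alongside AES. The following is an added example written for this page (not code from BMC or from ktpass) that parses such a keytab and reports whether the expected HTTP/<HOST>@<DOMAIN> principal is present and which legacy types it contains; the sample keytab is constructed inline with dummy key bytes, and the build_keytab helper exists only to construct that sample.

```python
import struct
LEGACY = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}   # enctypes worth flagging

def build_keytab(principal, kvno, keys):
    """MIT-format (0x0502) keytab writer, one entry per enctype; used only to build sample input."""
    cstr = lambda b: struct.pack(">H", len(b)) + b             # counted octet string
    name, realm = principal.rsplit("@", 1)
    out = b"\x05\x02"
    for etype, key in keys.items():
        body = struct.pack(">H", name.count("/") + 1) + cstr(realm.encode())
        body += b"".join(cstr(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)         # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", etype) + cstr(key)           # keyblock
        body += struct.pack(">I", kvno)                        # 32-bit kvno (v2 extension)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    def cstr():                                                # read one counted octet string
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size < 0:                                           # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,), pos = struct.unpack_from(">H", data, pos), pos + 2
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        (_ntype, _ts, vno8, etype), pos = struct.unpack_from(">IIBH", data, pos), pos + 11
        cstr()                                                 # key material, not needed here
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def check_keytab(data, expected_spn):
    """Before deploying: is the expected SPN there, and which legacy enctypes did /crypto ALL add?"""
    entries = parse_keytab(data)
    return {"spn_present": any(p == expected_spn for p, _, _ in entries),
            "legacy_enctypes": sorted(LEGACY[e] for _, _, e in entries if e in LEGACY)}
# Constructed sample: the page's example SPN, kvno 0, RC4 + AES entries with dummy key bytes.
SAMPLE = build_keytab("HTTP/access.example.com@RSSO.COM", 0,
                      {23: b"\x11" * 16, 17: b"\x22" * 16, 18: b"\x33" * 32})
```

Run check_keytab on the real file (open it with mode "rb") and the expected principal from your ktpass command; an RC4 or DES entry in the result means those key types are also usable for the service account unless they are disabled in the domain.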
Configuring Kerberos authentication in Remedy SSO for the TrueSight Presentation Server
Perform the following procedures to configure the Kerberos authentication for TrueSight Presentation Server:
- To configure the Kerberos authentication in Remedy SSO for the TrueSight Presentation Server
- To create or edit an authorization profile with Kerberos users in the Presentation Server
To configure the Kerberos authentication in Remedy SSO for the TrueSight Presentation Server
- Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.
  When you configure the Kerberos authentication parameters for the Presentation Server, you must set the User ID Transformation field. For example, if your User ID Format value is domain\user or user@domain, you must set the User ID Transformation to RemoveDomain.
- Click Test to verify the settings.
- Click Save.
- Click Add Authentication.
- In the Authentication Type field, click LOCAL.
- Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
- Create users and user groups for the LOCAL authentication.
  The users in LOCAL must be exactly the same as the users in the Kerberos identity provider.
  Alternatively, the users can be created by using the import script under the migration utility.
- Associate users to the user groups.
- Click Save.
Add the LOCAL authentication entry below the Kerberos authentication entry, and do not promote or move the LOCAL entry above the Kerberos entry.
- For the alternative way to create users in step 11 using the import script, see
- The user groups created in step 12 are used when you create the authorization profile.
To create or edit an authorization profile with Kerberos users in the Presentation Server
- Log in to the TrueSight console as a Super Admin.
- Navigate to Administration>Authorization Profiles.
- Create a new authorization profile or edit an existing authorization profile to associate the user groups.
  Select a tenant other than the * (asterisk) tenant that you configured in Remedy Single Sign-On for Kerberos users and select Edit under User Groups.
  Do not select the * (asterisk) tenant for the Kerberos users.
- Click Add and select the Kerberos user group from the list of user groups.
- Select the required roles from the list of roles.
- (Optional) Select the required objects from the list of objects.
- Select OK and then Save.
- Select Yes to confirm changes to the authorization profile.
- Log out of the TrueSight console.
- Configure the browsers for Kerberos authentication to work. For details, see Configuring the browsers.
- Log in to the TrueSight console as a Kerberos user.
  A two-step authentication screen is displayed.
- Type the Kerberos realm Application Domain name and click Submit.
  The Kerberos login screen is displayed.
- Type the Kerberos login credentials and click Login.
  The TrueSight console is displayed.
Configuring the browsers
After you have configured the Active Directory and Kerberos authentication settings, you must make sure that the browser on a user's system is configured to use Kerberos authentication. Ensure that the browser is not on the same computer on which you have installed Remedy SSO server.
Google Chrome also supports Kerberos authentication. If you have configured Internet Explorer, no additional settings are required for Google Chrome because it uses the Internet Explorer settings.
Configuring Internet Explorer
- Navigate to Tools > Internet Options > Advanced.
- On the Advanced tab, in the Security section, select Enable Integrated Windows Authentication (requires restart).
- On the Security tab, select Local Intranet.
- Click Custom Level.
- In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
- Click OK.
- Click Sites and select all check boxes.
- Click Advanced and add the Remedy SSO service website to the local zone (the website might be already added). For example, sample.bmc.com.
- Click Add.
- Click OK for all pop-ups.
Configuring Mozilla Firefox
- Enter the following URL: about:config.
- Click I'll be careful, I promise!
- Double-click the Preference Name: network.negotiate-auth.trusted-uris.
- Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
- Double-click the Preference Name: network.automatic-ntlm-auth.trusted-uris.
- Add the fully qualified domain name (FQDN) of the host, for example, sample.bmc.com.
- Click OK.