Configuring an Authentication Service for AD Kerberos authentication


Use this procedure to configure a TrueSight Server Automation Authentication Service so that TrueSight Server Automation users can authenticate with their AD/Kerberos user credentials.

To configure an Authentication Service for AD/Kerberos authentication

The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.

Note

When you specify a domain name in any of the following steps, you must use uppercase letters. You might want to review the diagram in Sample domain structure for an overview of the domain names and host names used in the examples in this topic.

  1. If you have not done so already, perform the following prerequisite procedure: Registering an Authentication Service in an Active Directory Domain.
  2. Review the information that is needed to perform subsequent steps. See Required information for configuring AD Kerberos.
  3. Copy the keytab file to the Application Server.
  4. Obtain the host name of an Active Directory KDC for the service principal's realm. See Locating the Active Directory KDC for the service principal's domain.
  5. Create the blappserv_krb5.conf file, which provides essential configuration information.
  6. Create the blappserv_login.conf file (AD Kerberos), which provides the location of the keytab file.
  7. Configure the Authentication Service to support Kerberos. See Defining Authentication Service settings for AD Kerberos.
  8. Add user names based on Kerberos naming conventions to the RBAC user database. See Cross-registering users in the TrueSight Server Automation database (AD Kerberos).
  9. If you are using Network Shell to communicate directly with agents, set up a Network Shell proxy server to manage that traffic.
  10. Add users to built-in roles.
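
A pre-flight check for the uppercase rule in the note above and for the keytab copied in step 3, which holds the service principal's long-term key. This is an added example, not BMC code. It assumes that blappserv_krb5.conf follows the standard krb5.conf section layout and that the Application Server uses POSIX file modes; the realm and host names are constructed placeholders.

```python
import os
import re
import stat

# Constructed sample in standard krb5.conf layout; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = sub1.example.com

[realms]
    SUB1.EXAMPLE.COM = {
        kdc = dc1.sub1.example.com
    }

[domain_realm]
    .sub1.example.com = sub1.example.com
"""

def lowercase_realms(conf_text):
    """Return (section, realm) pairs where a realm name is not fully uppercase."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            continue  # blank line or closing brace
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            realm = value
        elif section == "realms" and value.startswith("{"):
            realm = key    # realm block header, e.g. "REALM = {"
        elif section == "domain_realm":
            realm = value  # right-hand side maps a DNS domain to a realm
        else:
            continue       # kdc = host and similar settings hold host names, not realms
        if realm != realm.upper():
            findings.append((section, realm))
    return findings

def keytab_too_open(path):
    """True if group or other users have any access to the keytab (POSIX modes)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    for section, realm in lowercase_realms(SAMPLE_KRB5_CONF):
        print(f"[{section}] realm '{realm}' should be '{realm.upper()}'")
```

Host names such as the `kdc` value are deliberately not flagged; only realm names are checked for case.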

 
