Important This space contains documentation for TrueSight Smart Reporting for Server Automation 20.02.01. For earlier releases, see TrueSight Smart Reporting for Server Automation 19.2.

Registering an Authentication Service in an Active Directory domain


This topic provides instructions for administering security at installations where Active Directory (AD) /Kerberos authentication is not already used for TrueSight Server Automation. If you have already set up AD/Kerberos authentication, you can use your existing Kerberos configuration files and modify as necessary based on the descriptions in this section. This topic provides procedures that an administrator of an Active Directory Key Distribution Center (KDC) can use to register the Authentication Service associated with a TrueSight Server Automation Application Server in an Active Directory domain.

To employ AD/Kerberos user credentials for Domain Authentication of end users, perform the following steps:

Step 1: Requirements for the Active Directory server

The following utilities must be installed on the Active Directory server:

Utilities required on Active Directory server

(1) BMC recommends using version 5.2.3790.2732 of ktpass.exe.

Step 2: Create an Active Directory user account in the domain of the Authentication Server

This topic provides instructions for creating a user account for the Authentication Service in the domain (that is, the Kerberos realm) where the Authentication Server is running.

  1. On Microsoft Windows Server (for example, Windows Server 2000 or 2003), select Start > Programs > Administrative Tools > Active Directory Users and Computers.
    The Active Directory Users and Computers window appears.
  2. In the left column, expand the domain name for the Authentication Server so that it displays the Users folder.
  3. Right-click the Users folder and select New > User.
    The New Object - User wizard starts.
  4. In the First name field, enter a name, such as blauthsvc, and in the User logon name field, enter the same name. Click Next. In this example, you would enter blauthsvc again.
  5. In the Password field, set the password. Be sure to use a password that conforms to the Active Directory password policy.
  6. Select Password never expires and click Next.
    The summary page appears.
  7. Click Finish.
  8. From the Active Directory Users and Computers window, do the following steps:
    1. Ensure that the domain name for the Authentication Server is expanded so that it shows the Users folder in the left column.
    2. Click the Users folder, and then double-click the blauthsvc user in the right column. 
      The Properties window for that user appears.
    3. Click the Account tab.
    4. Under Account Options, select Use DES encryption types for this account.
    5. Click OK.

Step 3: Associate a service principal name (SPN) with the user account

This topic describes how to create a service principal name (SPN) for this instance of the TrueSight Server Automation Authentication Service.

An SPN is a unique identifier for a service on a network that uses Kerberos authentication. It consists of a service class, a host name, and sometimes a port. HTTP SPNs do not require a port. On a network that uses Kerberos authentication, an SPN for the server must be registered under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. SPNs are registered for built-in accounts automatically. However, when you run a service under a domain user account, you must manually register the SPN for the account you want to use. To create an SPN, you can use the SetSPN command-line utility. For more information about the SetSPN utility, see the Microsoft documentation.

The SPN has the following format: <serviceClass>/<instance>
where <serviceClass> identifies the general class of service. Examples of service class names include www for a web service or ldap for a directory service.
<instance> is a string identifying this particular instance of the TrueSight Server Automation Authentication Service.

Perform the following steps:

  1. Run the following command:

    setspn -A blauthsvc/<instance> blauthsvc

    where blauthsvc is used as the <serviceClass> to indicate the TrueSight Server Automation Authentication Service, and
    <instance> is the instance of the TrueSight Server Automation Authentication Service that is associated with this SPN (for example, app4).

    The final blauthsvc on the command line refers to the user account you just created for the Authentication Service. 
    It is a convention to set <instance> to a fully qualified host name, but not a requirement. In fact, <instance> does not even have to be associated with a host name. If you later change your Authentication Server for some reason, you can continue to use the same service principal name.

  2. (Applicable for Windows Server 2000 environment) Modify the User Logon name to match the service principal name as follows. (On Windows Server 2003, ktpass does this step automatically.)
    1. In the Active Directory Users and Computers window, expand the domain name for the TrueSight Server Automation Authentication Server so that it shows the Users folder in the left column.
    2. Click the Users folder, and then double-click the blauthsvc user in the right column. 
      The Properties window for that user appears.
    3. Click the Account tab.
    4. Change User logon name from blauthsvc to the instance identifier that you just used with setspn. For example:

      blauthsvc/<instance>

      In this example, you would change it to:

      blauthsvc/app4

      Note

      Do not change the pre-Windows 2000 name.

    5. Click OK.

Step 4: To export and copy the keytab file

The Authentication Server needs a keytab file so it can connect to the Active Directory server through the LDAP protocol and validate a user when refreshing session credentials. This topic describes how to export and copy a keytab file from the Active Directory server.

You must provide the keytab file to the administrator of the Authentication Server for reports.

  1. Use the ktpass command-line utility to export the keytab file as follows. Run this utility in a directory suitable for writing a file with sensitive data. Do one of the following steps:
    • In Microsoft Windows Server 2003 environment, enter the following command:

      ktpass -out blauthsvc.keytab
        -princ blauthsvc/<instance>@<DOMAIN>
        -mapuser blauthsvc@<DOMAIN> +rndPass -minPass 33
        -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

      <instance> is the instance of the Authentication Server for reports (typically a host name) and <DOMAIN> is the domain where the Authentication Server is running. (This realm or domain appeared next to the User logon name when you created the blauthsvc user.) For example:

      ktpass -out blauthsvc.keytab
        -princ blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM
        -mapuser blauthsvc@SUB2.DEV.MYCOMPANY.COM +rndPass -minPass 33
        -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
    • In Microsoft Windows Server 2000 environment, enter the following command:

      ktpass -out blauthsvc.keytab
        -princ blauthsvc/<instance>@<DOMAIN>
        -mapuser blauthsvc -pass * -ptype KRB5_NT_PRINCIPAL
        -crypto DES-CBC-MD5 -kvno 1
  2. Provide the following information to the administrator of the Authentication Server:
    • The newly created blauthsvc.keytab file. The blauthsvc.keytab file contains key material, so transfer it between systems with care. The Authentication Service needs this keytab to allow users to authenticate.
    • The SPN used in the keytab file. For example:

      blauthsvc/app4
    • The name of the domain (that is, the Kerberos realm) for the Authentication Server. For example:

      SUB2.DEV.MYCOMPANY.COM
  3. Do one of the following steps:
    • On UNIX, copy the file to the /br directory. 
      For example, if TrueSight Smart Reporting for Server Automation is installed in the default location, you would copy the file to the /usr/local/bmc/TSSA-DW/br directory.

    • On Microsoft Windows, copy the file to the \br directory. 
      For example, if TrueSight Smart Reporting for Server Automation is installed in the default location, you would copy the file to the C:\Program Files\BMC Software\TSSA-DW\br directory.
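Before the keytab is dropped into the br directory, the Authentication Server administrator can confirm it actually carries the SPN and realm handed over in step 2 and see which encryption type ktpass wrote into it. The following checker is an added example, not BMC's or Microsoft's code; it assumes the MIT keytab layout (version 0x0502) that ktpass produces, and the sample keytab bytes at the bottom are constructed here, not a real export.

```python
import struct
# Kerberos enctype numbers (IANA registry). Single DES is deprecated for Kerberos
# by RFC 6649 and RC4 by RFC 8429; ktpass -crypto DES-CBC-MD5 produces enctype 3.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED = {1, 2, 3, 23}
def _u16(data, pos):
    return struct.unpack(">H", data[pos:pos + 2])[0], pos + 2

def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format (version 0x0502) keytab, the layout ktpass writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:                 # a negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, pos = _u16(data, pos)
        strings = []                 # realm first, then the name components
        for _ in range(ncomp + 1):
            n, pos = _u16(data, pos)
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _stamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        # A 32-bit kvno trails the key when the entry has 4 bytes left over.
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "deprecated": enctype in DEPRECATED})
        pos = end
    return entries

def check_keytab(data: bytes, spn: str, realm: str) -> list:
    """Findings for the Authentication Server administrator; an empty list means OK."""
    entries = parse_keytab(data)
    want = f"{spn}@{realm}"
    findings = [] if any(e["principal"] == want for e in entries) else [f"no key for {want}"]
    return findings + [f"{e['principal']}: deprecated enctype {e['enctype']}"
                       for e in entries if e["deprecated"]]

# Constructed sample (not a real export): one des-cbc-md5 key, kvno 3, for the page's example SPN.
def _cs(s): return struct.pack(">H", len(s)) + s.encode()
def build_entry(realm, comps, enctype, key, kvno):
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(map(_cs, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("SUB2.DEV.MYCOMPANY.COM", ["blauthsvc", "app4"], 3, bytes(8), 3)
```

Running check_keytab on a real blauthsvc.keytab with the SPN and realm from step 2 reports a missing principal or a deprecated DES key before the file is put into service.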
