Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." The documentation remains available for your convenience.

End-to-end steps for configuring Kerberos authentication with Active Directory



Overview

Kerberos is a trusted third-party authentication protocol, originally developed at MIT. A centralized authentication server, the Key Distribution Center (KDC), authenticates users to services and services to users; in a Microsoft Windows Active Directory domain, every domain controller acts as a KDC. Kerberos uses symmetric encryption: each user and service principal shares a long-term key with the KDC, which keeps those keys in its database (in Active Directory they are derived from the account passwords) and uses them to authenticate one network node to another. For each conversation the KDC also issues a temporary session key that the two parties share, and their subsequent communication is protected with that session key. This topic describes the process of setting up BMC Atrium Single Sign-On to use Kerberos authentication.

Before you begin

  • To make changes to the Microsoft Windows Active Directory, you must have administrator permissions on the domain controller computer and in the domain itself. To make changes to the BMC Atrium Single Sign-On server, you must also have administrator permissions for the BMC Atrium SSO Admin Console.
  • Ensure that no BMC products have already been integrated with BMC Atrium Single Sign-On.

Configuring Kerberos authentication with Active Directory

Refer to the following topics to configure Kerberos with Active Directory.


1. Understanding how Kerberos works

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. To understand the conceptual framework of Kerberos authentication, see Kerberos-authentication.

2. Setting up Kerberos authentication

Follow the steps necessary for configuring Kerberos authentication with Microsoft Windows Active Directory:

  • Generating a keytab for the service principal
  • Mapping the Kerberos service name
  • Configuring Kerberos module on BMC Atrium Single Sign-On server

For information about performing these tasks, see Configuring-Kerberos-authentication-with-Active-Directory.

Note: To complete the configuration successfully, perform the tasks in the sequence shown.
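The first two steps above, registering the service principal name (SPN) and generating the keytab, are performed on the Active Directory side. The following script is an added example and is not part of the BMC documentation or of the BMC Atrium Single Sign-On product; the realm EXAMPLE.COM, the host sso.example.com, the account svc-atriumsso and the keytab path are assumptions. It runs in an elevated PowerShell on a domain controller (or on a domain member with the RSAT Active Directory tools installed) and checks for a duplicate SPN before registering anything, because a duplicate SPN is the most common reason Negotiate logons fail after an otherwise correct setup.

```powershell
# Added example; not from the BMC documentation. Registers the HTTP SPN for the
# BMC Atrium Single Sign-On service account and generates its keytab with ktpass.
# All names below are assumptions: adapt realm, host and account to your domain.
Import-Module ActiveDirectory          # provides Get-ADUser (RSAT AD PowerShell module)

$Realm   = 'EXAMPLE.COM'              # Kerberos realm = AD DNS domain name, upper case
$SsoHost = 'sso.example.com'          # FQDN that browsers use to reach Atrium SSO
$Account = 'svc-atriumsso'            # dedicated AD user account for the service
$Spn     = "HTTP/$SsoHost"
$Keytab  = 'C:\temp\atriumsso.keytab'

# 1. Refuse to continue if the SPN already exists on a different account. Duplicate
#    SPNs make the KDC's lookup ambiguous and break Negotiate logon intermittently.
$query = (setspn -Q $Spn) -join "`n"
if ($query -match 'Existing SPN found' -and $query -notmatch "CN=$Account,") {
    throw "$Spn is already registered on another account:`n$query"
}

# 2. Register the SPN on the service account. setspn -S (Windows Server 2008 and
#    later) re-checks the forest for duplicates before adding.
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 3. Generate the keytab. ktpass SETS a new password on the account, which increments
#    the key version number (kvno); the keytab it writes carries that new kvno, so a
#    later password reset without regenerating the keytab breaks ticket decryption.
#    The /crypto value must be allowed for the account and supported by the SSO JVM.
ktpass /princ "$Spn@$Realm" /mapuser "$Account@$Realm" /pass * `
       /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Show what Active Directory now records, to compare with the keytab's kvno.
Get-ADUser -Identity $Account -Properties ServicePrincipalName, 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-KeyVersionNumber'

Write-Host "Keytab written to $Keytab. Copy it to the Atrium SSO server over a protected channel and restrict its file permissions; it is equivalent to the account's password."
```

The encryption type deserves attention: a Java runtime without the unlimited-strength JCE policy files cannot decrypt AES-256 tickets, so if the BMC Atrium Single Sign-On JVM is in that state, use /crypto AES128-SHA1 consistently on the account, in the keytab and in the server configuration rather than falling back to RC4-HMAC-NT, which is accepted only for legacy interoperability.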

3. Setting up Kerberos authentication for BMC Atrium Single Sign-On running in HA mode

To set up Kerberos authentication when the BMC Atrium Single Sign-On server is running in High Availability (HA) mode, perform the procedure mentioned in Configuring-Kerberos-authentication-in-High-Availability-mode.

4. Chaining Kerberos with other modules

If Kerberos must be combined with other authentication modules, you can build an authentication chain by using the Realm Editor on the BMC Atrium SSO Admin Console. Perform the procedures mentioned in Chaining-Kerberos-with-other-modules.

Troubleshooting Kerberos authentication

 Refer to the following topics for troubleshooting issues related to Kerberos authentication.


Problems with krb5.ini

To debug the issue, see krb5-ini-file-issues.

Chained authentication failure for IE

Invalid service principal name

Invalid keytab index number

Enabling debug log in BMC Atrium Single Sign-On server

To enable the debug logs, see Enabling-debug-logging-in-BMC-Atrium-SSO-server.

Enabling Kerberos logging in JVM through system properties

To enable Kerberos logging in the JVM that runs BMC Atrium Single Sign-On, set the system property sun.security.krb5.debug to true (for example, by adding -Dsun.security.krb5.debug=true to the Tomcat JVM options). The JVM then traces each step of the Kerberos V5 protocol (loading of the krb5 configuration, KDC lookups, ticket requests and ticket decryption) to standard output, which Tomcat writes to its console or stdout log. The output is verbose, so remove the property once the problem is found.

Increasing HTTP header size in Tomcat

The browser sends the Kerberos service ticket, wrapped in a SPNEGO token and Base64-encoded, as the value of the Authorization: Negotiate HTTP request header. The default maximum header size in Tomcat is 4096 bytes (4 KB); later Tomcat releases default to 8 KB, which is still too small. Under some circumstances, most commonly when the user belongs to many Active Directory groups and the ticket's authorization data (PAC) grows accordingly, the header containing the service ticket can reach 28 KB. Tomcat then rejects the request before it reaches BMC Atrium Single Sign-On, so the logon fails and the browser displays an error message.

To fix this issue, add the maxHttpHeaderSize attribute to the HTTP connector (and to the HTTPS connector, if browsers log on over HTTPS) in Tomcat's conf/server.xml, set it to a value in bytes that is large enough to accommodate the header, and restart Tomcat.
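The following connector definition is an added example, not a fragment of the product's own server.xml; the port and the other attributes are assumptions, and only maxHttpHeaderSize matters for this issue. A limit of 65536 bytes leaves headroom above the 28 KB observed for large tickets without reserving an unreasonable per-connection buffer.

```xml
<!-- Added example (not from the BMC documentation): an HTTP connector in
     <Tomcat>/conf/server.xml with the request header limit raised so that a large
     Authorization: Negotiate header (Kerberos service ticket) is accepted.
     Port, timeout and redirectPort values are assumptions. Apply the same attribute
     to every connector that receives browser logons, including the HTTPS one. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxHttpHeaderSize="65536" />
```

Do not simply set the attribute to a very large number: the header buffer is allocated per connection, so the value should be a bounded figure above the largest ticket you expect. If tickets keep growing, the underlying cause is usually excessive group membership of the affected users, which should be addressed on the Active Directory side.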

Enabling Kerberos logging on a specific computer

Microsoft Windows 2000, Windows Server 2003, and Windows Server 2008 can trace detailed Kerberos events to the System event log. You can use these events when you troubleshoot Kerberos on a client or server computer, particularly when you need to find service principal name (SPN) lookup problems.

  1. Start Registry Editor (Regedit.exe).
  2. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    (If the Parameters subkey does not exist, create it.)

  3. Add the following registry value:
    • Value Name: LogLevel
    • Data Type: REG_DWORD
    • Value: 1

  Note: With LogLevel set to 1, Windows also records errors that are part of normal Kerberos operation (for example, KDC_ERR_PREAUTH_REQUIRED), so read the events with that in mind and delete the LogLevel value, or set it to 0, when troubleshooting is complete.
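The following script performs the registry steps above, waits while you reproduce the failing logon, decodes the error code in each Kerberos event that was recorded, and removes the LogLevel value again. It is an added example and is not part of the BMC documentation; it assumes PowerShell 3.0 or later running elevated on the computer you are debugging (on Windows Server 2003 use Get-EventLog instead of Get-WinEvent), and the hints attached to each error code are the checks a practitioner would make, not text from the product.

```powershell
# Added example; not from the BMC documentation. Turns Kerberos event logging on,
# collects the events written while the SSO logon is reproduced, explains the most
# common error codes, and turns logging off again. Run elevated; PowerShell 3.0+ assumed.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosEventLogging {
    # Create the Parameters subkey if it is missing, then set LogLevel = 1 (REG_DWORD).
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-KerberosEventLogging {
    # LogLevel 1 also records errors that are part of normal operation
    # (for example KDC_ERR_PREAUTH_REQUIRED), so do not leave it enabled.
    Remove-ItemProperty -Path $Key -Name LogLevel -ErrorAction SilentlyContinue
}

# Kerberos error codes (RFC 4120) seen most often in SSO troubleshooting, with the
# check each one points to. Codes not listed are shown with the event's first line.
$ErrorHints = @{
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds the HTTP/<host> SPN; check the SPN spelling and the host name the browser actually uses'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP: no encryption type in common; align the account settings, the keytab /crypto choice and the JVM'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED: normal first round trip of a logon, not an error'
    '0x29' = 'KRB_AP_ERR_MODIFIED: the service could not decrypt the ticket; wrong key, stale kvno in the keytab, or SPN registered on the wrong account'
}

function Get-KerberosEvents {
    param([datetime]$Since)
    # Kerberos client errors are written to the System log as Event IDs 3 and 4 by the
    # Kerberos provider (displayed as "Kerberos" or "Security-Kerberos" by version).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3, 4; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos*' } |
        ForEach-Object {
            $code = if ($_.Message -match 'Error Code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1].ToLower() } else { 'n/a' }
            [pscustomobject]@{
                Time = $_.TimeCreated
                Code = $code
                Hint = if ($ErrorHints.ContainsKey($code)) { $ErrorHints[$code] } else { ($_.Message -split "`n")[0] }
            }
        }
}

$start = Get-Date
Enable-KerberosEventLogging
try {
    Write-Host 'Kerberos event logging is on. Reproduce the SSO logon in the browser, then press Enter.'
    Read-Host | Out-Null
    Get-KerberosEvents -Since $start | Format-Table -AutoSize -Wrap
}
finally {
    Disable-KerberosEventLogging   # always switch the verbose logging off again
}
```

Run it on the user's workstation to see client-side errors such as an unknown SPN, and on the BMC Atrium Single Sign-On host (when that host is a Windows domain member) to see whether the server side is also reporting Kerberos errors; the two views together usually separate an SPN or DNS problem from a keytab problem.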

 
