This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Generating a keytab file for the service principal


A keytab file holds the service principal name (SPN) credentials used to communicate with the KDC or AD domain controller. The file contains sensitive key material that the BMC Atrium Single Sign-On servers use when working with the Key Distribution Center (KDC) and Active Directory (AD). For MIT Kerberos, the ktadd command adds the keys to the keytab file; for Active Directory, the ktpass command creates the keytab file and maps the Kerberos service name to the Active Directory identity.

Note

Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions to keytab files must be restricted and monitored.

To generate a keytab file for Active Directory

If you are using Active Directory for Kerberos authentication, log on to the domain controller as a user with administrator permissions and perform the following steps.

  1. Generate the keytab file.
    Use the ktpass command-line utility to export the keytab file. Running the following ktpass command generates a keytab file and creates a mapping that associates the Kerberos service name with the identity in Active Directory.

    ktpass -out <file> -mapuser <user> -princ HTTP/<host>@<DOMAIN> -pass <password> -ptype KRB5_NT_PRINCIPAL -target <DOMAIN> -kvno 0

    In this example, the following definitions apply:

    • <file> is the name of the keytab file that you are generating.
    • <user> is the logon name of the user that you created in Active Directory for authentication.
    • <host> is the fully qualified domain name (FQDN) of the host on which the BMC Atrium SSO server runs. In BMC Atrium Single Sign-On HA mode, <host> should be the load balancer FQDN.
    • <password> is the password of the principal account (user) that you created in Active Directory for authentication.
    • <DOMAIN> is the Active Directory domain name.

    Notes

    • You can also change the hostname through the hosts file. If you do so, you might need to restart the browser and reboot the system for the name change to take effect.
    • The internet domain and the Active Directory domain are different domains. The internet domain forms a hierarchy of computer names for mapping a computer name to a host address. The Active Directory domain groups users for authentication purposes, and it maps to a Kerberos realm. The Active Directory domain can also be different from the BMC Atrium SSO internet domain.
    • You might experience a Kerberos authentication issue if /kvno 0 is not specified in the ktpass command. For more information, see Invalid-KVNO-for-Kerberos-authentication.

    Service names are not case sensitive for Active Directory, but they are case sensitive for Kerberos. Use the following conventions:

    • Kerberos realms (and Active Directory Domains) are written in uppercase.
    • Hostnames are written in lowercase.
    • Database lookups are case sensitive.

The ktpass command automatically assigns the HTTP/<host> SPN to the user.

Note

The case-sensitivity constraint means that the principal names in the mappings must be written using the same case as the names returned by a domain-name lookup. Active Directory is not case sensitive, while Kerberos is.

ktpass command example

C:\>ktpass -out ssohost.keytab -mapuser atriumsso -princ HTTP/sample-host.bmc.com@DOMAIN.COM -pass atriumSs0service -ptype KRB5_NT_PRINCIPAL /Target DOMAIN.COM /kvno 0


This example illustrates the best practice for the components of the SPN:

  • HTTP—All uppercase letters.
  • sample-host.bmc.com—All lowercase letters.
  • DOMAIN.COM—All uppercase letters.

In addition, note that the user name does not contain any spaces.
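Added example, not BMC's code: a small Python reader for the keytab format that both ktpass and ktadd write (MIT keytab version 0x0502). It lists each entry's principal, kvno and enctype without returning key material, and flags entries that depart from the case conventions and the kvno 0 requirement described above. The sample keytab bytes are constructed inline with dummy keys.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 0x0502, big-endian integers

def build_entry(realm, comps, kvno, enctype, key):
    """Serialise one keytab entry (helper used only to construct the sample below)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type 1 = KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock (enctype, length, key bytes)
    body += struct.pack(">I", kvno)                      # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body

# Constructed sample: one entry as the page's ktpass example would write it and one that
# breaks every convention. Keys are dummy bytes, not real Kerberos keys.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
    + build_entry("DOMAIN.COM", ["HTTP", "sample-host.bmc.com"], 0, 23, b"\x11" * 16)
    + build_entry("domain.com", ["http", "Sample-Host.bmc.com"], 3, 23, b"\x22" * 16))

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] per live entry; key bytes are never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off += -size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        strings = []
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off); off += 2
            strings.append(data[off:off + n].decode()); off += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4 + klen
        # 32-bit kvno is present only if bytes remain; a zero value means "use vno8"
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        off = end
    return entries

def check_entry(principal, kvno):
    """Flag departures from the conventions above: service and realm uppercase, host lowercase, kvno 0."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    checks = [(service != service.upper(), "service name is not uppercase"),
              (host != host.lower(), "host is not lowercase"),
              (realm != realm.upper(), "realm is not uppercase"),
              (kvno != 0, "kvno is %d, not 0" % kvno)]
    return [msg for bad, msg in checks if bad]
```

To audit a real file, pass `open("ssohost.keytab", "rb").read()` to parse_keytab and run check_entry on each result before deploying the keytab to the SSO server.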

To generate a keytab for MIT Kerberos

If you are using MIT Kerberos for authentication, log on to the domain controller computer as a user with administrator permissions and perform the following steps.

Use the ktadd command-line utility to generate the keytab file.

ktadd -k <file> HTTP/<host>@<DOMAIN>

In this example, the following definitions apply:

  • <file> is the name of the keytab file that you are generating.
  • <SPN> is the user name of the identity for the BMC Atrium Single Sign-On service.
  • <host> is the fully qualified domain name (FQDN) of the host on which the BMC Atrium SSO server runs. In BMC Atrium Single Sign-On HA mode, <host> should be the load balancer FQDN.
  • <DOMAIN> is the domain name.

ktadd command example

C:\>ktadd -k sso.keytab HTTP/sample-host.bmc.com@DOMAIN.COM

This example illustrates the best practice for the components of the SPN:

  • HTTP—All uppercase letters