This documentation supports the 24.2 and consecutive patch versions of BMC Helix Single Sign-On.

Configuring a realm for Kerberos authentication
After the identity provider (IdP) administrator has configured the IdP for Kerberos authentication, you can configure your realm for Kerberos authentication.

Before you begin

As a BMC Helix Single Sign-On administrator, perform the following tasks:

  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
  • Obtain the following information:
    • Machine name of the Key Distribution Center.
    • Existing Kerberos realm on the Key Distribution Center.
    • Service account name and service account password for BMC Helix SSO if you plan to use the SPN credential type.
    • Keytab file if you plan to use the keytab credential type.

To configure the Kerberos authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, click KERBEROS.
  3. Enter the required Kerberos details:

    KDC Server
        Name of the machine where the Active Directory Domain Controller is hosted.
        Example: ker.114kdc.local

    Kerberos Realm
        Name of the Kerberos realm. You must enter the realm in upper case.
        Example: RSSO.COM

    Service Principal Name (SPN)
        • If a keytab is used, provide the full form of the SPN. For example, HTTP/access.bmc.com.
        • If a keytab is not used, specify the login name of the integration user.

    Credential Type
        Credential type that the BMC Helix SSO server uses to log on to Active Directory. Select one of the following:
        • SPN Password
        • Keytab File

    SPN Password
        Password for the service account. This field is available only if you select SPN Password in the Credential Type field.

    Keytab File
        Path to the keytab file. This field is available only if you select Keytab File in the Credential Type field.
        In a BMC Helix SSO server cluster environment, every BMC Helix SSO server node must contain the same keytab file at the same path.

    UserId Format
        Select one of the following formats from the list to transform the user ID after a successful login:
        • user - Retains the User ID
        • user@domain - User ID with the Kerberos domain as suffix
        • domain\user - User ID preceded by the domain

    User ID Transformation
        Options to transform the login IDs provided by the authentication provider to match the user IDs available in the user store. For more information, see Transforming-userID-to-match-login-ID.

    Included IP Range(s)
        The IP addresses for Kerberos authentication. You can also specify multiple IP addresses or ranges, separated by commas.
        Only clients whose IP address matches one of the entries configured in this field are authenticated by Kerberos. Requests from IP addresses that do not match any entry are passed on to the next IdP in the authentication chain.
        If you do not specify any IP address, the BMC Helix SSO server authenticates all IP addresses using Kerberos authentication.
        The following table provides examples of entries that you can configure:

        Example                     Description
        127.0.0.1                   Single IP address.
        127                         Value for IP address 0.0.0.127.
        127.0.0.*                   All IPs from 127.0.0.1 to 127.0.0.255, such as 127.0.0.1, 127.0.0.2, and so on.
        127.0.0.1-255               A range of IP addresses from 127.0.0.1 to 127.0.0.255.
        127.0.0.1/8                 All IPs from 127.0.0.1 to 127.255.255.255.
        IPv6 2620:0:2d0:200::7/32   All IPs from 2620:0:0:0:0:0:0:0 to 2620:0:ffff:ffff:ffff:ffff:ffff:ffff.

  4. Click Test to verify the settings.
  5. (Optional) Select the Enable AR authentication for bypass check box to allow the bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling-AR-authentication-for-bypassing-other-authentication-methods.
  6. (Optional) Click Enable Chaining Mode to enable authentication chaining. For more information about the authentications that you can chain with LDAP, see Enabling-authentication-chaining-mode.
  7. Click Save.
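Because a client that does not match the Included IP Range(s) field silently falls through to the next IdP, it is worth checking which clients a given value selects before saving the realm. The following reference matcher is an added example, not BMC's code; it applies the entry syntax from the table above (single address, bare integer, trailing wildcard, last-octet range, and IPv4/IPv6 CIDR), and the exact parsing rules beyond those documented examples are an assumption.

```python
import ipaddress
import re

# Reference matcher for the "Included IP Range(s)" entry syntax shown in the
# table. Assumption: this mirrors the documented examples, not BMC's own code.

def _entry_matches(entry, client):
    entry = entry.strip()
    if entry.lower().startswith("ipv6"):            # table writes "IPv6 <prefix>/<len>"
        entry = entry[4:].strip()
    if "/" in entry:                                 # CIDR, IPv4 or IPv6
        net = ipaddress.ip_network(entry, strict=False)  # 127.0.0.1/8 -> 127.0.0.0/8
        return client.version == net.version and client in net
    if client.version != 4:
        return False                                 # remaining forms are IPv4 only
    if entry.isdigit():                              # bare integer, e.g. "127" -> 0.0.0.127
        return client == ipaddress.IPv4Address(int(entry))
    octets = entry.split(".")
    if len(octets) != 4:
        return False
    for want, got in zip(octets, str(client).split(".")):
        if want == "*":                              # wildcard octet, e.g. 127.0.0.*
            continue
        rng = re.fullmatch(r"(\d+)-(\d+)", want)     # octet range, e.g. 127.0.0.1-255
        if rng:
            if not int(rng.group(1)) <= int(got) <= int(rng.group(2)):
                return False
            continue
        if want != got:
            return False
    return True


def kerberos_applies(included_ranges, client_ip):
    """True if the client is sent to Kerberos; False means the request is
    passed to the next IdP in the chain. An empty field selects every client."""
    client = ipaddress.ip_address(client_ip)
    entries = [e for e in included_ranges.split(",") if e.strip()]
    if not entries:
        return True
    return any(_entry_matches(e, client) for e in entries)


if __name__ == "__main__":
    # Constructed sample: a corporate range plus the documented IPv6 prefix.
    field = "10.0.0.0/8, 192.168.1.*, IPv6 2620:0:2d0:200::7/32"
    for ip in ("10.4.5.6", "192.168.2.9", "2620:0:ffff::1"):
        print(ip, "->", "Kerberos" if kerberos_applies(field, ip) else "next IdP")
```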

Where to go from here

Configuring-browser-settings-for-Kerberos-authentication
