Phased rollout: This version is currently available to SaaS customers only. It will be available to on-premises customers soon.

Configuring Active Directory as an identity provider for Kerberos authentication


To set up Kerberos authentication on your BMC Helix Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. This topic describes how to configure Active Directory as an IdP. 

Perform the tasks described in this topic to configure Active Directory as an identity provider:

  1. As an Active Directory (AD) administrator, create a service account in Active Directory.
  2. As an AD administrator, add an SPN mapping for the service account.
  3. (Optional) As a user who has access to the domain controller, generate a keytab file if you want to provide the credentials through a keytab file.

Before you begin

As an AD administrator, you must have the following information in place:

  • The user name and password of the service account that the BMC Helix SSO server will use to connect to the Domain Controller for authentication.
  • The FQDN of the machine where the BMC Helix SSO server is installed.
  • Administrative permissions to run the ktpass command.

To create a service account in Active Directory

  1. Go to the Active Directory.
  2. Right-click Users and select New > User.
  3. Enter the user name and the user logon name in the First name and User logon name fields.
  4. Click Next.
  5. Enter the user password in the Password and Confirm password fields.
  6. Select the User cannot change password and Password never expires check boxes.
  7. Click Next.
  8. Click Finish.

To add a Service Principal Name mapping for the service account

From any directory on the Active Directory machine, run the following command:

setspn -S HTTP/<HOST> <USER> 

The following table describes the command variables:

Variable   Description
<HOST>     Fully qualified domain name of the host on which the BMC Helix SSO server runs, including the internet domain.
<USER>     Logon name of the service account.

Example:

setspn -S HTTP/access.bmc.com remedyssoservice

Important

If the BMC Helix SSO server does not run on the default HTTP or HTTPS port, the port must be registered as part of the SPN as well.

After you run the command, the HTTP/<HOST> Service Principal Name (SPN) is automatically assigned to the service account.

To generate a keytab file

In an appropriate directory on the BMC Helix SSO server, run the following command in the command line interface:

ktpass /out <FILE> /princ HTTP/<HOST>@<DOMAIN> /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

The following table describes the command variables:

Variable     Description
<FILE>       Name of the keytab file that will be generated.
<HOST>       Fully qualified domain name of the host on which the BMC Helix SSO server runs, including the internet domain.
<DOMAIN>     The Active Directory domain name, written in uppercase.
<PASSWORD>   Password of the service account.

Example:

ktpass /out c:\remedyssoservice.keytab /princ HTTP/access.example.com@RSSO.COM /crypto ALL /pass RemedySs0service /ptype KRB5_NT_PRINCIPAL /Target RSSO.COM /kvno 0

A keytab contains the Service Principal Name (SPN) credentials that the BMC Helix SSO server uses to communicate with the Domain Controller. Clients use the SPN to request a service ticket during the authentication process.
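Before handing the keytab to the SSO server, it is worth confirming what it actually contains: the HTTP/<HOST>@<DOMAIN> principal, the expected kvno, and no deprecated encryption types (with /crypto ALL, ktpass writes a key for every type the account allows, which can include RC4 and DES). The following inspector is an added example, not BMC's code or a ktpass feature; it reads the MIT version-2 keytab layout that ktpass produces, never returns key bytes, and the sample keytab it parses is constructed inside the block.

```python
# Inspect a Kerberos keytab (MIT v2 layout, what ktpass writes): list principals,
# kvno and enctypes and flag deprecated ones. Key bytes are read past, never returned.
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 16, 23}   # deprecated by RFC 6649 / RFC 8429

def _ostr(buf, pos):    # counted octet string: uint16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _ostr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _ostr(data, pos)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen        # step over name type, timestamp, vno8, keyblock header and key
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "weak": enctype in WEAK})
        pos = end
    return entries

def build_entry(principal, enctype, kvno, key):
    # Constructed sample data only: encode one entry the way a keytab stores it.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed two-entry keytab: AES256 and RC4 keys for the same SPN (dummy key bytes).
SAMPLE = b"\x05\x02" + build_entry("HTTP/access.example.com@RSSO.COM", 18, 3, b"\0" * 32) + \
         build_entry("HTTP/access.example.com@RSSO.COM", 23, 3, b"\0" * 16)
```

Running parse_keytab over a real file (open it in binary mode) lists each principal with its kvno and enctype; any entry flagged weak indicates a key the account should not be offering.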

Where to go from here

Configuring a realm for Kerberos authentication
