Setting up Kerberos authentication in Remedy SSO

Remedy Single Sign-On (Remedy SSO) supports Kerberos authentication.You can configure the Remedy Single Sign-On server to authenticate TrueSight Operations Management users through a Kerberos authentication.

The following topics help you to perform the above tasks in Remedy SSO and create an authorization profile in the TrueSight console:


Related topics

Configuring tenants in Remedy SSO

To enable multi-tenancy in Presentation Server

Managing-authorization-profiles
Role-based access

Before you begin

  • You must have installed and configured the Remedy SSO to work with the Presentation Server and its component products. For details, see Planning to deploy Remedy SSO and Installing Remedy Single Sign-On.

  • You must have created an equivalent local user(and its associated local usergroup) for every Kerberos user that needs to log into the Presentation Server. This is required because the Remedy SSO server cannot obtain usergroup information from the Kerberos identity provider for the successfully logged in Kerberos user. Therefore, you need to create an equivalent local user with the exact name as the Kerberos user and associate that local user with the desired local usergroup. For details on creating local users and usergroups in Remedy SSO using the import utility, perform the Migrating internal user data from Atrium SSO to Remedy SSO procedure.

  • You must have added a non-default tenant (realm) in addition to the default * tenant (realm). Configuring-tenants-for-the-Presentation-Server-in-Remedy-SSO.

  • You must have configured a multi-tenant environment by enabling the msp parameter. For enabling multi-tenancy, see To enable multi-tenancy in Presentation Server.

    Note

    Kerberos cannot be configured using the * (default realm) tenant.

  • Create a service account in Active Directory and configure the Service Principal Name (SPN)
  • Obtain the following information:
    • Host name of the Key Distribution Center (KDC)
    • Kerberos realm created for Remedy SSO on Key Distribution Center
    • Service account name for Remedy SSO
    • Service account password if SPN credential type is to be used
    • Keytab file if keytab credential type is to be used

Configuring Active Directory  as an IdP for Kerberos

To set up Kerberos authentication on your Remedy Single Sign-On server, you must first configure the identity provider (IdP) for Kerberos authentication. To configuring Active Directory as an IdP, perform the steps mentioned in Configuring Active Directory as an identity provider for Kerberos authentication topic.


Configuring Kerberos authentication in Remedy SSO for the TrueSight Presentation Server

Perform the following procedures to configure the Kerberos authentication for TrueSight Presentation Server:

To configure the Kerberos authentication in Remedy SSO for the TrueSight Presentation Server

  1. Log in to the Remedy SSO Admin console.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  3. In the Authentication Type field, click KERBEROS.

  4. Enter the Kerberos details. For more information on parameters, see Kerberos authentication parameters.

    Important

    When you configure the Kerberos authentication parameters for the Presentation Server, you must set the User ID Transformation field. For example, if your User ID Format value is domain\user or user@domain, you must set the User ID Transformation to RemoveDomain.

  5. Click Test to verify the settings.
  6. Click Save.
  7. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  8. In the Authentication Type field, click Kerberos and click Enable Chaining Mode.
  9. Click Add Authentication.
  10. In the Authentication Type field, click LOCAL.
  11. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
  12. Create users and user groups for the LOCAL authentication. 
    The users in LOCAL should be exactly same as the users in Kerberos identity provider.
    Alternatively, the users can also be created using import script under the migration utility.
  13. Associate users to the user groups.
  14. Click Save.
Important

 Add the LOCAL authentication entry below the Kerberos authentication entry, and do not promote or move the LOCAL entry above the Kerberos entry.

Notes

Configuring a realm and browser settings for Kerberos authentication

After the identity provider (IdP) administrator has configured the IdP for Kerberos authentication, you can do the following:

To create or edit an authorization profile with Kerberos users in the Presentation Server

  1. Log in to the TrueSight console as a Super Admin.
  2. Navigate to Administration>Authorization Profiles.
  3. Create a new authorization profile or edit an existing authorization profile to associate the user groups.

  4. Select a tenant other than the * (asterisk) tenant that you configured in Remedy Single Sign-On for Kerberos users and select Edit under User Groups

    Note

    Do not select the * (asterisk) tenant for the Kerberos users.

    authprofile_kerb_113.png

  5. Click Add and select the Kerberos user group from the list of user groups.
  6. Select the required roles from the list roles.
  7. (Optional) Select the required objects from the list of object.
  8. Select OK and then Save.
  9. Select Yes to confirm changes to the authorization profile.
  10. Log out of the TrueSight console.

  11. Configure the browsers for Kerberos authentication to work. For more information, see Configuring browser settings for Kerberos authentication.

  12. Log in to the TrueSight console as a Kerberos user.
    A two-step authentication screen is displayed.
  13. Type the Kerberos realm Application Domain name and click Submit.
    The Kerberos login screen is displayed.
  14. Type the Kerberos login credentials and click Login.
    The TrueSight console is displayed.


Related topics

Transforming User ID to match Login IDTroubleshooting authentication issues

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*