Ensure that Prerequisites for Configuring Kerberos Authentication are met.
On the Home page, click Identity Servers > [cluster name] > Authentication > Classes > Plus icon.
Under General, click Kerberos.
Specify the following details:
| Field | Description |
|---|---|
| Class Name | Name of the class that you can use to identify this class. |
| Java Class Path | Java class path. For example, com.novell.nidp.authentication.local.KerberosClass |
| Service Principal Name (SPN) | Specify the value of the servicePrincipalName attribute of the Identity Server user. For this example configuration, this is HTTP/amser.nam.example.com. |
| Kerberos Realm | Specify the name of the Kerberos realm. The default value for this realm is the domain name of the Active Directory server, entered in all capitals. The value in this field is case-sensitive. For this example configuration, this is AD.EXAMPLE.COM. |
| JAAS File Path | Verify the default path. This must be the same path to which you copied the keytab file (see Step 2 in Configuring the Keytab File) and end with the name of the configuration file, bcsLogin.conf. |
| Kerberos KDC | Specify the IP address of the KDC. If multiple KDCs are present for fail-over support, specify the IP addresses separated by colons (:). You can configure up to four IP addresses. If an L4 switch is configured for load balancing among KDCs, specify the virtual IP address of the L4 switch in this field. |
| User Attribute | Specify the name of the Active Directory attribute that combines the cn of the user with the DNS domain name to form its value. It is an alternate name for user login. Accept the default value unless you have set up a different attribute. |
(Conditional) If you have configured your users to have multiple User Principal Names (UPN) so they can log in using different names (such as jdoe@abc.com, jdoe@bcd.com, and jdoe@cde.com), click New, specify the suffix (such as @abc.com), then click OK.
Click Save.
IMPORTANT: You must create only one Kerberos class. This is due to a limitation in the underlying Sun JGSS.
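As an added example (not part of the product or this documentation), the following Python validator encodes the field rules stated in the table above: the SPN form HTTP/<fqdn>, the all-capitals case-sensitive realm, a JAAS path ending in bcsLogin.conf, and a KDC field of one to four colon-separated IP addresses. The dataclass and function names are assumed here, and the sample values in the comments are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed helper, not Access Manager code: checks the Kerberos class
# fields against the rules in the table (SPN, realm, JAAS path, KDC list,
# optional UPN suffixes) before they are saved in the administration console.

MAX_KDCS = 4                 # the KDC field accepts up to four addresses
JAAS_FILE = "bcsLogin.conf"  # the JAAS path must end with this file name
DOMAIN_RE = r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"


@dataclass
class KerberosClassConfig:
    spn: str            # e.g. HTTP/amser.nam.example.com
    realm: str          # e.g. AD.EXAMPLE.COM (case-sensitive)
    jaas_path: str      # path to bcsLogin.conf next to the keytab
    kdc: str            # IPv4 addresses separated by ':' (max four)
    upn_suffixes: list = field(default_factory=list)  # e.g. ["@abc.com"]


def validate_kerberos_class(cfg: KerberosClassConfig) -> list:
    """Return a list of problems; an empty list means the fields look valid."""
    problems = []
    # SPN: the servicePrincipalName of the Identity Server user, HTTP/<fqdn>
    if not re.fullmatch(r"HTTP/" + DOMAIN_RE, cfg.spn):
        problems.append(f"SPN {cfg.spn!r} is not of the form HTTP/<fqdn>")
    # Realm: the AD domain name in capitals; the field is case-sensitive
    if not cfg.realm or cfg.realm != cfg.realm.upper():
        problems.append(f"realm {cfg.realm!r} must be entered in all capitals")
    # JAAS file path: must end with the configuration file name (any OS separator)
    if cfg.jaas_path.replace("\\", "/").split("/")[-1] != JAAS_FILE:
        problems.append(f"JAAS path {cfg.jaas_path!r} must end with {JAAS_FILE}")
    # KDC field: colon-separated list, so only IPv4 literals can be expressed
    kdcs = cfg.kdc.split(":") if cfg.kdc else []
    if not 1 <= len(kdcs) <= MAX_KDCS:
        problems.append(f"KDC field must list 1 to {MAX_KDCS} addresses, got {len(kdcs)}")
    for entry in kdcs:
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            problems.append(f"KDC entry {entry!r} is not an IPv4 address")
    # UPN suffixes (conditional step): each must look like @domain.tld
    for suffix in cfg.upn_suffixes:
        if not re.fullmatch(r"@" + DOMAIN_RE, suffix):
            problems.append(f"UPN suffix {suffix!r} must look like @domain.tld")
    return problems
```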
On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify a name that you can use to identify this method. |
| Class | Select the class that you created for Kerberos. |
| User Store | Select Active Directory. If you have only one installed user store, <Default User Store> can be used. If you have multiple user stores, Active Directory must be in this list (or if it is configured to be the default user store, <Default User Store> must be in this list). |

NOTE: The testing procedure to verify Kerberos authentication depends on whether Active Directory is configured as the default user store. See Step 12.
You can configure the following properties in the method configuration when using the Kerberos class for PAC support:

- PacAvailable: The default value for PacAvailable is false. If PacAvailable is set to true, Identity Server tries to fetch and resolve the PAC/Group Object SID (for example, S-1-5-21-984308178-4145981665-1136610315-1134) from the Kerberos ticket.
- ResolvedGroupNames: The default value for ResolvedGroupNames is false. If ResolvedGroupNames is set to true, Identity Server tries to resolve the PAC/Group Object SID(s) to a group name (for example, TempSecurityGroup2) via LDAP calls to AD, based on the user store settings. If the user store directory is not Active Directory, the Object SIDs of the PAC are not resolved and are just stored.
- ExtendedParameter: This is configured by the administrator. If the property is not added, or no value is configured for it, the default value KerbPACGroups is used. The ExtendedParameter property is used to define the External Parameter Risk Rule.

For instance, risk policies can be configured based on whether a group name is available in the ExtendedParameter property. In case of low risk, the user is authenticated; in case of high risk, a step-up method is followed. The ExtendedParameter defined in the Kerberos method is used to store the Kerberos PAC info, and the ExtendedParameter RBA Rule uses this parameter to check the availability of the PAC for the user.

NOTE: The Kerberos PAC enhancement leverages the risk-based post-authentication scenario.
Click Save.
On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify a name that you can use to identify this contract. |
| URI | Specify a value that uniquely identifies the contract from all other contracts. |
| Authentication Methods | Select the Kerberos method. |
You do not need to configure other contract options.
Click Save.
(Optional) To use the procedure that verifies the authentication configuration, make the Active Directory user store the default user store.
On the Home page, click Identity Servers > [cluster name] > Configuration > Defaults.
Specify the following details:
| Field | Description |
|---|---|
| Default User Store | Select the name of your Active Directory store. |
| Default Authentication Contract | Select the name of your Kerberos contract. |
Click Save.
This allows you to log in directly to Identity Server by using the Kerberos contract. If you have already logged in to the Active Directory domain on the Windows machine, single sign-on is enabled and you are not prompted to log in to Identity Server.
On the Identity Servers page, click Update All (next to the number of servers).
Wait until the Health icon turns green. Click the Refresh icon to update the page.
If you want to configure Access Gateways to use the Kerberos contract, update these devices so that the Kerberos contract is available.
Continue with Creating the bcsLogin Configuration File.