You can use Kerberos as an authentication method for the identity applications that allow SSO. This also allows users to use Integrated Windows Authentication to log in to the applications. This section provides instructions for configuring Active Directory to use Kerberos for connecting to the identity applications:
Use the Active Directory administration tools to configure Active Directory for Kerberos authentication. You need to create a new Active Directory user account for Identity Governance, Identity Reporting, and Workflow Engine. If Identity Governance, Identity Reporting or Workflow Engine are not on the same server, you must create three accounts. The user account name must use the DNS name of the server that hosts Identity Governance or Identity Reporting or Workflow Engine.
NOTE:For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.
As an Active Directory administrator, use the Microsoft Management Console (MMC) to create a new user account with the DNS name of the server that hosts Identity Governance or Identity Reporting.
For example, if the DNS name of the server is idgov.mycompany.com, use the following information to create the user:
First name: idgov
User login name: HTTP/idgov.mycompany.com
Pre-windows logon name: idgov
Set password: Specify the appropriate password. For example: Passw0rd.
Password never expires: Select this option.
User must change password at next logon: Do not select this option.
Associate the new user with the Service Principal Name (SPN).
In the Active Directory server, open a cmd shell.
At the command prompt, enter the following:
setspn -A HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN userID
For example:
setspn -A HTTP/idgov.mycompany.com@MYCOMPANY.COM idgov
Verify setspn by entering setspn -L userID.
To generate the keytab file, use the ktpass utility:
At the command line prompt, enter the following:
ktpass /out filename.keytab /princ servicePrincipalName /mapuser userPrincipalName /mapop set /pass password /crypto ALL /ptype KRB5_NT_PRINCIPAL
For example:
ktpass /out idgov.keytab /princ HTTP/identity-governance.mycompany.com@MYCOMPANY.COM /mapuser idgov /mapop set /pass Passw0rd /crypto All /ptype KRB5_NT_PRINCIPAL
IMPORTANT:For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.
Copy the rbpm.keytab file to your Identity Governance server.
An an Administrator in Active Directory, create an end user account with the MCC to prepare for SSO.
The end user account name must match some attribute value of an eDirectory user to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.
(Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.
(Optional) Repeat these steps for Workflow Engine if you installed it on a separate server.
Configure the server for Identity Governance, Identity Reporting, or the server for Workflow Engine to accept the Kerberos configuration by proceeding to Section 10.4.2, Configuring the Servers for Identity Governance and its Components.
You must configure your Identity Governance, Identity Reporting, and the Workflow Engine servers to use the Kerberos keytab file and the user account that you created in Active Directory. Ensure that you complete Section 10.4.1, Configuring the Kerberos User Account in Active Directory before proceeding.
NOTE:For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.
To define your operating system settings for the Kerberos configuration, complete the following steps:
Open the krb5 file in a text editor on the Identity Governance server.
Linux: /etc/krb5.conf
Windows: C:\Windows\krb5.ini
Add the following information to the krb5 file:
[libdefaults] default_realm = WINDOWS-DOMAIN kdc_timesync = 0 forwardable = true proxiable = false [realms] WINDOWS-DOMAIN = { kdc = FQDN Active Directory Server admin_server = FQDN Active Directory Server } [domain_realm] .your.domain = WINDOWS-DOMAIN your.domain = WINDOWS-DOMAIN
For example:
[libdefaults] default_realm = MYCOMPANY.COM kdc_timesync = 0 forwardable = true proxiable = false [realms] MYCOMPANY.COM = { kdc = myadserver.mycompany.com admin_server = myadserver.mycompany.com } [domain_realm] .mycompany.com = MYCOMPANY.COM mycompany.com = MYCOMPANY.COM
Save the changes and close the krb5 file.
To define the Kerberos configuration information for Apache Tomcat, complete the following steps:
Create a sample Kerberos_login.config file on the Identity Governance server where the Apache Tomcat instance is running with the following content:
NOTE:The novlua user needs permissions to create the Kerberos_login.config file.
com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required debug="true" refreshKrb5Config="true" useTicketCache="true" ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache" doNotPrompt="true" principal="HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN" useKeyTab="true" keyTab="/absolute_path/filename.keytab" storeKey="true"; };
An example on a Windows server is as follows:
keyTab="c:\\NetIQ\\IdentityGoverance\\apps\\tomcat\\kerberos\\rbpm.keytab"
In the file, specify values for principal and keyTab. For example:
principal="HTTP/idgov.mycompany.com@MYCOMPANY.COM" keyTab="/home/usr/rbpm.keytab"
The value for principal must match the same value that you specified for Kerberos. For more information, see Step 3.
Provide the absolute path of the keytab file on your Identity Governance server. The file does not have to reside in the default directory for Identity Governance.
Refer to the Kerberos_login.config file in JVM java.security file with the following line:
login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config
The path listed is the default installation location for a Linux server.
An example of the java.security file on a Windows server is as follows:
login.config.url.1=file:c:/NetIQ/IdentityManager/apps/tomcat/kerberos/Kerberos_login.config
To specify the authentication method in the Identity Governance Configuration utility, complete the following steps:
Launch the Identity Governance Configuration Update utility on the Identity Governance server. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the Authentication tab.
At the end of the page, click Show Advanced Options.
Under Authentication Method > Method select Kerberos.
In the Mapping attribute name field, specify cn.
Select any of the following options that apply to your environment:
Enable fallback reCAPTCHA and provided the additional required information. For more information, see Section 9.2.5, Configuring OSP to Use Google reCAPTCHA.
Enable fallback two-factor authentication
Use logout landing page
Click OK to save the changes.
Restart Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
(Optional) Repeat these steps for Identity Reporting if you installed it on a separate server.
(Optional) Repeat these steps for Workflow Engine if you installed it on a separate server.
Configure the browsers that end-users use to access the identity applications. For more information, see Section 10.4.3, Configure Browsers to Use Integrated Windows Authentication.
The browsers used to access Identity Governance, Identity Reporting, and Workflow Engine also need to be configured for Integrated Windows Authentication. This section provides instructions for configuring an end-user computer to support single sign-on access using Integrated Windows Authentication.
NOTE:You must perform this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance, Identity Reporting and Workflow Engine.
Log in to the computer where users need single sign-on access.
Open the Internet options control panel.
Click Security.
Click Trusted Sites > Sites.
Add the DNS name of the Identity Governance, Identity Reporting, and Workflow Engine server.
For example: idgov.mycompany.com
Click Add, then click Close.
Click Custom level....
Under User Authentication, select Automatic logon with current user name and password.
Click OK.
In Internet Options, click Advanced.
Under Security, select Enable Integrated Windows Authentication.
Repeat this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance, Identity Reporting., and Workflow Engine.