Kerberos requires configuration in three places: Windows (the KDC and Active Directory), the MSS Administrative Console, and your browser.
To configure Windows Authentication - Kerberos support, three steps must first be done on the KDC: create a service account, assign a service principal name (SPN) to it, and generate a keytab for that SPN.
Open Active Directory Users and Computers by clicking Start | Administrative Tools | Active Directory Users and Computers.
Select the Active Directory domain in the menu on the left.
Select the New User action to display the New User wizard.
In the Full name field, type the name of your MSS deployment service account (such as my-mss-deployment).
In the User logon name field, type the same name you entered in the Full name field.
Click Next.
Assign a password to this service account. Be sure to take note of this password because it will be needed later when the keytab is generated.
Uncheck User must change password at next logon.
Check Password never expires. The keytab you generate later is derived from this password; if the password is changed or rotated, the keytab stops working and must be regenerated and re-imported into MSS.
Click Next.
Click Finish.
Open a command prompt with Administrator rights.
To verify no duplicate SPN entries exist in the forest, type the command setspn -X. An SPN that is registered on more than one account causes the KDC to issue tickets that the MSS server cannot decrypt, which shows up as an authentication failure rather than a clear error.
Type the command setspn -A HTTP/<fully-qualified-name-of-mss-server> <service-account-name>
Example: setspn -A HTTP/my-mss-server.my-company.com my-mss-deployment
Note that setspn -A registers the SPN without checking for duplicates. On Windows Server 2008 and later, setspn -S performs the duplicate check before adding and refuses to create a duplicate, so it is the safer choice. The host name in the SPN must be the fully qualified name that clients use to reach the MSS server, because the browser builds the SPN it requests from the URL's host name.
To verify the SPN was successfully added, type the command setspn -L <service-account-name>
For further help on the setspn command, use the setspn /help command.
Open a command prompt with Administrator rights.
Type the command:
ktpass -princ HTTP/<fully-qualified-name-of-mss-server>@<active-directory-domain> -mapuser <service-account-name> -pass <service-account-password> -ptype KRB5_NT_PRINCIPAL -crypto ALL -out <service-account-name>.keytab
Example:
ktpass -princ HTTP/my-mss-server.my-company.com@MYDOMAIN.COM -mapuser my-mss-deployment@MYDOMAIN.COM -pass password -ptype KRB5_NT_PRINCIPAL -crypto ALL -out my-mss-deployment.keytab
The realm after the @ must be in upper case. Be aware of two side effects of ktpass: with -pass it resets the mapped account's password to the value you supply (so use the password you assigned when creating the account, or pass -pass * to be prompted instead of putting the password on the command line), and by default it also changes the account's user principal name (UPN) to the principal given in -princ. The -crypto ALL option writes a key for every encryption type the domain supports (RC4 and AES); the keytab file is then only valid for the password in effect when it was generated.
Make sure the keytab file that is created is available when configuring Windows Authentication - Kerberos in the MSS Administrative Console.
Notes:
The keytab file contains the service account's long-term Kerberos keys, which are equivalent to its password: anyone who obtains it can decrypt service tickets for the MSS server and impersonate it to clients. Restrict its permissions to the administrators who need it, transfer it only over a protected channel, and delete working copies once it has been imported.
You can use any name for the keytab file.
If setting up a cluster of MSS servers, this keytab file with a single SPN (the name clients use to reach the cluster) is all that is needed.
See Configuring Kerberos for Clustered Servers for further details.
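The three KDC-side steps above (service account, SPN, keytab), collected into one PowerShell script as an added example. This is not code from the MSS documentation or product; the domain, host, account name and file path are placeholders, and the script assumes the ActiveDirectory module is available and that it is run as a domain administrator on a domain controller or a host with RSAT installed. It uses setspn -S rather than setspn -A so a duplicate SPN aborts the run instead of silently breaking authentication, prompts for the password instead of embedding it, and restricts the encryption types on the account to AES (an optional hardening; omit that line if the MSS server must accept RC4 tickets).

```powershell
# Added example: provision the Kerberos service account, SPN and keytab for an MSS server.
# Not part of the MSS documentation. All names below are assumed placeholders.
Import-Module ActiveDirectory

$Domain     = 'my-company.com'                  # AD DNS domain name (assumption)
$Realm      = $Domain.ToUpper()                 # Kerberos realm is the upper-cased domain name
$MssHost    = "my-mss-server.$Domain"           # FQDN clients use to reach MSS (assumption)
$Account    = 'my-mss-deployment'               # service account sAMAccountName (assumption)
$Spn        = "HTTP/$MssHost"
$KeytabPath = Join-Path $env:USERPROFILE "$Account.keytab"

# Prompt for the password rather than hard-coding it; ktpass needs it in clear text on its command line.
$Secure = Read-Host -Prompt "Password for $Account" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password

# 1. Service account: no forced password change, never expires, logon name equals the display name.
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" `
    -AccountPassword $Secure -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# Optional hardening: only issue AES service tickets for this account (drop if RC4 is required).
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# 2. SPN: setspn -S checks the whole forest for a duplicate first and fails instead of adding one.
& setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "SPN $Spn is already registered or could not be added" }
& setspn -L $Account      # show what is now registered on the account

# 3. Keytab. ktpass resets the account password to -pass and, by default, sets the account's UPN
#    to the principal, so it is run exactly once with the password chosen above.
& ktpass -princ "$Spn@$Realm" -mapuser "$Account@$Domain" -pass $Plain `
    -ptype KRB5_NT_PRINCIPAL -crypto ALL -out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed; keytab not written" }

# 4. The keytab is equivalent to the password: strip inherited ACLs and grant only the current
#    user and Administrators access until it has been imported into the MSS Administrative Console.
icacls $KeytabPath /inheritance:r /grant:r "${env:USERNAME}:F" "Administrators:F" | Out-Null
Write-Host "Keytab written to $KeytabPath for $Spn@$Realm"
```

Run the script once per MSS deployment. If it stops at the setspn step, find the account that already holds the SPN with setspn -Q HTTP/<fully-qualified-name-of-mss-server> and remove it there before retrying; do not register the same SPN on two accounts.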
After the KDC and Active Directory have been configured and the keytab file generated, configure Kerberos in the MSS Administrative Console by following these steps:
Navigate to Configure Settings - Authentication & Authorization and click Windows Authentication - Kerberos.
Select the desired Authorization method.
In the Kerberos Configuration section, enter the following:
Realm - The name of your Kerberos realm, which is normally the Active Directory domain name in upper case. For example, MYCOMPANY.COM.
Service Principal Name (SPN) - The SPN created for your MSS instance. Enter the SPN using the indicated format: HTTP/<fully-qualified-domain-name>@<REALM-NAME>. This must match, character for character, the principal given to ktpass.
Key Distribution Center (KDC) - Specify the host name of the KDC (domain controller).
Port - Enter the KDC port if different from the default of 88.
Click IMPORT to upload the keytab file generated on the KDC. This file must be available on the system used to access the MSS Administrative Console.
Click TEST CONNECTION to test that the KDC can be accessed.
In the LDAP Servers section, click ADD to configure the Active Directory used by the KDC.
(See LDAP Configuration for further details).
Click Apply.
Notes:
The SPN must be the SPN that was registered on the KDC with setspn.
The SPN must be present in the keytab file that is uploaded; a keytab generated for a different principal, or before the account password was last changed, will not decrypt service tickets even though the import succeeds.
You must configure an LDAP server with Windows Active Directory as the Server type.
Active Directory is the only supported LDAP Server type for Windows Authentication - Kerberos.
Now that your single MSS server is configured for Windows Authentication - Kerberos, it is a good idea to verify that the configuration is working correctly.
Steps to verify:
Use a client system that is a member of the Active Directory domain.
Log onto the client system using the credentials of a user that is a member of the Active Directory domain.
If not already done, configure your browser for Kerberos. Refer to your browser's help for instructions on how to enable Kerberos. In general, the browser must be told that the MSS server's fully qualified host name is trusted for integrated (Negotiate) authentication: Internet Explorer and Edge use the Local intranet zone, Firefox the network.negotiate-auth.trusted-uris preference, and Chrome the AuthServerAllowlist policy or the Windows zone settings.
Once configured for Kerberos, use that browser to access the url:
https://<fully-qualified-mss-server>:9443/osp/a/hc/auth/app
To verify your Kerberos configuration:
When configured correctly, the user logged into the client machine is logged into the web application without being prompted for any credentials.
When not configured correctly, you may see a prompt for credentials, which indicates that LDAP fallback has occurred, or you may encounter an error message. If this happens, see Troubleshooting Kerberos Configuration for assistance.
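A scripted version of the same check, added here as an example and not taken from the MSS documentation. Run it in PowerShell on the domain-joined client, logged on as the domain user. The host name and URL are placeholders. It separates the three things that can fail: name resolution, obtaining a service ticket from the KDC for the SPN (which does not involve MSS at all), and the HTTP negotiation with the MSS server. The login-form detection in the last step is a heuristic assumption, not MSS's documented behaviour.

```powershell
# Added example: verify the client side of a Kerberos logon to MSS without a browser.
# Not part of the MSS documentation. Host name and URL are assumed placeholders.
$MssHost = 'my-mss-server.my-company.com'
$Spn     = "HTTP/$MssHost"
$Url     = "https://${MssHost}:9443/osp/a/hc/auth/app"

# 1. The name in the URL must resolve; if it is a CNAME, the browser may build the SPN from
#    the canonical name instead, which is then not the SPN that was registered.
Resolve-DnsName -Name $MssHost | Format-Table Name, Type, IPAddress, NameHost -AutoSize

# 2. Ask the KDC directly for a service ticket for the SPN. This fails if the SPN is missing
#    or registered twice, independently of any MSS or browser configuration.
klist purge | Out-Null
klist get $Spn | Out-Null
$ticket = klist | Select-String -Pattern "Server:\s+$([regex]::Escape($Spn))" -Context 0, 6
if (-not $ticket) {
    throw "No service ticket for $Spn was issued; check the registration with: setspn -Q $Spn"
}
# The context lines show the ticket's encryption type, which must be one the keytab contains.
$ticket

# 3. Request the page with the logged-on user's Kerberos identity. A 200 without a login form
#    means SPNEGO succeeded; a page containing a password field suggests LDAP fallback.
$resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -MaximumRedirection 5
"HTTP status: $($resp.StatusCode)"
if ($resp.Content -match 'type="password"') {   # heuristic assumption about the fallback page
    Write-Warning "Response contains a password field: Kerberos was not used (LDAP fallback?)"
} else {
    "No credential prompt in the response: Kerberos logon succeeded."
}
```

If the MSS server presents a certificate the client does not trust, Invoke-WebRequest fails before any authentication takes place; fix the trust first, since a browser would also refuse the connection. A failure at step 2 points at the KDC-side configuration (SPN or account), and a failure only at step 3 points at the keytab, the SPN entered in the Administrative Console, or the browser trust settings.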
Notes:
When using Kerberos authentication for Reflection Desktop clients, the browser on the client system must also be configured for Kerberos, as described in the verification steps above.