Kerberos Authentication

The Kerberos Authentication resource template represents a Kerberos authentication service.

SAML Options

SAML assertions are accessed from a security context and can be propagated between components to achieve single sign-on.

| Property | Required? | Editable? | Accepts SVars? | Description |
|---|---|---|---|---|
| Validity of SAML Tokens (s) | N | Y | Y | The duration of the validity of the SAML tokens. Default: 600 s. |
| Signer of SAML Tokens | N | Y | Y | The name of an Identity Provider resource that identifies the signer of the SAML tokens. |

Configuration File

| Property | Editable? | Required? | Accepts SVars? | Description |
|---|---|---|---|---|
| Kerberos Realm | N | Y | N | The Kerberos realm. Default: None. |
| Key Distribution Center | N | Y | N | The Kerberos key distribution center. Default: None. |
| Kerberos Configuration File Option | N | Y | N | The method for specifying the location of the Kerberos configuration file. One of: System Specific Default Location - Use the system-specific default location; Custom Configuration File - Use a custom configuration file. Enables the Custom Configuration File Name field; Generated - Use a generated configuration file. Enables the Generated Configuration File field and all other fields whose values are used in generating the configuration file. Default: System Specific Default Location. |
| Custom Configuration File Name | Y | Y | Y | The fully-qualified path to the configuration file. Default: None. |
| Generated Configuration File Name | Y | Y | Y | The fully-qualified path to which the generated configuration file is saved. Default: None. |
| Default DNS Domain | Y | Y | Y | The default DNS domain to which the Kerberos realm belongs. Default: None. |
| Addressless Tickets | Y | N | N | Indicate that the initial Kerberos ticket will be addressless. Default: Checked. |
| Proxiable Tickets | Y | N | N | Indicate that the initial Kerberos ticket will be proxiable. Default: Checked. |
| Forwardable Tickets | Y | N | N | Indicate that the initial Kerberos ticket will be forwardable. Default: Unchecked. |
| Clock Skew (s) | Y | N | Y | The maximum allowable amount of clock skew before a Kerberos message is assumed to be invalid. Default: 600. |
| Ticket Lifetime (h) | Y | N | Y | The lifetime for initial tickets. Default: 24. |
| Renew Lifetime (h) | Y | N | Y | The renewable lifetime for initial tickets. Default: None. |
| Client TGS Encryption | Y | N | N | The encryption types to use for the session key in the ticket granting ticket. Default: aes128-cts-hmac-sha1-96, aes128-cts, des3-cbc-sha1. |
| Client Ticket Encryption | Y | N | N | The encryption types to use for the session key in the ticket granting ticket. Default: aes128-cts-hmac-sha1-96, aes128-cts, des3-cbc-sha1. |
| Service Ticket Encryption | Y | N | N | The encryption types to use for the session key in service tickets. Default: aes128-cts-hmac-sha1-96, aes128-cts, des3-cbc-sha1. |
| Lookup DNS for KDC | Y | N | N | Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if the KDC is not the default realm. Default: Checked. |
| Lookup DNS for Realm | Y | N | N | Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host if it is not the default realm. Default: Unchecked. |
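
The following check is an added example, not part of the original page or the product. It audits the `[libdefaults]` section of a krb5.conf for deprecated encryption types (DES, 3DES and RC4, deprecated by RFC 6649 and RFC 8429), a clock skew above the MIT krb5 default of 300 s, and requests for proxiable or forwardable tickets. The key names are standard krb5.conf settings; that the Generated option writes these keys for the fields above is an assumption, and the sample file is constructed from the defaults listed on this page.

```python
import re

# Constructed sample: a krb5.conf as the Generated option might write it from the
# defaults above. Mapping the page's fields to these standard keys is an assumption.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    proxiable = true
    forwardable = false
    clockskew = 600
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1
"""

DEPRECATED = re.compile(r"^(des3?|rc4|arcfour)-")  # RFC 6649 and RFC 8429
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
MAX_CLOCKSKEW = 300  # MIT krb5 default, in seconds


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def audit(text):
    """Return a sorted list of (key, finding) tuples for settings worth reviewing."""
    conf, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS & conf.keys():
        for enctype in re.split(r"[,\s]+", conf[key]):
            if DEPRECATED.match(enctype.lower()):
                findings.append((key, f"deprecated enctype {enctype}"))
    skew = conf.get("clockskew", "")
    if skew.isdigit() and int(skew) > MAX_CLOCKSKEW:
        findings.append(("clockskew", f"{skew} s exceeds {MAX_CLOCKSKEW} s"))
    for key in ("proxiable", "forwardable"):
        if conf.get(key, "").lower() in ("true", "yes", "1"):
            findings.append((key, "delegable tickets requested; confirm this is needed"))
    return sorted(findings)
```

Calling `audit(SAMPLE_KRB5_CONF)` reports the `des3-cbc-sha1` entry in each of the three encryption lists, the 600 s clock skew and the proxiable setting.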

Advanced

| Property | Editable? | Required? | Accepts SVars? | Description |
|---|---|---|---|---|
| Login Module Class | Y | N | Y | The class that implements authentication for users using Kerberos authentication. Default: com.sun.security.auth.module.Krb5LoginModule |
| Refresh KRB5 Configuration | Y | N | N | Indicate that you want the configuration to be refreshed before the login authentication method is invoked. Default: Unchecked. |
| Renew TGT | Y | N | N | Indicate that you want to renew ticket granting tickets. If checked, the Use Ticket Cache checkbox is checked and the Ticket Cache Name field is enabled. Default: Unchecked. |
| Use Ticket Cache | Y | N | N | Indicate that you want the ticket granting tickets to be obtained from the ticket cache. Default: Unchecked. |
| Ticket Cache Name | Y | When Use Ticket Cache is checked. | Y | The name of the ticket cache that contains ticket granting tickets. Default: None. |
| Use Key Tab | Y | N | N | Indicate that the principal's key should be obtained from the keytab. When checked, the Key Tab Filename field is enabled. If the Key Tab Filename field is not set, the keytab is obtained from the Kerberos configuration file. Default: Unchecked. |
| Key Tab Filename | Y | When Use Key Tab is checked | Y | The file name of the keytab. Default: None. |
| Store Key | Y | N | N | Indicate that the principal's key should be stored in the subject's private credentials. Default: Checked. |
| Principal Name | Y | N | Y | The name of the principal. Default: None. |