Configuring Kerberos Authentication Service Provider
The Kerberos network authentication protocol is designed to provide strong authentication for client-server applications by using secret-key cryptography.
Prerequisites
TIBCO ActiveMatrix Policy Director Governance supports Microsoft Active Directory 2008.
Enable Microsoft Active Directory to act as the Kerberos Distribution Center. Refer to Microsoft documentation to set up Kerberos Authentication for Single Sign-On.
Procedure
Click Shared Objects > Resource Templates.
The Resource Templates table is displayed.
Click
.
The Add Resource Template dialog is displayed.
From the Type drop-down list, select Kerberos Authentication.
On the SAML Options tab, specify the following:
Validity of SAML Tokens in seconds.
Signer of SAML Tokens.
On the Configuration File tab, specify the following:
Kerberos Realm: Specify the Kerberos Realm name mentioned in the Kerberos .ini file or .conf file on your system.
Kerberos Distribution Center: Specify the IP Address mentioned in the Kerberos .ini file.
Kerberos Configuration File Option: Specify the Kerberos Configuration file location. You can specify a system-specific file location, specify a custom file location, or generate your own configuration file.
If you do not have the Kerberos Initialization file (for example, C:\winnt\krb.ini) in your system, Microsoft Active Directory will only act as an LDAP service and not as a Kerberos Domain Controller.
Click the Advanced tab and specify the following:
Module Class
Principal Name
The Principal Name is optional here because it is generic at this stage. The right place to specify the Principal Name is when you define the Authentication by Kerberos Governance Control template.
Check Keytab.
If you are using server-side authentication, ensure that you check the Keytab option. If you do not, the session ticket is not generated. This field is optional when you are using client-side authentication.
In addition to these steps, enable your browser to pass SPNEGO tokens by selecting the Enable Integrated Windows Authentication option on the Advanced tab of your browser and adding the site to the list of Trusted Sites.
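For the Configuration File tab step above, the following Python sketch (an added example, not TIBCO code) reads Kerberos .ini/.conf text and returns the realm and first KDC address to enter in the Kerberos Realm and Kerberos Distribution Center fields. It assumes the common [libdefaults]/[realms] file layout; the function names, realm and addresses in the sample are constructed for illustration.

```python
import re

# Constructed sample file content; realm and addresses are placeholders.
SAMPLE_KRB5 = """\
# constructed sample, not from a real system
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10
        kdc = 192.0.2.11:88
    }
    OTHER.EXAMPLE = {
        kdc = 198.51.100.5
    }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5 config text."""
    section, realm, default_realm, kdcs = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new [section] header
            section, realm = m.group(1), None
            continue
        if line == "}":                      # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value == "{":
            realm = key
            kdcs[realm] = []
        elif section == "realms" and realm and key == "kdc" and value:
            kdcs[realm].append(value)
    return default_realm, kdcs

def template_fields(text):
    """Values for the Kerberos Realm and Kerberos Distribution Center fields."""
    realm, kdcs = parse_krb5(text)
    if realm is None:
        raise ValueError("no default_realm in [libdefaults]")
    if not kdcs.get(realm):
        raise ValueError(f"no kdc entry for realm {realm}")
    # Drops an optional :port suffix; assumes an IPv4 address or host name.
    return {"realm": realm, "kdc": kdcs[realm][0].split(":")[0]}
```

A ValueError from template_fields means the file cannot supply both fields, so the resource template would be pointing at an incomplete Kerberos configuration.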