Configuring Pure Kerberos Authentication

The following is an overview of the process:

On each Manager, there is a user that is a client of the KDC on the DC. This must be a user on the Windows domain. This can be an existing user, or a new user can be created. Also, this user does not need to be the same user who runs the Manager process, although it can be.

A Service Principal Name (SPN) is created on the KDC. This is the name by which a client uniquely identifies an instance of a service. It consists of the user name and Manager hostname. There might be more than one per Manager; for example, one for the fully-qualified hostname, one for the short name, and additional ones for aliases if any.

A keytab file is created for the user and placed on the Manager’s file system. It contains the user credentials, and allows that user to use the KDC.

The Manager is then configured to use the realm, given the keytab location and DC hostname.

Note that the Manager machine itself does not need to be joined to the domain. Although this is the case for a Windows Manager, there is no requirement for a UNIX Manager to be added to the domain.

To configure your Manager, you need the following information from your IT department:

The name of your realm
The fully-qualified hostname of the DC

The following table lists the values that are used in the procedure below. Substitute your own values for them:

Setting                            Value
Realm Name                         REALM.NAME
DC Fully Qualified Hostname        dc.domain.com
Manager Fully Qualified Hostname   manager.domain.com
GridServer Username                gs_user

Manager Configuration

To configure your Manager for pure Kerberos authentication:

1. Map one or more Service Principal Names. Log in to dc.domain.com. Open a console, and execute the following to create SPNs for the short and fully qualified names:
   setspn -A HTTP/manager gs_user
   setspn -A HTTP/manager.domain.com gs_user
2. Create the keytab file:

From that same DC, generate a keytab (the command is a single line; substitute the password of gs_user for {gs_user password}):

   ktpass /princ HTTP/manager.domain.com@REALM.NAME /ptype KRB5_NT_PRINCIPAL /crypto all /mapuser gs_user@REALM.NAME /pass {gs_user password} /kvno 0 /out GridServerUser.keytab

Move this file to your Manager, and place it in a location and set permissions such that only the user that runs the Manager can read it. Because it contains credential information, it must be kept secure.

3. The KDC client requires a random sequence to protect the session. You can generate one using the openssl command line tool by executing the following command:

openssl rand -hex 12

4. Edit the DS_MANAGER/webapps/livecluster/WEB-INF/web.xml file:

Uncomment the kerberosFilter section.

Set the param-value of kerberos.principal to HTTP/manager.domain.com@REALM.NAME.

Set the param-value of kerberos.keytab to the location of the keytab file on your Manager.

Set the param-value of signature.secret to the random sequence that was just generated.
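Once the keytab from step 2 is on the Manager, it is worth confirming that it really contains a key for the SPN named in kerberos.principal. The following added example (not part of this documentation or of GridServer) parses the MIT keytab format that ktpass writes, checks for the Manager's SPN, reports the key version number, and flags the DES and RC4 keys that /crypto all also writes; the sample keytab and its keys are constructed inline.

```python
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # deprecated by RFC 6649 / RFC 8429

def build_keytab(principal, entries):
    """Minimal MIT-format (0x0502) keytab, one entry per (enctype, key, kvno); constructed sample input only."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x02"
    for enctype, key, kvno in entries:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key bytes
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry of a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                       # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            ln, = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        pos += 8                           # name_type (uint32) + timestamp (uint32)
        kvno = data[pos]; pos += 1         # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:                 # 32-bit kvno, when present and non-zero, takes precedence
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
    return entries

def check_keytab(data, expected_spn):
    """Confirm the keytab holds a key for the Manager's SPN and flag legacy enctypes."""
    mine = [e for e in parse_keytab(data) if e[0] == expected_spn]
    return {"spn_present": bool(mine),
            "kvnos": sorted({e[2] for e in mine}),
            "weak_enctypes": sorted({WEAK_ENCTYPES[e[1]] for e in mine if e[1] in WEAK_ENCTYPES})}
```

Run it against the real file with check_keytab(open(path, "rb").read(), "HTTP/manager.domain.com@REALM.NAME"); the SPN must match kerberos.principal exactly, realm included.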

Driver Configuration

For all Drivers, the DSNegotiateEnabled property specifies whether Negotiate authentication is used. Set it to true in the driver.properties file or by using the DriverManager API to enable Negotiate authentication. Otherwise, user name and password authentication is used.

Also, the following must be configured, depending on the platform and Driver:

All Windows

You must enable TGT delegation on the system running the Driver. For more information, see https://support.microsoft.com/en-us/topic/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server-1a6632ac-1599-0a7c-550a-a754796c291e.

The allowtgtsessionkey registry value must be set. Add or change this registry value:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_SZ
Value Data: 1

The Driver user cannot be a member of the Local Admin group.

All Java Drivers

Java includes support for Kerberos authentication natively. The standard method of doing this is via the login.conf and krb5.conf files.

Convenience properties have also been added to the driver.properties file so that you do not need to set these files up:

DSKerberosRealm: the name of the Kerberos realm. For example, REALM.NAME
DSKerberosKDC: the hostname of the KDC. For example, dc.domain.com

(Note that if your application is already set up to use Kerberos via standard methods, you do not need to set these two values.)

Windows C++ and .NET Drivers

Create a file called krb5.ini in the c:\windows directory. This file must contain the following:

[libdefaults]
default_tgs_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
[domain_realm]
.domain.com = REALM.NAME
dc = REALM.NAME
dc.domain.com = REALM.NAME

UNIX C++ and Java Drivers

UNIX Kerberos clients use a ticket cache, which must be populated before the Driver is run.

This is done by executing the kinit command, which prompts the user for their password and populates the cache with a ticket.

Browser Configuration

Users’ browsers must be configured to use Negotiate authentication. For example, in Microsoft Edge, you add the URL to the Enterprise Mode site list. In Firefox, you use the network.negotiate-auth.trusted-uris config parameter. See your browser’s documentation for details.

If a user’s browser is not configured and they attempt to log in to the Administration Tool, the browser presents them with a challenge popup screen, and they can log in manually.