Configuring Pure Kerberos Authentication
The following is an overview of the process:
On each Manager, there is a user that is a client of the KDC on the DC. This must be a user on the Windows domain. This can be an existing user, or a new user can be created. Also, this user does not need to be the same user who runs the Manager process, although it can be.
A Service Principal Name (SPN) is created on the KDC. This is the name by which a client uniquely identifies an instance of a service. It consists of the user name and Manager hostname. There might be more than one per Manager; for example, one for the fully-qualified hostname, one for the short name, and additional ones for aliases if any.
A keytab file is created for the user and placed on the Manager’s file system. It contains the user credentials, and allows that user to use the KDC.
The Manager is then configured to use the realm, given the keytab location and DC hostname.
Note that the Manager machine does not need to be joined to the domain. A Windows Manager will normally be on the domain, but there is no requirement for a UNIX Manager to be added to it.
To configure your Manager, you need the following information from your IT department:
• The name of your realm
• The fully-qualified hostname of the DC
The following table lists the example values used in the procedure below. Substitute your own values for each of them:

Setting                            Value
Realm Name                         REALM.NAME
DC Fully Qualified Hostname        dc.domain.com
Manager Fully Qualified Hostname   manager.domain.com
GridServer Username                gs_user
Manager Configuration
To configure your Manager for pure Kerberos authentication:
1. Map one or more Service Principal Names. Log in to dc.domain.com, open a console, and execute the following to create SPNs for the short and fully qualified names:
   setspn -A HTTP/manager gs_user
   setspn -A HTTP/manager.domain.com gs_user
2. Create the keytab file. From that same DC, generate a keytab:
   ktpass \
     /princ HTTP/manager.domain.com@REALM.NAME \
     /ptype KRB5_NT_PRINCIPAL \
     /crypto all \
     /mapuser gs_user@REALM.NAME \
     /pass {gs_user password} \
     /kvno 0 \
     /out GridServerUser.keytab
   Replace {gs_user password} with the password of gs_user. The backslashes mark line continuations for readability only; in a cmd.exe console, enter the command on a single line or use ^ as the continuation character.
   Move this file to your Manager, and place it in a location and set permissions such that only the user that runs the Manager can read it. Because it contains credential information, it must be kept secure.
3. The KDC client requires a random sequence to protect the session. You can generate one using the openssl command line tool by executing the following command:
   openssl rand -hex 12
4. Edit the DS_MANAGER/webapps/livecluster/WEB-INF/web.xml file:
   • Uncomment the kerberosFilter section.
   • Set the param-value of kerberos.principal to HTTP/manager.domain.com@REALM.NAME.
   • Set the param-value of kerberos.keytab to the location of the keytab file on your Manager.
   • Set the param-value of signature.secret to the random sequence that was just generated.
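The four steps above leave three artifacts that have to agree with each other: the SPN, the keytab, and the kerberosFilter init-params in web.xml. The script below is an added example (not GridServer code) that checks a Manager's setup offline: it parses an MIT-format keytab, confirms the expected HTTP/ principal is present, flags legacy DES and RC4 keys (which /crypto all writes alongside the AES ones), verifies the keytab file mode from step 2, and validates the three init-params from step 4. The keytab bytes, the web.xml fragment, the filter-class name and the keytab path are all constructed placeholders; the {*} wildcard in the XML lookups needs Python 3.8 or later.

```python
"""Check a Manager's Kerberos setup: keytab contents, keytab file mode and web.xml.
Added example, not GridServer code; assumes an MIT-format (0x0502) keytab and a
kerberosFilter whose init-params are named as in the procedure above."""
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

# IANA enctype numbers a hardened deployment should not rely on.
LEGACY = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}

def keytab_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry; used only to build the constructed sample."""
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/")))
    for s in [realm] + name.split("/"):              # realm first, then components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                  # negative size = deleted slot
            pos -= size
            continue
        e, p, strings = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", e[:2])[0] + 1):   # realm, then components
            (n,) = struct.unpack(">H", e[p:p + 2])
            strings.append(e[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno, (enctype, klen) = e[p + 8], struct.unpack(">HH", e[p + 9:p + 13])
        p += 13 + klen                                # past name type, timestamp, vno8, key
        if p + 4 <= size:                             # optional 32-bit kvno takes precedence
            (kvno,) = struct.unpack(">I", e[p:p + 4])
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos += size
    return entries

PRINCIPAL = "HTTP/manager.domain.com@REALM.NAME"
# Constructed sample: an AES256 key plus the RC4 key that `/crypto all` also writes.
SAMPLE_KEYTAB = (b"\x05\x02" + keytab_entry(PRINCIPAL, 3, 18, bytes(range(32)))
                 + keytab_entry(PRINCIPAL, 3, 23, b"\x11" * 16))

def check_keytab(data, expected_principal):
    """Return (expected principal present?, sorted names of legacy enctypes found)."""
    entries = parse_keytab(data)
    weak = sorted({LEGACY[e] for _, _, e in entries if e in LEGACY})
    return expected_principal in {p for p, _, _ in entries}, weak

def demo_private_keytab():
    """Write the sample keytab with mode 0600 into a temp dir; True if only the owner can read it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "GridServerUser.keytab")
        with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "wb") as f:
            f.write(SAMPLE_KEYTAB)
        os.chmod(path, 0o600)                         # apply regardless of umask
        return os.stat(path).st_mode & 0o077 == 0     # no group/other bits set

# Constructed web.xml fragment; the filter-class name and keytab path are placeholders.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter><filter-name>kerberosFilter</filter-name>
    <filter-class>placeholder.KerberosFilter</filter-class>
    <init-param><param-name>kerberos.principal</param-name>
      <param-value>HTTP/manager.domain.com@REALM.NAME</param-value></init-param>
    <init-param><param-name>kerberos.keytab</param-name>
      <param-value>/opt/gridserver/conf/GridServerUser.keytab</param-value></init-param>
    <init-param><param-name>signature.secret</param-name>
      <param-value>0f1e2d3c4b5a69788796a5b4</param-value></init-param>
  </filter>
</web-app>"""

def kerberos_filter_params(web_xml_text):
    """Collect the kerberosFilter init-params from web.xml, whatever its namespace."""
    root = ET.fromstring(web_xml_text)
    for flt in root.iterfind(".//{*}filter"):
        if flt.findtext("{*}filter-name") == "kerberosFilter":
            return {ip.findtext("{*}param-name"): ip.findtext("{*}param-value")
                    for ip in flt.iterfind("{*}init-param")}
    return {}

def check_manager_config(web_xml_text, keytab_data):
    """Return a list of problems; an empty list means the three settings agree."""
    params = kerberos_filter_params(web_xml_text)
    principal, secret = params.get("kerberos.principal", ""), params.get("signature.secret", "")
    found, weak = check_keytab(keytab_data, principal)
    problems = []
    if not found:
        problems.append("keytab has no key for " + principal)
    if weak:
        problems.append("keytab holds legacy keys: " + ", ".join(weak))
    if len(secret) < 24 or set(secret.lower()) - set("0123456789abcdef"):
        problems.append("signature.secret is not 24+ hex characters (openssl rand -hex 12)")
    return problems
```

Running check_manager_config(SAMPLE_WEB_XML, SAMPLE_KEYTAB) on the constructed inputs reports only the RC4 key; on a real Manager, point it at the web.xml text and the keytab bytes from the path in kerberos.keytab, and treat any "no key for" result as a mismatch between the SPN created in step 1 and the /princ given to ktpass in step 2.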
Driver Configuration
For all Drivers, the DSNegotiateEnabled property specifies whether Negotiate authentication is used. Set this to true in the driver.properties file, or by using the DriverManager API, to enable Negotiate authentication. Otherwise, user name and password authentication is used.
Also, the following must be configured, depending on the platform and Driver:
All Windows
• You must enable TGT on the system running the Driver. For more information, see https://support.microsoft.com/en-us/topic/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server-1a6632ac-1599-0a7c-550a-a754796c291e .
• The allowtgtsessionkey registry key must be set. Add or change this registry value:
  Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Name: allowtgtsessionkey
  Value Type: REG_DWORD
  Value Data: 1
• The Driver user cannot be a member of the Local Admin group.
All Java Drivers
Java includes support for Kerberos authentication natively. The standard method of doing this is via the login.conf and krb5.conf files.
Convenience properties have also been added to the driver.properties file so that you do not need to set these files up:
• DSKerberosRealm: the name of the Kerberos realm. For example, REALM.NAME
• DSKerberosKDC: the hostname of the KDC. For example, dc.domain.com
(Note that if your application is already set up to use Kerberos via standard methods, you do not need to set these two values.)
Windows C++ and .NET Drivers
Create a file called krb5.ini and put it in the c:\windows directory. This file must contain the following:

[libdefaults]
default_tgs_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

[domain_realm]
.domain.com = REALM.NAME
dc = REALM.NAME
dc.domain.com = REALM.NAME
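Two things in this file are worth understanding rather than copying: how a client turns a host name into a realm from [domain_realm] (an exact host entry such as dc wins, otherwise the longest matching dot-prefixed domain such as .domain.com), and that the DES and RC4 entries in the enctype lists are legacy types, which Windows disables by default (DES) or has deprecated (RC4). The script below is an added example, not GridServer, MIT or Heimdal code: it reads the krb5.ini above as constructed sample text, resolves hosts to realms with that lookup rule, reports the legacy enctypes per setting, and prints the same file with only the AES types left. It assumes the flat INI layout shown here; configparser cannot read the nested { } groups that some krb5.conf sections use.

```python
"""Read a krb5.ini/krb5.conf, resolve hosts to realms via [domain_realm], and show the
[libdefaults] enctype lists with the legacy DES/RC4 types removed.
Added example, not GridServer or MIT/Heimdal code; it assumes the flat INI layout
from the Driver section (no nested { } groups, which configparser cannot read)."""
import configparser
import io

# Constructed sample: the krb5.ini from the Driver section, as one string.
SAMPLE_KRB5_INI = """[libdefaults]
default_tgs_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

[domain_realm]
.domain.com = REALM.NAME
dc = REALM.NAME
dc.domain.com = REALM.NAME
"""
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")

def is_legacy(enctype):
    """DES and RC4 (also spelled ARCFOUR) enctypes are the ones to retire."""
    return enctype.upper().startswith(("DES", "RC4", "ARCFOUR"))

def load_krb5(text):
    """Parse the file; configparser lowercases keys, which suits case-insensitive host names."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    return cfg

def realm_for_host(cfg, host):
    """[domain_realm] lookup: an exact host entry wins, then the longest dot-prefixed
    domain suffix; fall back to default_realm, or None when the client cannot decide."""
    mapping = dict(cfg["domain_realm"]) if cfg.has_section("domain_realm") else {}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # tries ".domain.com" before ".com"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return cfg.get("libdefaults", "default_realm", fallback=None)

def legacy_enctypes(cfg):
    """Name every legacy type in each enctype setting, keyed by setting name."""
    found = {}
    for key in ENCTYPE_KEYS:
        weak = [t for t in cfg.get("libdefaults", key, fallback="").split() if is_legacy(t)]
        if weak:
            found[key] = weak
    return found

def hardened_ini(cfg):
    """Return the same file as text with legacy types dropped from the enctype lists."""
    out = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    out.read_dict({s: dict(cfg[s]) for s in cfg.sections()})
    for key in ENCTYPE_KEYS:
        value = out.get("libdefaults", key, fallback=None)
        if value is not None:
            out.set("libdefaults", key, " ".join(t for t in value.split() if not is_legacy(t)))
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()

if __name__ == "__main__":
    cfg = load_krb5(SAMPLE_KRB5_INI)
    print(realm_for_host(cfg, "manager.domain.com"), legacy_enctypes(cfg))
    print(hardened_ini(cfg))
```

With the sample, manager.domain.com resolves to REALM.NAME through the .domain.com entry and a host outside the domain resolves to nothing, which is exactly the symptom (no realm, no ticket) to look for when a Driver on a machine with a different DNS suffix fails to authenticate. Before trimming the enctype lists on a real deployment, confirm that the Manager's keytab and the gs_user account both have AES keys, since a client restricted to AES cannot use a service key that exists only in RC4.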
UNIX C++ and Java Drivers
UNIX Kerberos clients use a ticket cache. This ticket cache must be populated prior to running the Driver. This is done by executing the kinit command, which prompts the user for their password and populates the cache with a ticket.
Browser Configuration
Users’ browsers must be configured to use Negotiate authentication. For example, in Microsoft Edge, you add the URL to the Enterprise Mode site list. In Firefox, you use the network.negotiate-auth.trusted-uris config parameter. See your browser’s documentation for details.
If a user’s browser is not configured and they attempt to log in to the Administration Tool, the browser presents them with a challenge popup screen, and they can log in manually.