Configuring Kerberos Authentication for TIBCO ActiveMatrix Policy Director

This task helps you configure Kerberos Authentication for TIBCO ActiveMatrix Policy Director. ActiveMatrix Policy Director supports Microsoft Active Directory 2008. Before completing these steps, you must enable Microsoft Active Directory to act as the Kerberos Distribution Center. Please refer to the Microsoft documentation to complete the steps on setting up Kerberos Authentication for Single Sign-On.

Procedure

  1. Click Shared Objects > Resource Templates.
    The Resource Templates table is displayed.
  2. Click New.
    The Add Resource Template dialog is displayed.
  3. From the Type drop-down list, select Kerberos Authentication.
  4. On the SAML Options tab, specify the following:
    1. Validity of SAML Tokens in seconds.
    2. Signer of SAML Tokens.
  5. On the Configuration File tab, specify the following:
    1. Kerberos Realm: Specify the Kerberos Realm name mentioned in the Kerberos .ini file on your system.
    2. Kerberos Distribution Center: Specify the IP Address mentioned in the Kerberos .ini file.
    3. Kerberos Configuration File Option: Specify the Kerberos Configuration file location. You can specify a system-specific file location, specify a custom file location, or generate your own configuration file.
    If you do not have the Kerberos Initialization file (for example, C:\winnt\krb.ini) on your system, Microsoft Active Directory will only act as an LDAP service and not as a Kerberos Domain Controller.
  6. Click the Advanced tab and specify the following:
    1. Module Class
    2. Principal Name
    The Principal Name is optional here because it is generic at this stage. The right place to specify the Principal Name is when you define the Authentication by Kerberos Governance Control template.
  7. Check Keytab. If you are using server-side authentication, ensure that you check the Keytab option. If not, the session ticket is not generated. This field is optional when you are using client-side authentication.

In addition to these steps, enable your browser to pass SPNEGO tokens by selecting the Enable Integrated Windows Authentication option on the Advanced tab of your browser and adding the site to the list of Trusted Sites.
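Steps 5.1 and 5.2 take their values from the Kerberos .ini file. The following is an added example, not part of the TIBCO documentation: it reads a file in the standard krb5.ini layout and returns the default realm and that realm's first `kdc` entry, with warnings when either is missing or the realm is not upper case. The sample file content, the realm EXAMPLE.COM, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
# Constructed sample in krb5.ini format; the realm and addresses are placeholders.
SAMPLE_KRB_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10
    }
    LAB.EXAMPLE.COM = {
        kdc = 192.0.2.20
    }
"""

def parse_krb_ini(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.ini-style text."""
    section, realm, default_realm, kdcs = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section, realm = m.group(1), None    # new top-level section
        elif line == "}":
            realm = None                         # end of a realm block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                realm = key                      # start of a realm block
            elif section == "realms" and realm and key == "kdc":
                kdcs.setdefault(realm, []).append(value)
    return default_realm, kdcs

def template_fields(text):
    """Return (realm, kdc, warnings) for the Kerberos Realm and KDC fields."""
    realm, kdcs = parse_krb_ini(text)
    warnings = []
    if realm is None:
        warnings.append("no default_realm in [libdefaults]")
    elif realm != realm.upper():
        warnings.append("realm is not upper case; realm names are case-sensitive")
    kdc_list = kdcs.get(realm, [])
    if realm and not kdc_list:
        warnings.append(f"no kdc entry for realm {realm}")
    return realm, (kdc_list[0] if kdc_list else None), warnings

print(template_fields(SAMPLE_KRB_INI))
```

Running the check against the file before filling in the template catches a realm or KDC mismatch early, rather than at ticket request time.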