Configuring TDV for Use with Kerberos Authentication
The Studio Configuration window lets you map Windows domains to LDAP domains. The mappings link authenticated users to the appropriate external group. Authentication is performed by the Kerberos system. Authorization to use TDV system, shared, and published resources depends on privileges assigned to users either directly or through their membership in LDAP groups. Kerberos-authenticated users with LDAP group affiliations are implicitly granted only those user rights and privileges that have been explicitly associated with the group.
By default, all group and user rights and privileges are set to their most restrictive values. Rights and privileges must be set explicitly on an LDAP group before Kerberos-authenticated users can gain them implicitly through membership in that group. For further information, see the TDV User Guide.
To configure TDV for use with Kerberos authentication
1. Open Manager in a Web browser using a TDV administrative login that has Read and Modify All Users rights.
2. Choose SECURITY tab > Domain Management to access the DOMAIN MANAGEMENT page.
3. Add a domain and its LDAP-defined information.
TDV requires an administrative login to view externally available groups on the LDAP server.
4. Add external LDAP groups (using the Edit External Groups button) from the configured domain.
5. Add a Windows Registry Key to enable Ticket-Granting-Ticket (TGT) Session Keys.
6. Change the allowtgtsessionkey registry REG_DWORD value to 1 to include a session key in the TGT.
For Windows XP and Windows 2000, the registry location of allowtgtsessionkey is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
 
For Windows 2003 and Windows Vista, the registry location of allowtgtsessionkey is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
 
A value of 1 requires that a session key be returned with the TGT, and enables use of Kerberos TGT sessions.
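Steps 5 and 6 can be checked and applied from PowerShell. The script below is an added example, not part of the TDV product or this guide's original text. It reports the current allowtgtsessionkey value and type so the prior state of this machine-wide setting is recorded before any change. The `-Apply` switch and the function name are hypothetical, and the script assumes that Windows releases later than Vista use the same Parameters subkey.

```powershell
# Added example, not TDV code. Run in an elevated PowerShell session.
# -Apply is a hypothetical switch name: without it the script only reports.
param([switch]$Apply)

$base = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
$name = 'allowtgtsessionkey'

# Key location as given in this guide, selected by OS version:
#   5.0 (Windows 2000), 5.1 (Windows XP)    -> ...\Lsa\Kerberos
#   5.2 (Windows 2003), 6.0 (Windows Vista) -> ...\Lsa\Kerberos\Parameters
# Assumption: releases after Vista also use the Parameters subkey.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -lt 2) { $key = $base }
else { $key = Join-Path $base 'Parameters' }

function Get-TgtSessionKeySetting {
    # Returns the current value and its registry type, or $null when absent.
    if (-not (Test-Path $key)) { return $null }
    $regKey = Get-Item -Path $key
    if ($regKey.GetValueNames() -notcontains $name) { return $null }
    return New-Object PSObject -Property @{
        Value = $regKey.GetValue($name)
        Kind  = $regKey.GetValueKind($name)
    }
}

$before = Get-TgtSessionKeySetting
if ($null -eq $before) { Write-Output "$name is not set under $key" }
else { Write-Output "$name = $($before.Value) ($($before.Kind)) under $key" }

# Already correct only if the value is 1 and stored as REG_DWORD.
$ok = ($null -ne $before) -and ($before.Value -eq 1) -and ($before.Kind -eq 'DWord')
if ($ok) { Write-Output 'No change needed.'; return }
if (-not $Apply) { Write-Output 'Re-run with -Apply to set it to 1.'; return }

# Create the key if it is missing, then write the value as REG_DWORD 1.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back to confirm the write took effect.
$after = Get-TgtSessionKeySetting
if ($after.Value -eq 1 -and $after.Kind -eq 'DWord') {
    Write-Output "$name set to 1 (REG_DWORD). Previous value: $($before.Value)"
} else {
    Write-Error "Failed to set $name under $key"
}
```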