 
Configuring TDV for Use with Kerberos Authentication
The Studio Configuration window lets you map Windows domains to LDAP domains. A domain mapping links each authenticated user to the appropriate external LDAP group. Authentication is performed by Kerberos; authorization to use TDV system, shared, and published resources depends on the privileges assigned to the user either directly or through membership in LDAP groups. A Kerberos-authenticated user with LDAP group affiliations is implicitly granted only those rights and privileges that have been explicitly associated with the group.
By default, all group and user rights and privileges are set to their most restrictive values, so a Kerberos-authenticated user has no usable rights until they are granted explicitly, either to the user or to an LDAP group the user belongs to. For further information, see the TDV User Guide.
Adding Domain and User Group
Follow these steps to add a domain and its user groups in TDV Manager for use with Kerberos authentication:
1. Open Manager in a Web browser using a TDV administrative login that has Read and Modify All Users rights.
2. Choose SECURITY tab > Domain Management to access the DOMAIN MANAGEMENT page.
3. Add a domain and its LDAP-defined information.
TDV requires an administrative LDAP login (a bind account with permission to read group entries) to view the groups available on the LDAP server.
4. Add external LDAP groups (using the Edit External Groups button) from the configured domain.
5. Once the group is created, select it, click Edit Resource Privileges, and grant the Access Tools and Read All Resources rights. Grant further rights only as the group's role requires; every right granted to the group is inherited by every Kerberos-authenticated member.
6. Add a Windows registry value to enable Ticket-Granting-Ticket (TGT) session keys.
Set the allowtgtsessionkey REG_DWORD value to 1 so that Windows includes the session key when it returns the TGT from the LSA ticket cache. For Windows 10 or later, the registry location of allowtgtsessionkey is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
A value of 1 makes Windows return the session key together with the TGT, which Studio's Java Kerberos login module needs in order to use the logged-on user's TGT for SSO.
Note: By default Windows withholds the TGT session key from user-mode callers, so that a process running in the user's session cannot obtain a key with which the cached TGT could be replayed elsewhere. Setting allowtgtsessionkey to 1 removes that protection on the client, so apply it only to workstations that need Studio SSO. On systems where Windows Defender Credential Guard is enabled, the session key is not exported regardless of this setting.
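The registry change in step 6, as an added PowerShell example that is not part of this guide. It assumes an elevated PowerShell session on the Studio client and uses only the registry path and value name the guide cites; the klist call at the end simply confirms that a TGT is cached for the current logon session.

```powershell
# Added example (not from the TDV guide): check and set allowtgtsessionkey on a Studio client.
# Run from an elevated PowerShell session; the path is the one the guide cites for Windows 10 and later.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'allowtgtsessionkey'

# The Parameters subkey is not always present; create it if it is missing.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Report the current state. No value means the Windows default (0): the session key stays inside LSA.
$before = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $before) {
    Write-Host "$name is not set (default 0: TGT session key is not exported)"
} else {
    Write-Host "$name is currently $($before.$name)"
}

# Set the REG_DWORD to 1 so that user-mode callers such as Studio's Java Kerberos login module
# receive the session key together with the TGT read from the LSA ticket cache.
Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord

# Verify the write, then confirm a TGT is present in the current logon session's ticket cache.
$after = (Get-ItemProperty -Path $path -Name $name).$name
if ($after -ne 1) { throw "$name is $after, expected 1" }
klist tgt
```

Because the value weakens the client's protection of its own TGT, record which workstations carry it and revert it (set the value to 0 or remove it) when a machine no longer needs Studio SSO.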
Understanding Studio Kerberos Properties File
Each Studio client that is to be configured for use with Kerberos SSO must have a local copy of the krb5.properties file located in the <TDV_install_dir>/conf/studio directory. When Studio is starting up, the presence of this file triggers display of an SSO check box on the Studio login window.
Note: If Studio does not detect this file, or if the file's SPN value names a different TDV Server than the one being connected to, the Studio login uses Basic authentication, which requires the user to enter a valid user name, password, and domain for that server instance.
The Studio krb5.properties Service Principal Name (SPN) is derived from the TDV SPN. The TDV Server uses the Required Principal Name configuration parameter to authenticate the TDV service to Kerberos.
All Studio clients that connect to that TDV Server instance must use an SPN derived from the TDV instance's SPN. For example, if the Required Principal Name is HTTP/krb5-win.support.net@SUPPORT.NET, the derived SPN is HTTP@krb5-win.support.net. If a user of a Studio instance wants to use Kerberos SSO authentication to connect to a different TDV Server instance, the SPN value in krb5.properties must be changed to the SPN derived from that instance's Required Principal Name.
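The SPN derivation described above, as an added PowerShell example that is not part of this guide or of the TDV product. It assumes the Required Principal Name has the usual Kerberos form service/host@REALM, and it adds two checks a practitioner would want before editing krb5.properties on each client: that the host part resolves in DNS, and that the SPN is registered on exactly one Active Directory account (setspn is the standard Windows tool for that; the sample principal is the guide's own).

```powershell
# Added example (not from the TDV guide): derive the Studio krb5.properties SPN from the
# TDV Server's Required Principal Name and run basic sanity checks on it.
function Get-StudioSpn {
    param([Parameter(Mandatory)][string]$RequiredPrincipalName)

    # Expected form: service/host@REALM, e.g. HTTP/krb5-win.support.net@SUPPORT.NET
    if ($RequiredPrincipalName -notmatch '^(?<svc>[^/@]+)/(?<host>[^/@]+)@(?<realm>[^/@]+)$') {
        throw "Principal '$RequiredPrincipalName' is not of the form service/host@REALM"
    }
    $svc      = $Matches['svc']
    $hostName = $Matches['host']
    $realm    = $Matches['realm']

    # Kerberos realm names are case-sensitive and conventionally upper-case.
    if ($realm -cne $realm.ToUpperInvariant()) {
        Write-Warning "Realm '$realm' is not upper-case; check it against the KDC's realm name"
    }
    # The host part should be the FQDN clients actually connect to, or the KDC will not find the SPN.
    if ($hostName -notlike '*.*') {
        Write-Warning "Host '$hostName' is not an FQDN; use the TDV Server's DNS name"
    }

    # Studio's derived form is service@host; the realm comes from the client's Kerberos
    # configuration (default realm or domain_realm mapping), not from this value.
    [pscustomobject]@{
        Service   = $svc
        Host      = $hostName
        Realm     = $realm
        StudioSpn = "$svc@$hostName"
    }
}

$spn = Get-StudioSpn -RequiredPrincipalName 'HTTP/krb5-win.support.net@SUPPORT.NET'
$spn.StudioSpn   # HTTP@krb5-win.support.net

# Check 1: the host resolves (Kerberos clients ticket against the name they resolve).
Resolve-DnsName -Name $spn.Host -Type A -ErrorAction SilentlyContinue

# Check 2: the SPN is registered on one AD account. A missing or duplicate SPN breaks SSO,
# and the account that owns it must be the one whose key the TDV Server holds.
setspn -Q "$($spn.Service)/$($spn.Host)"
```

If setspn reports a duplicate, the KDC will issue tickets encrypted for whichever account it picks, and the TDV Server will be unable to decrypt some or all of them; resolve the duplicate before touching the client-side file.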
For more information about the krb5.properties file, see the Krb5LoginModule Java documentation.
For specific details on configuring this file for Security Support Provider Interface (SSPI), see Preparing the Studio Kerberos Properties File for SSPI SSO.
For specific details on configuring this file for Java Generic Security Services (JGSS), see Preparing the Studio Kerberos Properties File for JGSS SSO.