Manage Kerberos Configuration
The Manage Kerberos Configuration task displays information about your Windows Domain Login configuration (Kerberos). Use it to install a Kerberos keytab file and to verify your Kerberos configuration.
To manage Kerberos configuration:
- In the Policy Manager, select [Tasks] > Users and Authentication > Manage Kerberos Configuration from the Main Menu (on the browser client, from the Manage menu). The Kerberos Configuration dialog appears.
- The following table describes each setting and control in the configuration dialog.

Valid: Displays the status of the keytab:
  - Yes = a valid keytab file has been loaded
  - No = no valid keytab file has been loaded
  - "–" = a keytab file has been loaded, but not validated

Summary: Summarizes the state of your Kerberos configuration. The message is one of:
  - Keytab file not present
  - Keytab file is invalid
  - Authentication failed
  - Authentication successful
  - Checking configuration...
  - Updating configuration...
  Note: When the message states "Authentication failed.... Could not login 'Message stream modified (41)'", set the sun.security.krb5.disableReferrals property to true in the /opt/SecureSpan/Gateway/runtime/etc/ssg.security file.

Automatically Validate Keytab: Select this check box to validate the keytab principal against the corresponding KDC. This validation occurs automatically whenever:
  - the Kerberos Configuration dialog is displayed
  - a new keytab is loaded
  Clear this check box to not validate the keytab automatically. In this case, no validation status or summary is displayed until you click [Validate Keytab].

Keytab details:
  - KDC: Key Distribution Center
  - Realm: Identifier for the secured network
  - Principal Name: Service (Gateway cluster) identifier
  - Date: Keytab date, if available
  - Version: Keytab version number 1-X
  - Encryption: Keytab algorithms (rc4-hmac, des-cbc-md5, etc.)

Keytab configuration controls:
  - [Load Keytab]: Loads a keytab file directly into the Gateway database. Select the keytab file to upload, then click [OK] to confirm. If automatic validation is enabled, this keytab is validated upon loading; otherwise, use [Validate Keytab] to trigger a validation. For information on how to create the keytab file, see Using the Gateway in Windows Domain Login. If you are working with multiple principals, ensure that you select a keytab that has been configured with multiple principals.
    Notes: (1) Ensure that you have a backup of the keytab file, as it cannot be downloaded once uploaded. (2) Loading a keytab file here will overwrite any existing keytab file.
  - [Delete Keytab]: Removes the loaded keytab file. As deleting a keytab file is permanent and may have consequences, you must confirm by first selecting the "To enable [OK] ..." check box before you can click [OK]. If you are simply replacing the keytab file with another one, you can use [Load Keytab] without needing to delete the old keytab first.
  - [Validate Keytab]: Validates the keytab against the corresponding KDC. The results are displayed in the Summary above. If the keytab is invalid, a message is displayed. You do not need to click [Validate Keytab] if the Automatically Validate Keytab check box is selected.
- Click [Close] when done.
About the Default Realm and the krb5.conf File
When you load a keytab using the Manage Kerberos Configuration task, the Gateway automatically generates a krb5.conf file and places it in the following directory:
The Gateway uses the first service principal in the keytab file as the default realm. For example, a keytab file contains the following service principals:
Based on this example, "ACMECORP.COM" is listed as the default realm in the
(1) You may edit the krb5.conf file manually if necessary. (2) The cluster property kerberos.krb5Config.overwrite controls whether the Gateway overwrites an existing krb5.conf file during Kerberos configuration.
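Because a keytab cannot be downloaded again once it has been loaded into the Gateway, it is worth inspecting the file before uploading it: the principal names, realm, key version number (kvno) and encryption types are exactly the "Keytab details" the dialog reports, and the realm of the first principal becomes the default realm in the generated krb5.conf. The following Python script is an added example and is not code from the Gateway product or from this documentation. It builds a small constructed keytab in the MIT keytab file format (version 0x0502), parses it back to list each entry's metadata, flags DES and RC4 keys, picks the default realm the same way the text describes (first service principal), and renders a minimal krb5.conf. The principal names, hostnames, KDC name, timestamp and key bytes are constructed sample values; the Gateway's own krb5.conf generator, its output format and the directory it writes to are not reproduced here.

```python
import struct

# Encryption type numbers as assigned by IANA (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 keys in a keytab deserve a second look
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2

def _encode_entry(principal, enctype, kvno, key, timestamp):
    """Encode one v2 keytab entry; used only to build the constructed sample below."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))            # component count (realm not counted in v2)
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">II", 1, timestamp)             # name type KRB5_NT_PRINCIPAL, timestamp
    body += struct.pack(">B", kvno & 0xFF)               # 8-bit key version number
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                      # optional 32-bit key version number
    return struct.pack(">i", len(body)) + body

def build_sample_keytab(with_deleted_slot=False):
    """Constructed sample: two realms, three keys (one RC4). Key bytes are dummies, not real keys."""
    entries = [
        _encode_entry("http/gateway.acmecorp.com@ACMECORP.COM", 18, 3, b"\x11" * 32, 1700000000),
        _encode_entry("http/gateway.acmecorp.com@ACMECORP.COM", 23, 3, b"\x22" * 16, 1700000000),
        _encode_entry("http/gateway.partner.example@PARTNER.EXAMPLE", 18, 1, b"\x33" * 32, 1700000000),
    ]
    # A negative size marks a deleted slot that readers must skip.
    deleted = (struct.pack(">i", -8) + b"\x00" * 8) if with_deleted_slot else b""
    return KEYTAB_MAGIC + deleted + b"".join(entries)

def _decode_entry(buf):
    """Decode one entry's metadata; the key material itself is skipped, not returned."""
    off = 0

    def take(fmt):
        nonlocal off
        values = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return values

    def take_string():
        nonlocal off
        (length,) = take(">H")
        off += length
        return bytes(buf[off - length:off]).decode("utf-8")

    (ncomp,) = take(">H")
    realm = take_string()
    components = [take_string() for _ in range(ncomp)]
    _name_type, timestamp = take(">II")
    (vno8,) = take(">B")
    enctype, keylen = take(">HH")
    off += keylen
    kvno = vno8
    if off + 4 <= len(buf):          # the 32-bit kvno is optional; prefer it when present and non-zero
        (vno32,) = take(">I")
        kvno = vno32 or vno8
    return {"principal": "/".join(components) + "@" + realm, "realm": realm, "kvno": kvno,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": timestamp}

def parse_keytab(data):
    """Return metadata for every live entry in a v2 MIT keytab given as bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot: skip its payload
            pos += -size
            continue
        entries.append(_decode_entry(memoryview(data)[pos:pos + size]))
        pos += size
    return entries

def default_realm(entries):
    """The Gateway uses the realm of the first service principal in the keytab."""
    return entries[0]["realm"]

def weak_enctypes(entries):
    return sorted({e["enctype_name"] for e in entries if e["enctype"] in WEAK_ENCTYPES})

def render_krb5_conf(entries, kdc_by_realm):
    """Minimal krb5.conf: default_realm from the first principal, one [realms] stanza per realm seen."""
    realms = []
    for e in entries:
        if e["realm"] not in realms:
            realms.append(e["realm"])
    lines = ["[libdefaults]", "    default_realm = %s" % realms[0], "", "[realms]"]
    for realm in realms:
        kdc = kdc_by_realm.get(realm, "KDC-HOSTNAME-PLACEHOLDER")
        lines += ["    %s = {" % realm, "        kdc = %s" % kdc, "    }"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = parse_keytab(build_sample_keytab(with_deleted_slot=True))
    for e in found:
        print("%-46s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("default realm:", default_realm(found), "| weak enctypes:", weak_enctypes(found))
    print(render_krb5_conf(found, {"ACMECORP.COM": "kdc.acmecorp.com"}))  # constructed KDC name
```

To check a real file, replace the constructed sample with `parse_keytab(open("gateway.keytab", "rb").read())`. Two things the listing makes easy to confirm before you click [Load Keytab]: that the first principal carries the realm you expect to become the default, and that every entry's kvno matches the current key version of the service account in Active Directory, since a stale kvno is a common reason the Summary reports "Authentication failed" after an otherwise successful upload.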