Manage Kerberos Configuration

The Manage Kerberos Configuration task displays information about your Windows Domain Login configuration (Kerberos). Use it to install a Kerberos keytab file and to verify your Kerberos configuration.
Refer to the diagram in Configure the Gateway for Kerberos Token-Based Authentication to see where this task fits within the configuration workflow.
To manage Kerberos configuration:
  1. In the Policy Manager, select [Tasks] > Users and Authentication > Manage Kerberos Configuration from the Main Menu (on the browser client, from the Manage menu). The Kerberos Configuration dialog appears.
  2. The following table describes each setting and control in the configuration dialog.

     Valid
       Displays the status of the keytab:
       • Yes = a valid keytab file has been loaded
       • No = no valid keytab file has been loaded
       • "–" = a keytab file has been loaded, but not validated

     Summary
       Summarizes the state of your Kerberos configuration. The message is one of:
       Keytab file not present
       Keytab file is invalid
       Authentication failed
       Authentication successful
       Checking configuration...
       Updating configuration...

     Automatically Validate Keytab
       Select this check box to validate the keytab principal against the corresponding KDC. This validation occurs automatically whenever:
       • the Kerberos Configuration dialog is displayed
       • a new keytab is loaded
       Clear this check box to skip automatic validation. In this case, no validation status or summary is displayed until you click [Validate Keytab].

     Keytab details:

     KDC
       Key Distribution Center
     Realm
       Identifier for the secured network
     Principal Name
       Service (Gateway cluster) identifier
     Date
       Keytab date, if available
     Version
       Keytab version number 1-X
     Encryption
       Keytab algorithms (rc4-hmac, des-cbc-md5, etc.)

     Keytab configuration controls:

     [Load Keytab]
       Loads a keytab file directly into the Gateway database. Select the keytab file to upload, then click [OK] to confirm.
       If automatic validation is enabled, this keytab is validated upon loading; otherwise, use [Validate Keytab] to trigger a validation.
       For information on how to create the keytab file, see Using the Gateway in Windows Domain Login. If you are working with multiple principals, ensure that you select a keytab that has been configured with multiple principals.
       (1) Ensure that you have a backup of the keytab file, as it cannot be downloaded once uploaded. (2) Loading a keytab file here will overwrite any existing keytab file.

     [Delete Keytab]
       Removes the loaded keytab file. Because deleting a keytab file is permanent and may have consequences, you must first select the "To enable [OK] ..." check box before you can click [OK].
       If you are simply replacing the keytab file with another one, you can use [Load Keytab] without deleting the old keytab first.

     [Validate Keytab]
       Validates the keytab against the corresponding KDC. The results are displayed in the Summary above. If the keytab is invalid, a message is displayed.
       You do not need to click [Validate Keytab] if the Automatically Validate Keytab check box is selected.
  3. Click [Close] when done.
About the Default Realm and the krb5.conf File
When you load a keytab using the Manage Kerberos Configuration task, the Gateway automatically generates a krb5.conf file and places it in the following directory:
/opt/SecureSpan/Gateway/node/default/var
The Gateway uses the realm of the first service principal in the keytab file as the default realm. For example, suppose a keytab file contains the following service principals:
KVNO Principal
---- ------------------------------------
  2  http/[email protected]
  4  http/[email protected]
  3  http/[email protected]
Based on this example, "ACMECORP.COM" is listed as the default realm in the krb5.conf file.
(1) You may edit the krb5.conf file manually if necessary. (2) The cluster property kerberos.krb5Config.overwrite controls whether the Gateway overwrites an existing krb5.conf file during Kerberos configuration.
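Because a keytab cannot be downloaded once it has been uploaded, and because the realm of its first principal becomes the Gateway's default realm, it is worth inspecting the file before loading it. The following script is an added example, not part of this documentation or of the Gateway product: it parses the standard MIT/Heimdal keytab file format (version 0x0502), lists KVNO, principal and encryption type in the same order a keytab listing shows them, reports which realm would be chosen as the default, and flags entries that still use rc4-hmac or single-DES keys. The sample keytab, its hostnames (gw1.example.com and so on) and its key bytes are constructed placeholders; only the realm name ACMECORP.COM comes from the page. Key material is never printed.

```python
"""Inspect a keytab before loading it into the Gateway (added example)."""
import struct

# Kerberos 5 encryption-type numbers (RFC 3961 / IANA registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES and RC4 are deprecated (RFC 6649, RFC 8429); flag them.
LEGACY_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(realm, components, kvno, enctype, key,
                       timestamp=0, name_type=1):
    """Serialize one v2 keytab entry; used here only to construct sample data."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_keytab_entry(**e) for e in entries)


def parse_keytab(data: bytes):
    """Return a list of dicts (kvno, principal, realm, enctype, timestamp)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen         # skip the key bytes; never expose them
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present; overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"kvno": kvno, "realm": realm, "enctype": enctype,
                        "timestamp": timestamp,
                        "principal": "/".join(comps) + "@" + realm})
    return entries


def default_realm(entries):
    """The Gateway takes the realm of the first principal as the default realm."""
    return entries[0]["realm"] if entries else None


def legacy_entries(entries):
    """Principals whose key uses a deprecated encryption type."""
    return [e["principal"] for e in entries if e["enctype"] in LEGACY_ENCTYPES]


def format_listing(entries):
    """Listing in the KVNO / Principal layout used on this page."""
    lines = ["KVNO Principal"]
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "enctype-%d" % e["enctype"])
        lines.append("%4d %s (%s)" % (e["kvno"], e["principal"], name))
    return "\n".join(lines)


# Constructed sample keytab: hostnames and keys are placeholders, not real credentials.
SAMPLE_KEYTAB = build_keytab([
    dict(realm="ACMECORP.COM", components=["http", "gw1.example.com"],
         kvno=2, enctype=18, key=bytes(range(32))),
    dict(realm="ACMECORP.COM", components=["http", "gw2.example.com"],
         kvno=4, enctype=23, key=bytes(range(16))),
    dict(realm="EU.ACMECORP.COM", components=["http", "gw3.example.com"],
         kvno=3, enctype=17, key=bytes(range(16))),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    print(format_listing(found))
    print("default realm =", default_realm(found))
    for p in legacy_entries(found):
        print("WARNING: legacy enctype for", p)
```

Run it against a real file by replacing SAMPLE_KEYTAB with `open("service.keytab", "rb").read()`; the first entry's realm is what should appear as the default realm in the generated krb5.conf, and any principal reported by legacy_entries is one the KDC may reject if legacy encryption types have been disabled on the domain.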