Manage Kerberos Configuration

The Manage Kerberos Configuration task displays information about your Windows Domain Login configuration (Kerberos). Use it to install a Kerberos keytab file and to verify your Kerberos configuration.
Refer to the diagram in Configure the Gateway for Kerberos Token-Based Authentication to see where this task fits within the configuration workflow.
To manage Kerberos configuration
  1. In the Policy Manager, select
     [Tasks] > Users and Authentication > Manage Kerberos Configuration
     from the Main Menu (on the browser client, from the Manage menu). The Kerberos Configuration dialog appears.
  2. The following table describes each setting and control in the configuration dialog.

     Displays the status of the keytab:
     • Yes = a valid keytab file has been loaded
     • No = no valid keytab file has been loaded
     • "–" = a keytab file has been loaded, but not validated

     Summary
     Summarizes the state of your Kerberos configuration. The message is one of:
     • Keytab file not present
     • Keytab file is invalid
     • Authentication failed
     • Authentication successful
     • Checking configuration...
     • Updating configuration...
     Available as of Gateway version 10 CR1: when the message states "Authentication failed....Could not login 'Message stream modified (41)", set the
     property to
     in the

     Automatically Validate Keytab
     Select this check box to validate the keytab principal against the corresponding KDC. This validation occurs automatically whenever:
     • the Kerberos Configuration dialog is displayed
     • a new keytab is loaded
     Clear this check box to disable automatic validation. In this case, no validation status or summary is displayed until you click [Validate Keytab].

     Keytab details
     • Key Distribution Center
     • Identifier for the secured network
     • Principal Name
     • Service (Gateway cluster) identifier
     • Keytab date, if available
     • Keytab version number 1-X
     • Keytab algorithms (rc4-hmac, des-cbc-md5, etc.)

     Keytab configuration controls

     [Load Keytab]
     Loads a keytab file directly into the Gateway database. Select the keytab file to upload, then click [ ] to confirm.
     If automatic validation is enabled, the keytab is validated upon loading; otherwise, click [Validate Keytab] to trigger a validation.
     For information on how to create the keytab file, see Using the Gateway in Windows Domain Login. If you are working with multiple principals, ensure that you select a keytab that has been configured with multiple principals.
     (1) Ensure that you have a backup of the keytab file, as it cannot be downloaded once uploaded. (2) Loading a keytab file here overwrites any existing keytab file.

     [Delete Keytab]
     Removes the loaded keytab file. As deleting a keytab file is permanent and may have consequences, you must confirm by first selecting the To enable [ ] ... check box before you can click [Delete Keytab].
     If you are simply replacing the keytab file with another one, you can use [Load Keytab] without deleting the old keytab first.

     [Validate Keytab]
     Validates the keytab against the corresponding KDC. The results are displayed in the Summary above. If the keytab is invalid, a message is displayed.
     You do not need to click [Validate Keytab] if the Automatically Validate Keytab check box is selected.
  3. Click [ ] when done.
About the Default Realm and the krb5.conf File
When you load a keytab using the Manage Kerberos Configuration task, the Gateway automatically generates a krb5.conf file and places it in the following directory:
The Gateway uses the first service principal in the keytab file as the default realm. For example, a keytab file contains the following service principals:
KVNO Principal
---- ------------------------------------
2 http/[email protected]
4 http/[email protected]
3 http/[email protected].WIDGETCORP.SUP
Based on this example, "ACMECORP.COM" is listed as the default realm in the krb5.conf file.
(1) You may edit the krb5.conf file manually if necessary. (2) The cluster property
controls whether the Gateway overwrites an existing krb5.conf file during Kerberos configuration.
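As an added example (not part of this documentation or of the Gateway's own code), the following Python script applies the rule described above to a constructed klist-style listing: it parses the KVNO, principal and optional encryption-type columns that the Keytab details section of the dialog lists, takes the realm of the first principal as the default realm, reports any further realms the keytab carries, and renders a minimal krb5.conf. The host names, KDC names and the exact krb5.conf layout are assumptions; the page's own listing does not show usable host names.

```python
"""Derive the default realm from a keytab listing and render a minimal krb5.conf.

Added example: this is not part of the Gateway documentation or product code.
It applies the documented rule ("the first service principal in the keytab
file is the default realm") to a constructed klist-style listing. Host names,
KDC names and the krb5.conf layout below are assumptions.
"""
import re

# Constructed sample in the KVNO / Principal layout printed by `klist -k`.
# A trailing "(etype)" column, as printed by `klist -ke`, is optional.
SAMPLE_LISTING = """\
KVNO Principal
---- ------------------------------------------------------
   2 http/gateway.acmecorp.example@ACMECORP.COM (aes256-cts-hmac-sha1-96)
   4 http/gateway.acmecorp.example@ACMECORP.COM (rc4-hmac)
   3 http/gateway.widgetcorp.example@WIDGETCORP.SUP (aes128-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, service/host@REALM, optional "(encryption type)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<principal>[^\s/@]+/[^\s@]+@(?P<realm>[A-Za-z0-9.\-]+))"
    r"(?:\s+\((?P<etype>[^)]+)\))?\s*$"
)


def parse_keytab_listing(text):
    """Return the entries (kvno, principal, realm, etype) in listing order.

    Header and separator lines do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "principal": m.group("principal"),
                "realm": m.group("realm"),
                "etype": m.group("etype"),  # None when the column is absent
            })
    return entries


def default_realm(entries):
    """Realm of the first principal, which is the selection rule the page describes."""
    if not entries:
        raise ValueError("keytab listing contains no principals")
    return entries[0]["realm"]


def realms_in_order(entries):
    """Distinct realms in first-seen order; anything after index 0 is not the default."""
    return list(dict.fromkeys(e["realm"] for e in entries))


def render_krb5_conf(entries, kdc_by_realm):
    """Render [libdefaults] and [realms]; kdc_by_realm maps each realm to its KDC host."""
    lines = ["[libdefaults]", f"    default_realm = {default_realm(entries)}", "", "[realms]"]
    for realm in realms_in_order(entries):
        if realm not in kdc_by_realm:
            raise ValueError(f"no KDC known for realm {realm}")
        lines.append(f"    {realm} = {{")
        lines.append(f"        kdc = {kdc_by_realm[realm]}")
        lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ents = parse_keytab_listing(SAMPLE_LISTING)
    print("default realm:", default_realm(ents))
    extra = realms_in_order(ents)[1:]
    if extra:
        print("note: keytab also carries principals for:", ", ".join(extra))
    # KDC host names are constructed for the example.
    print(render_krb5_conf(ents, {"ACMECORP.COM": "kdc.acmecorp.example",
                                  "WIDGETCORP.SUP": "kdc.widgetcorp.example"}))
```

Run it as a script to see the rendered file. The realm list is worth checking before loading a multi-principal keytab: only the first principal decides default_realm, so a keytab whose first entry belongs to a secondary realm produces a krb5.conf with the wrong default, and the keytab would have to be regenerated with the intended principal first or the file edited by hand as note (1) allows.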