Configure Kerberos Authentication

Kerberos authentication supports various configuration scenarios, depending on the host environments of the client and server. Although each scenario is slightly different, implementing Kerberos authentication requires an administrator to perform the following tasks:
  1. Configure a Key Distribution Center (KDC)
  2. Configure the Policy Server for Kerberos authentication
  3. Configure the Web Agent for Kerberos authentication
  4. Create Kerberos Configuration files
  5. Enable a Browser to Send Kerberos Credentials
  6. (Optional) Enable a Windows Host to Communicate to a UNIX KDC and Realm
The sections that follow describe how to set up a KDC.
Configure a Key Distribution Center (KDC) for Kerberos Authentication
A key distribution center (KDC) is a network service. Specifically, a KDC provides an Authentication Service (AS), which authenticates users and services, and a Ticket-Granting Service (TGS), which issues tickets to access services. Active Directory is an example of a service that can be a KDC. Servers that host services and applications are endpoints that accept Kerberos authentication requests from clients.
The following diagram is an overview of a Kerberos transaction:
Kerberos Environment
  1. A client sends a request to the authentication service and is authenticated.
  2. The authentication service responds with a ticket for the TGS.
  3. The client requests a ticket for a specific server.
  4. The TGS returns a response with the appropriate ticket.
  5. The client requests a service from the server host.
  6. The service responds and access is granted.
Example Data for KDC Configuration
The Windows and UNIX procedures for configuring a KDC use the following example server and account names:
Server                                                        Name
Active Directory Domain                                       EXAMPLE (This is an AD domain, not a web domain)
Kerberos Realm                                                EXAMPLE.COM
KDC (Examples: Active Directory Controller, or a UNIX KDC)    kdc.example.com
Policy Server                                                 pserver.example.com
Policy Server service principal name                          smps/pserver.example.com@EXAMPLE.COM
Web server hosting HTTP service                               www.example.com
Web Agent service principal name                              HTTP/www.example.com@EXAMPLE.COM
Important! A Service Principal Name (SPN) is case-sensitive and it must follow the format:
service_type/fqdn_service_host_name@KERBEROS_REALM
Specify host names with lower-case characters, and Kerberos realm names with upper-case characters.
Accounts                          Name
User Account                      testkrb
Policy Server Service Account     krbsvc-smps
Web Agent Service Account         krbsvc-smwa
The Kerberos convention is to make host domain names the same as the Kerberos realm name. The only difference is that the realm is in all upper-case letters. In the above table, the hosts in the domain example.com are in the Kerberos realm EXAMPLE.COM.
KDC Configuration on Windows
The following procedure explains how to configure a KDC on a Windows system. Example values are used throughout the instructions.
In this procedure, you create two keytab files. A keytab file is required for Kerberos authentication. The file lets the service accounts authenticate with the KDC without being prompted for a password. For Windows platforms, the keytab file is created with the ktpass support tool. The ktpass tool is available after you promote the Active Directory server to domain controller.
Follow these steps:
  1. Create a user account (testkrb) in the Windows Active Directory domain. Provide a password for this account. Clear the User must change password at next logon option. The Windows workstation uses this account to log in to the domain example.com.
  2. Create a service account for the Policy Server (krbsvc-smps). Provide a password for this account. Clear the User must change password at next logon option.
  3. Create a service account for the Web Agent (krbsvc-smwa). Provide a password for this account. Clear the User must change password at next logon option.
  4. Create a keytab file for the Policy Server host. The keytab file associates the Policy Server service account (krbsvc-smps) with the Policy Server service principal name (smps/pserver.example.com@EXAMPLE.COM).
    To create a keytab file, enter the following ktpass command:
    ktpass -out c:\krbsvc-smps.keytab -princ smps/pserver.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser EXAMPLE\krbsvc-smps -mapOp set -pass "*"
    The password is the same as the one used for creating the service account for the Policy Server.
    Kerberos service types are typically specified in all uppercase letters; however, the smps service type must be lower-case.
  5. Create a keytab file for the Web Agent. The keytab file associates the Web Agent service account (krbsvc-smwa) with the Web Agent service principal name (HTTP/www.example.com@EXAMPLE.COM).
    Enter the following ktpass command:
    ktpass -out C:\krbsvc-smwa.keytab -princ HTTP/www.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser EXAMPLE\krbsvc-smwa -mapOp set -pass "*"
    The password is the same as the one used for creating the service account for the web server.
    The default encryption type for the keytab file is RC4-HMAC. Confirm the type by entering ktpass /? at the command prompt.
  6. Configure the Policy Server and Web Agent service accounts so each is trusted for delegation and can present delegated credentials. The Policy Server and Web Agent accounts need permission to impersonate a user to use other network services. Use the Active Directory Users and Computers (ADUC) administrative tool to configure delegation. Follow these steps:
    1. Right-click the service account (Policy Server: krbsvc-smps; Web Agent: krbsvc-smwa) and select Properties.
    2. Select the Delegation tab.
    3. Select the Trust this user for delegation to any service (Kerberos only) option.
The KDC on a Windows platform is configured.
KDC Configuration on UNIX
The following process shows how to configure a KDC on a UNIX host. The procedure assumes the use of MIT Kerberos, which is shipped with CA Single Sign-On.
In this procedure, you create two keytab files. A keytab file is required for Kerberos authentication. The file lets the service accounts authenticate with the KDC without being prompted for a password. For UNIX platforms, the keytab file is created with the ktadd tool.
Follow these steps:
  1. If you have not created a Kerberos realm yet, enter the following kdb5_util command:
    kdb5_util create -r EXAMPLE.COM -s
    The -s argument in the command above creates a stash file. The stash file and the keytab file are potential security vulnerability points. If you install a stash file, it must be readable only by root, must not be backed up, and must exist only on the KDC local disk. If you do not want a stash file, run kdb5_util without the -s option.
  2. Create a user account (testkrb) in the domain where the KDC resides.
  3. For the Policy Server host, create the following:
    • A user principal (testpskrb)
    • A Policy Server service principal (smps/pserver.example.com)
    • A Policy Server service account (krbsvc-smps) for the Policy Server host. Provide a password for the account.
    You do not need to specify the Kerberos realm for the service principal name. For UNIX platforms, it is implied. 
  4. Create a keytab file for the Policy Server service principal. Enter the following kadmin command:
    kadmin.local -q "ktadd -k krbsvc-smps.keytab smps/pserver.example.com@EXAMPLE.COM"
  5. For the Web Agent on the web server host, create the following:
    • A user principal name (testwakrb)
    • A Web Agent service principal (HTTP/www.example.com@EXAMPLE.COM)
    • A Web Agent service account (krbsvc-smwa) 
    • A password for the Web Agent service account.
  6. Create a keytab file and add the Web Agent service principal to the keytab file. Enter the following kadmin command:
    kadmin.local -q "ktadd -k krbsvc-smwa.keytab HTTP/www.example.com@EXAMPLE.COM"
  7. Configure the Policy Server and web server service accounts so each is trusted for delegation and can present delegated credentials. The Policy Server and Web Agent accounts need permission to impersonate a user to use other network services. Enter the following commands:
    Policy Server Service Account:
    kadmin.local -q "modify_principal +ok_to_auth_as_delegate smps/pserver.example.com@EXAMPLE.COM"
    Web Agent Service Account:
    kadmin.local -q "modify_principal +ok_to_auth_as_delegate HTTP/www.example.com@EXAMPLE.COM"
The KDC is configured on a UNIX host.
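The SPN case rules in the Important note above and the stash-file and keytab handling called out in step 1 of the UNIX procedure lend themselves to a post-configuration check. The following POSIX shell script is an added example and is not part of the CA Single Sign-On documentation; the function names spn_ok and secret_file_ok are my own, and it checks only what the page states (SPN shape and case, owner-only file permissions), not whether the KDC actually knows the principal.

```shell
#!/bin/sh
# Added example, not part of the CA Single Sign-On documentation: checks an SPN
# against the case rules in the SPN note, and checks that a keytab or stash
# file has the owner-only permissions the UNIX procedure calls for.
# spn_ok SPN: succeed only for service_type/fqdn_service_host_name@KERBEROS_REALM
# with a lower-case host name and an upper-case realm name.
spn_ok() {
    spn=$1
    case $spn in
        */*@*) ;;                        # needs a '/' followed by an '@'
        *) return 1 ;;
    esac
    svc=${spn%%/*}
    rest=${spn#*/}
    case $rest in
        */*|*@*@*) return 1 ;;           # exactly one '/' and one '@'
    esac
    host=${rest%@*}
    realm=${rest##*@}
    [ -n "$svc" ] && [ -n "$host" ] && [ -n "$realm" ] || return 1
    case $host in *[!a-z0-9.-]*) return 1 ;; esac    # host: lower-case only
    case $realm in *[!A-Z0-9.-]*) return 1 ;; esac   # realm: upper-case only
    return 0
}

# secret_file_ok FILE OWNER: FILE must be a regular file owned by OWNER
# (root on a real KDC) with no group or world permission bits and no ACL.
secret_file_ok() {
    file=$1
    owner=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ld -- "$file")          # $1 = mode string, $3 = owner
    case $1 in
        -???------|-???------.) ;;       # owner-only bits ('.' = SELinux label)
        *) return 1 ;;                   # group/world bits, or '+' for an ACL
    esac
    [ "$3" = "$owner" ]
}

# SPNs from the example tables above plus constructed bad ones.
for spn in smps/pserver.example.com@EXAMPLE.COM HTTP/www.example.com@EXAMPLE.COM \
           smps/PSERVER.example.com@EXAMPLE.COM HTTP/www.example.com@example.com \
           HTTP/www.example.com; do
    if spn_ok "$spn"; then echo "OK   $spn"; else echo "BAD  $spn"; fi
done
# Keytab and stash files given as arguments must be root-owned and mode 0600.
for f in "$@"; do
    if secret_file_ok "$f" root; then echo "OK   $f"; else echo "BAD  $f"; fi
done
```

Run it on the KDC as sh check_krb.sh krbsvc-smps.keytab krbsvc-smwa.keytab <stash file>; a BAD line for a file means it is readable by more than root, which step 1 of the UNIX procedure forbids.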