

Domain Controller Setup on Windows for Kerberos

When using Kerberos, the domain controller is the key distribution center (KDC) for the Kerberos Realm. In a pure Windows 2003 environment, a Kerberos Realm is equivalent to a Windows Domain. The domain controller host provides storage for the user, service accounts, credentials, the Kerberos ticketing services, and Windows Domain services.

A keytab file is required for Kerberos authentication. It lets users logged on to the CA SiteMinder® Federation Standalone server authenticate with the KDC without being prompted for a password. The keytab file is created with the ktpass utility, a command-line tool that is part of the Windows Support Tools. The default encryption type is RC4-HMAC-NT, which can be confirmed by running ktpass /? at the command prompt. Also, be sure to confirm the Kerberos key version number.

To deploy the Windows domain controller when using Kerberos

  1. Promote Windows 2003 SP 1 Server to a domain controller using the Windows dcpromo utility.
  2. Open the Active Directory Users and Computers dialog from Administrative tools.
  3. Select Create a User Account.
  4. Enter a password for this account.
  5. Clear the User Must Change Password at Next Logon option.
  6. Associate the account created in step 3 with a service principal name (SPN) (for example, HTTP/IWAConnectorHostName.idp.com@IDP.COM).
  7. Create a keytab file with the ktpass utility.

    Use the password entered in step 4.

  8. Copy the keytab file to a secure location on the CA SiteMinder® Federation Standalone server at the asserting party.

    Important! The keytab name with its full path must be specified in the Keytab Location field during the CA SiteMinder® Federation Standalone Windows Agent configuration.
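Steps 6 through 8 as one PowerShell script run on the domain controller, added here as an example and not taken from the CA SiteMinder documentation. It assumes the account from step 3 is named fedsvc in the IDP domain, that setspn and ktpass are installed from the Windows Support Tools, that PowerShell and icacls are available on the domain controller, and an output path of C:\Keytabs; the SPN and realm follow the example in step 6.

```powershell
# Added example (not CA SiteMinder's own code). Placeholder values, not from the page:
$SamAccount = 'fedsvc'                              # account created in step 3
$MapUser    = 'IDP\fedsvc'                          # same account, DOMAIN\user form for ktpass
$Spn        = 'HTTP/IWAConnectorHostName.idp.com'   # SPN form from step 6
$Realm      = 'IDP.COM'                             # Kerberos realm = Windows domain
$Keytab     = 'C:\Keytabs\IWAConnector.keytab'      # assumed output location

# Step 6: register the SPN on the account so the KDC issues HTTP/... service
# tickets for it. Check first so the same SPN is not registered twice.
$registered = setspn -L $SamAccount | Select-String -SimpleMatch $Spn
if (-not $registered) {
    setspn -A $Spn $SamAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# Step 7: write the keytab. "/pass *" makes ktpass prompt for the step 4
# password rather than leaving it in the script or command history.
# ktpass sets the account password to the value supplied, so it must be the
# password from step 4. /crypto RC4-HMAC-NT matches the default named above;
# the KDC and the keytab must agree on the encryption type.
New-Item -ItemType Directory -Path (Split-Path $Keytab) -Force | Out-Null
ktpass /princ "${Spn}@${Realm}" /mapuser $MapUser /pass * `
       /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
# ktpass prints the key version number (kvno) it wrote into the keytab. Record it:
# if the account password is changed later, the kvno held by the KDC increments
# and this keytab stops working until it is regenerated.

# Step 8 preparation: the keytab is equivalent to the account's password.
# Remove inherited permissions and leave only Administrators and SYSTEM
# before copying the file to the Federation Standalone server.
icacls $Keytab /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
Get-Acl $Keytab | Format-List Path, AccessToString
```

The full path printed by Get-Acl is the value to enter in the Keytab Location field during Windows Agent configuration.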

The Windows domain controller is now deployed as the KDC for Kerberos.