Configure Kerberos Key Distribution Center
When using Kerberos, the domain controller is the Kerberos Key Distribution Center (KDC) for the Kerberos Realm. In a pure Windows environment, a Kerberos Realm is equivalent to a Windows Domain. The domain controller host stores the user accounts, service accounts, and credentials, and provides the Kerberos ticketing services and the Windows Domain services.
Kerberos authentication requires a keytab file, which lets users authenticate with the KDC without being prompted for a password. On Windows, use the ktpass command-line utility to create the keytab file; on UNIX, use the ktadd utility to create it.
Perform the following steps to configure KDC:
- Create a user account to log in to the workstation.
- Create a service account for the web server to log in to the web server host.
- Create a service account for the Policy Server to log in to the Policy Server host.
- Associate the web server account with a web server principal name.
- Create a keytab file and transfer it to the web server host.
- Associate the Policy Server account with a Policy Server principal name.
- Create another keytab file and transfer the new keytab file to the Policy Server host.
- Verify that the web server and Policy Server accounts are Trusted for Delegation.
Important! For any service to use the Kerberos protocol, ensure that you create the Service Principal Name (SPN) in the service/fqdn_host@REALM_NAME format.
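The steps above, carried out as one PowerShell sequence on the domain controller, as an added example that is not part of the CA guide. The realm EXAMPLE.COM, the hosts web01.example.com and ps01.example.com, the account names, the smps service name and the keytab paths are placeholders; the SPNs follow the service/fqdn_host@REALM_NAME format from the note above.

```powershell
# Added example: run as a domain administrator on the domain controller (KDC).
# Placeholders: realm EXAMPLE.COM, hosts web01/ps01.example.com, account names,
# the 'smps' service name and C:\keytabs. Replace them for your environment.
Import-Module ActiveDirectory

$Realm   = 'EXAMPLE.COM'
$WebHost = 'web01.example.com'
$PsHost  = 'ps01.example.com'

# Step 1: the user account that logs in to the workstation (obtains the TGT).
New-ADUser -Name 'kerbuser' -SamAccountName 'kerbuser' `
    -UserPrincipalName "kerbuser@$Realm" -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'kerbuser password')

# Steps 2 and 3: service accounts for the web server and the Policy Server.
foreach ($svc in 'svc-web', 'svc-ps') {
    New-ADUser -Name $svc -SamAccountName $svc -UserPrincipalName "$svc@$Realm" `
        -Enabled $true -PasswordNeverExpires $true `
        -AccountPassword (Read-Host -AsSecureString "$svc password")
    # An AES keytab only works if the account is allowed to use AES.
    Set-ADUser -Identity $svc -KerberosEncryptionType AES256
}

# Steps 4 and 6: associate each account with its principal name
# (service/fqdn_host; ktpass below appends @REALM_NAME). setspn -S refuses
# to register an SPN that already exists on another account in the forest.
$WebSpn = "HTTP/$WebHost"
$PsSpn  = "smps/$PsHost"      # placeholder service name for the Policy Server
setspn -S $WebSpn 'svc-web'
setspn -S $PsSpn  'svc-ps'

# Steps 5 and 7: one keytab per service. ktpass maps the principal to the
# account and RESETS that account's password to the one entered at '/pass *'.
ktpass /princ "$WebSpn@$Realm" /mapuser "svc-web@$Realm" /ptype KRB5_NT_PRINCIPAL `
       /crypto AES256-SHA1 /pass * /out C:\keytabs\web01.keytab
ktpass /princ "$PsSpn@$Realm"  /mapuser "svc-ps@$Realm"  /ptype KRB5_NT_PRINCIPAL `
       /crypto AES256-SHA1 /pass * /out C:\keytabs\ps01.keytab
# Copy web01.keytab to the web server host and ps01.keytab to the Policy Server
# host over an encrypted channel; a keytab is the service's long-term key.

# Step 8: mark both service accounts Trusted for Delegation, then verify the
# delegation flag and the registered SPNs on each account.
foreach ($svc in 'svc-web', 'svc-ps') {
    Set-ADAccountControl -Identity $svc -TrustedForDelegation $true
    Get-ADUser -Identity $svc -Properties TrustedForDelegation, ServicePrincipalNames |
        Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalNames
}
```

Both ktpass commands prompt for the service account password; use the same value you intend the service to keep, because ktpass writes it into the keytab and into Active Directory.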
Copyright © 2012 CA. All rights reserved.