KDC Configuration on Windows 2008 Example

The following steps show how to configure a Windows domain controller to support SiteMinder Kerberos authentication.

  1. Promote a Windows Server to a domain controller (named test.com in this example) using the Windows dcpromo utility.
  2. Raise the domain functional level:
    1. Open the Active Directory Users and Computers dialog from Administrative Tools.
    2. Right-click the test.com node in the left pane of the dialog.
    3. Click Raise domain functional level.
    4. Raise the domain functional level of Active Directory.

      Important! This step is irreversible.

  3. Create a user account (for example, testkrb). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. The Windows workstation uses this account to log in to test.com.
  4. Create a service account for the web server (for example, wasrvwin2k8sps). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. SPS uses this account to log in to test.com.
  5. Create a service account for the Policy Server (for example, polsrvwinps). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. The Policy Server host (winps) uses this account to log in to test.com.
  6. Join the web server (win2k8sps) and the Policy Server (winps) hosts to the test.com domain using their service accounts created in Steps 4 and 5.
  7. Associate the web server account (wasrvwin2k8sps) with a web server principal name (HTTP/win2k8sps.test.com@TEST.COM) and create a keytab file using the Ktpass utility. The syntax differs depending on whether the Policy Server is on Windows or on UNIX.

    Note: The Ktpass command-line utility is a Windows support tool. You can install it from the MSDN download site or from an installation CD. Always verify the version of the support tools. The default encryption type must always be RC4-HMAC; confirm the encryption type by running ktpass /? at the command prompt.

    When the Policy Server is on Windows:

    ktpass -out c:\wasrvwin2k8sps.keytab -princ HTTP/win2k8sps.test.com@TEST.COM 
    -ptype KRB5_NT_PRINCIPAL -mapuser wasrvwin2k8sps -pass <<password>>
    
    Targeting domain controller: winkdc.Test.com
    Using legacy password setting method
    Successfully mapped HTTP/win2k8sps.test.com to wasrvwin2k8sps.
    Key created.
    Output keytab to c:\wasrvwin2k8sps.keytab:
    Keytab version: 0x502
    keysize 67 HTTP/win2k8sps.test.com@TEST.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
    

    The password is the same as the one used for creating the service account for the web server.

    When the Policy Server is on UNIX:

    ktpass -out d:\sol10sunone_host.keytab -princ host/sol10sunone.test.com@TEST.COM -pass <<password>> -mapuser sol10sunone -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL -kvno 3
    
    Targeting domain controller: winkdc.test.com
    Successfully mapped host/sol10sunone.test.com to sol10sunone.
    Key created.
    Output keytab to d:\sol10sunone_host.keytab:
    Keytab version: 0x502
    keysize 52 host/sol10sunone.test.com@TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xb5a87ab5070e7f4a)
    Account sol10sunone has been set for DES-only encryption.
    

  8. Associate the Policy Server account (polsrvwinps) with a Policy Server principal name (smps/winps.test.com@TEST.COM) and create another keytab file destined for the Policy Server host (winps).

    When the Policy Server is on Windows:

    Ktpass -out c:\polsrvwinps.keytab -princ smps/winps.test.com@TEST.COM -ptype KRB5_NT_PRINCIPAL -mapuser polsrvwinps -pass <<password>>
    Targeting domain controller: winkdc.Test.com
    Using legacy password setting method
    Successfully mapped smps/winps.test.com to polsrvwinps.
    Key created.
    Output keytab to c:\polsrvwinps.keytab:
    Keytab version: 0x502
    keysize 72 smps/winps.test.com@TEST.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
    

    The password is the same as the one used for creating the service account for the Policy Server.

    When the Policy Server is on UNIX:

    ktpass -out d:\sol10polsrv.keytab -princ host/sol10sunone.test.com@TEST.COM -pass <<password>> -mapuser sol10sunone -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL -kvno 3
    
    Targeting domain controller: winkdc.test.com
    Successfully mapped host/sol10sunone.test.com to sol10sunone.
    Key created.
    Output keytab to d:\sol10polserv.keytab:
    Keytab version: 0x502
    keysize 52 host/sol10sunone.test.com@TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xb5a87ab5070e7f4a)
    Account sol10sunone has been set for DES-only encryption.
    
  9. Specify that the web server and Policy Server service accounts are Trusted for Delegation as follows:
    1. Right-click the service account (polsrvwinps or wasrvwin2k8sps) and select Properties.
    2. Select the Delegation tab.
    3. Select the second option, Trust this user for delegation to any service (Kerberos only).

      Or, select the third option, Trust this user for delegation to specified service. Select the Use Kerberos only option button, and add the corresponding service principal name.

The domain controller is ready for SiteMinder Kerberos authentication.
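As an added check that is not part of the original page: a Python parser for the version 0x502 keytab that ktpass writes, so the file produced in Step 7 or 8 can be confirmed to hold exactly the expected principal, ptype 1 (KRB5_NT_PRINCIPAL) and etype 0x17 (RC4-HMAC) before it is copied to the web server or Policy Server host. The sample keytab is constructed inline with a dummy key; the entry size the parser reports for it (67) matches the keysize ktpass printed for the HTTP principal above.

```python
import struct
KRB5_NT_PRINCIPAL = 1                 # the "ptype 1" that ktpass prints
RC4_HMAC, DES_CBC_MD5 = 0x17, 0x03    # etypes from the two ktpass runs above
def _counted(buf, off):               # uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(realm, comps, etype, key, kvno=2, ptype=KRB5_NT_PRINCIPAL):
    # Serialise one 0x502 keytab entry; used here only to construct sample input
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", ptype, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Parse an MIT 0x0502 keytab (the format ktpass writes) into entry dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        ptype, _ts, vno, etype, klen = struct.unpack_from(">IIBHH", blob, off)
        off += 13 + klen              # skip the fixed fields and the key bytes
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", blob, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "ptype": ptype,
                        "kvno": vno, "etype": etype, "key_len": klen, "entry_size": size})
        off = end
    return entries

def check_keytab(blob, principal, etype=RC4_HMAC):
    """Entries that are not a KRB5_NT_PRINCIPAL key of the expected etype for principal."""
    return [e for e in parse_keytab(blob) if (e["principal"], e["ptype"], e["etype"])
            != (principal, KRB5_NT_PRINCIPAL, etype)]

# Constructed sample: the page's HTTP principal with a dummy 16-byte key (a real keytab is read with open(path, "rb").read())
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("TEST.COM", ["HTTP", "win2k8sps.test.com"], RC4_HMAC, bytes(range(16)))
```

An empty list from check_keytab means the file holds only the expected key; any entry returned shows which principal, ptype or etype differs from what the note in Step 7 requires.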