Administration Guide › Configure SPS to Support Integrated Windows Authentication › Configure SPS to Support Integrated Windows Authentication › Kerberos Authentication Schemes › Kerberos Configuration Examples › Kerberos Configuration at the Policy Server on UNIX Example
Kerberos Configuration at the Policy Server on UNIX Example
The following procedure shows an example of how to configure a Policy Server on a UNIX host to support SiteMinder Kerberos authentication.
Follow these steps:
- Create a user, for example, sol10psuser, with the same password used for creating a service account for the Policy Server host (sol10ps) in Active Directory.
- Add the host to the test.com domain and login to host with user sol10psuser.
- Install and configure SiteMinder Policy Server.
- Install and configure policy store directory services.
- Add a Host Configuration Object referencing the Solaris Policy Server.
- Add an Agent Configuration Object and add the following three new parameters:
|
Parameter
|
Value
|
|
KCCExt
|
.kcc
|
|
HttpServicePrincipal
|
Specify the web server principal name.
Example: HTTP/win2k8sps.test.com@TEST.COM
|
|
SmpsServicePrincipal
|
Specify the Policy Server principal name.
Example: smps@winps.test.com
|
- Create a user directory.
- Create a user, for example, testkrb, in the user directory.
- Configure a new Authentication Scheme using the SiteMinder Admin UI:
- Create the scheme using the custom template.
- Specify the SiteMinder Kerberos Authentication Scheme library.
- Select the parameter field and specify the following three semicolon-delimited values in the specified order:
- Server name and target fields.
- Policy Server principal name from the Windows 2003 Kerberos realm.
- Mapping between the user principal and an LDAP search filter.
Sample parameter field:
http://sol10sunone.test.com/siteminderagent/Kerberos/creds.kcc;smps/sol10ps.test.com@TEST.COM;(uid=%{UID})
- Configure a policy domain.
- Add a realm to protect a resource using the Authentication Scheme.
- Add Rules and Policies to allow access for the user, testkrb.
- Configure a Kerberos configuration file (krb5.ini) and place krb5.ini in the /etc/krb5 system path.
- Configure KDC for the Windows 2003 Kerberos realm (domain) to use the Windows 2003 domain controller.
- Configure krb5.ini to use the Windows 2003 KDC keytab file containing the Policy Server principal credentials.
See the following sample krb5.ini:
[libdefaults]
ticket_lifetime = 24000
default_realm=TEST.COM
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
proxiable = true
[realms]
TEST.COM = {
kdc = winkdc.test.com:88
admin_server = winkdc.test.com:749
default_domain = test.com
}
[domain_realm]
.test.com=TEST.COM
test.com=TEST.COM
- Use the ktutil utility to merge the keytab files (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host principal and service principal names for the Policy Server host in the /etc/krb5.keytab file:
ktutil: rkt sol10ps_host.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
ktutil: rkt sol10ps_smps.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
- Verify the created krb5.keytab as follows:
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/sol10ps.test.com@TEST.COM
3 smps/sol10ps.test.com@TEST.COM
- Deploy the Windows 2003 KDC keytab file containing the host and Policy Server principal credentials to a secure location on the Policy Server.
- Verify that the following environment variable is set before starting the Policy Server:
KRB5_CONFIG=/etc/krb5/krb5.conf
The Policy Server on a UNIX host is configured for Kerberos authentication.
|
Copyright © 2012 CA.
All rights reserved.
|
|
