Kerberos Configuration at the Policy Server on Windows Example
The following procedure shows an example of how to configure a Policy Server on Windows to support SiteMinder Kerberos authentication.
Note: If the Policy Server is installed on Windows and the KDC is deployed on UNIX, perform the additional required configuration on the Policy Server host using the Ksetup utility.
Follow these steps:
- Install and configure the SiteMinder Policy Server.
- Install and configure policy store directory services.
- Log in to the Policy Server host with the service account (for example, polsrvwinps) created in Active Directory on the Windows domain controller.
- Add a Host Configuration Object referencing the Policy Server.
- Create an Agent Configuration Object and add these three new parameters:
| Parameter | Value |
| --- | --- |
| KCCExt | .kcc |
| HttpServicePrincipal | Specifies the web server principal name. Example: HTTP/win2k8sps.test.com@TEST.COM |
| SmpsServicePrincipal | Specifies the Policy Server principal name. Example: smps@winps.test.com |
- Create a user directory.
- Create a user, for example, testkrb, in the user directory.
- Configure a new Authentication Scheme using the SiteMinder Admin UI:
  - Create the scheme using the custom template.
  - Specify the SiteMinder Kerberos Authentication Scheme library.
  - Select the parameter field and specify the following three semicolon-delimited values in the specified order:
    - Server name and target fields.
    - Policy Server principal name from the Windows 2003 Kerberos realm.
    - Mapping between the user principal and an LDAP search filter.
  Sample parameter field:
  http://win2k8sps.test.com/siteminderagent/Kerberos/creds.kcc;smps/winps.test.com@TEST.COM;(uid=%{UID})
- Configure a policy domain.
- Add a realm to protect a resource using the Authentication Scheme.
- Add Rules and Policies to allow access for the user, testkrb.
- Configure a Kerberos configuration file (krb5.ini) and place krb5.ini in the Windows system root path:
  - Configure the KDC for the Windows 2003 Kerberos realm (domain) to use the Windows 2003 domain controller.
  - Configure krb5.ini to use the Windows 2003 KDC keytab file containing the Policy Server principal credentials.
  See the following sample krb5.ini:
  [libdefaults]
  default_realm = TEST.COM
  default_keytab_name = C:\WINDOWS\krb5.keytab
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5
  [realms]
  TEST.COM = {
      kdc = winkdc.test.com:88
      default_domain = test.com
  }
  [domain_realm]
  .test.com = TEST.COM
- Deploy the Windows KDC keytab file containing the Policy Server principal credentials to a secure location on the Policy Server.
The Policy Server on a Windows host is configured for Kerberos authentication.
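The following is an added example, not part of this guide or the SiteMinder product: a small pre-flight check that parses the krb5.ini and the scheme parameter field from the procedure above and reports the mistakes that most often break this setup (a principal realm that does not match default_realm or has no [realms] entry, and enctype lists that still permit the deprecated rc4-hmac and DES types shown in the sample). The embedded krb5.ini is the page's sample (abridged), and the parameter field is a constructed copy with the principal realm deliberately misspelled as TES.COM so that the realm check fires; the function names are the example's own.

```python
# Constructed sample: the page's krb5.ini (abridged) plus a scheme parameter whose principal realm is misspelled (TES.COM).
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = TEST.COM
default_keytab_name = C:\\WINDOWS\\krb5.keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
TEST.COM = {
    kdc = winkdc.test.com:88
    default_domain = test.com
}
"""
SAMPLE_PARAM = ("http://win2k8sps.test.com/siteminderagent/Kerberos/creds.kcc;"
                "smps/winps.test.com@TES.COM;(uid=%{UID})")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}

def parse_krb5(text):
    """Parse [section] headers, key = value lines and NAME = { ... } sub-blocks (comment lines are not supported)."""
    sections, section, block = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (section if block is None else block)[key] = value
    return sections

def parse_scheme_param(param):
    """Split the scheme parameter into its three ordered values; raises ValueError if the count is wrong."""
    creds_url, principal, mapping = param.split(";")
    service, _, realm = principal.rpartition("@")
    return {"creds_url": creds_url, "principal": service, "realm": realm, "mapping": mapping}

def check_kerberos_setup(ini_text, param):
    """Return findings to review before enabling the scheme: realm mismatches and weak enctypes."""
    cfg, scheme, findings = parse_krb5(ini_text), parse_scheme_param(param), []
    lib, realm = cfg.get("libdefaults", {}), scheme["realm"]
    if realm != lib.get("default_realm"):
        findings.append("principal realm %s differs from default_realm %s" % (realm, lib.get("default_realm")))
    if realm not in cfg.get("realms", {}):
        findings.append("no [realms] entry for %s" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s permits weak enctypes: %s" % (key, " ".join(weak)))
    return findings
```

Run `check_kerberos_setup(SAMPLE_KRB5_INI, SAMPLE_PARAM)` against your own files; with the sample data it reports the realm mismatch, the missing [realms] entry, and the weak enctypes on both lists.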
Copyright © 2012 CA. All rights reserved.