

SiteMinder Kerberos Authentication

This section contains the following topics:

Kerberos Overview

How To Configure SiteMinder Kerberos Authentication

Kerberos Configuration Examples

Verify that a Resource is Protected

Troubleshooting SiteMinder Kerberos Authentication

Kerberos Overview

Kerberos is a standard protocol, designed at MIT, to provide a means of authentication between a client and a server on an open network. The Kerberos protocol protects messages from eavesdropping and replay attacks. Kerberos uses shared secrets, symmetric keys, and Kerberos services. Microsoft Windows operating environments use Kerberos V5 as the default authentication package. Solaris 10 also includes Kerberos V5.

In a Kerberos environment, user accounts and service accounts are named principals. Kerberos uses a trusted third party (the Key Distribution Center, or KDC) to mediate message exchanges between principals. The purpose of the Key Distribution Center is to reduce the risks inherent in exchanging keys.

Kerberos authentication is based on messages that request and deliver tickets. The Key Distribution Center processes two types of tickets:

Kerberos uses keytab files for logging in to the KDC. Keytab files consist of pairs of Kerberos principals and encrypted keys derived from a Kerberos password.

The Kerberos protocol message exchange can be summarized in a simplified way as follows:

  1. When a user logs in, the client contacts the KDC Authentication Service, requesting a short-lived message (the ticket-granting ticket) containing the user identity information.
  2. The KDC authentication service generates the TGT and creates a session key that the client can use to encrypt communication with the ticket-granting service.
  3. When a user requests access to local or network resources, the client presents the ticket-granting ticket (TGT), an authenticator, and the Service Principal Name (SPN) of the target server to the KDC.
  4. The ticket-granting service examines the ticket-granting ticket and the authenticator. If these credentials are acceptable, the ticket-granting service creates a service ticket, which includes the user identity information copied from the TGT. The service ticket is sent back to the client.

    Note: The ticket-granting service cannot determine whether the user is granted access to the target resource. The ticket-granting service only authenticates the user and returns the service ticket.

  5. After the client has the service ticket, the client sends the service ticket and a new authenticator to the target server, requesting access to a resource.
  6. The server decrypts the ticket, validates the authenticator, and grants the user access to the resource.
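The six steps above, played out end to end as an added example (this is not SiteMinder code and not a real Kerberos implementation): a KDC object acts as both the Authentication Service and the Ticket-Granting Service, a Service object plays the web server holding the key from its keytab, and the client walks through login, service-ticket request and resource access. Encryption is a toy HMAC-SHA256 keystream plus MAC standing in for the Kerberos encryption types; the user "alice@TEST.COM", the password and the 600-second lifetimes are constructed values, while the web server SPN is the one this page uses. The demo also shows two properties the overview mentions: a wrong password cannot open the AS reply, and a captured authenticator presented a second time is refused by the service's replay cache.

```python
import hashlib
import hmac
import json
import os
import time

# Toy symmetric "seal": HMAC-SHA256 keystream + MAC. Stands in for the Kerberos
# encryption types so the protocol flow can run offline; it is NOT a real enctype.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, message):
    """Encrypt-then-MAC a JSON message under a symmetric key."""
    nonce = os.urandom(16)
    plain = json.dumps(message, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify and decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Authentication Service (steps 1-2) and Ticket-Granting Service (steps 3-4)."""
    def __init__(self, realm, long_term_keys):
        self.realm = realm
        self.keys = long_term_keys        # principal -> key (from password or keytab)
        self.tgs_key = os.urandom(32)     # key of the ticket-granting service, KDC-only

    def as_exchange(self, user):
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session, "expires": time.time() + 600})
        return tgt, seal(self.keys[user], {"session": session})  # only the real user can open this

    def tgs_exchange(self, tgt, authenticator, spn):
        t = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["user"] != t["user"] or time.time() > t["expires"]:
            raise ValueError("TGT expired or authenticator does not match it")
        svc_session = os.urandom(32).hex()
        # Service ticket: sealed under the target service's own key, identity copied
        # from the TGT. The TGS makes no authorization decision here.
        ticket = seal(self.keys[spn], {"user": t["user"], "session": svc_session,
                                       "expires": time.time() + 600})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})

class Service:
    """The target server (steps 5-6), holding the key its keytab would contain."""
    def __init__(self, spn, key):
        self.spn, self.key, self.seen = spn, key, set()   # seen = replay cache

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if time.time() > t["expires"]:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["user"] != t["user"] or abs(time.time() - auth["time"]) > 300:
            raise ValueError("authenticator mismatch or clock skew too large")
        marker = (auth["user"], auth["time"], auth["nonce"])
        if marker in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(marker)
        return t["user"]

def make_authenticator(user, session_hex):
    return seal(bytes.fromhex(session_hex),
                {"user": user, "time": time.time(), "nonce": os.urandom(8).hex()})

def access_resource(kdc, service, user, user_key):
    """Client side of the whole flow: login, service ticket, then the AP request."""
    tgt, enc = kdc.as_exchange(user)
    session = unseal(user_key, enc)["session"]
    ticket, enc2 = kdc.tgs_exchange(tgt, make_authenticator(user, session), service.spn)
    svc_session = unseal(bytes.fromhex(session), enc2)["session"]
    authenticator = make_authenticator(user, svc_session)
    return service.accept(ticket, authenticator), ticket, authenticator

def demo():
    user_key = hashlib.sha256(b"constructed-user-password").digest()  # constructed
    http_key = os.urandom(32)                 # what the web server's keytab would hold
    spn = "HTTP/win2k3iis6.test.com@TEST.COM"
    kdc = KDC("TEST.COM", {"alice@TEST.COM": user_key, spn: http_key})
    web = Service(spn, http_key)
    user, ticket, auth = access_resource(kdc, web, "alice@TEST.COM", user_key)
    try:                                      # replaying the captured authenticator
        web.accept(ticket, auth); replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:                                      # wrong password: AS reply stays sealed
        access_resource(kdc, web, "alice@TEST.COM", b"\x00" * 32); wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return user, replay_rejected, wrong_key_rejected
```

Running `demo()` returns the authenticated principal together with two True flags. The replay cache is keyed on the authenticator's user, timestamp and nonce, which is why step 5 says the client sends a "new" authenticator with every request.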

How To Configure SiteMinder Kerberos Authentication

Kerberos authentication supports various configuration scenarios, depending on the host environments of the client and server. Although each scenario is slightly different, implementing Kerberos authentication in a SiteMinder environment requires the following administrator tasks:

Kerberos KDC Configuration at the Domain Controller

When using Kerberos, the domain controller is the key distribution center (KDC) for the Kerberos Realm. In a pure Windows environment, a Kerberos Realm is equivalent to a Windows Domain. The domain controller host provides storage for the user, service accounts, credentials, the Kerberos ticketing services, and Windows Domain services.

Kerberos authentication requires a keytab file, which lets users authenticate with the KDC without being prompted for a password. On Windows, the keytab file is created with the ktpass utility, a Windows support tool; on UNIX, the equivalent is ktadd.

KDC configuration for SiteMinder on the domain controller host (Windows or UNIX) follows this general sequence:

  1. Create a user account. This account is for logging in to the workstation.
  2. Create a service account for the web server for logging in to the web server host.
  3. Create a service account for the Policy Server for logging in to the Policy Server host.
  4. Associate the web server account with a web server principal name.
  5. Create a keytab file, which is transferred to the web server host.
  6. Associate the Policy Server account with a Policy Server principal name.
  7. Create another keytab file, which is transferred to the Policy Server host.
  8. Specify that the web server and Policy Server accounts are Trusted for Delegation.

Important! For any service to use Kerberos protocol, be sure to create the Service Principal Name (SPN) in a standard format, that is, service/fqdn_host@REALM_NAME.
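To make the service/fqdn_host@REALM_NAME requirement checkable, here is an added example (not part of the CA documentation or product) that splits an SPN into its parts and rejects the common mistakes, then builds the keytab commands for steps 4 to 7 on either KDC platform. The ktpass flags and the kadmin.local subcommands are the real ones; "-pass *" makes ktpass prompt for the password instead of placing it on the command line. The upper-case realm and lower-case host checks follow Kerberos convention and are my assumption, not a rule this page states; the account name and keytab paths in the usage are constructed.

```python
from typing import NamedTuple

class SPN(NamedTuple):
    service: str   # e.g. HTTP
    host: str      # fully qualified host name
    realm: str     # Kerberos realm (upper case by convention; assumed here)

def parse_spn(spn: str) -> SPN:
    """Split an SPN into its parts; raise ValueError when it is not service/fqdn_host@REALM_NAME."""
    principal, at, realm = spn.rpartition("@")
    if not at or not realm:
        raise ValueError(f"{spn!r}: missing @REALM_NAME")
    service, slash, host = principal.partition("/")
    if not slash or not service or not host:
        raise ValueError(f"{spn!r}: missing service/ prefix or host")
    if "." not in host or host != host.lower():
        raise ValueError(f"{spn!r}: host must be a lower-case fully qualified name")
    if realm != realm.upper():
        raise ValueError(f"{spn!r}: realm is expected in upper case (convention)")
    return SPN(service, host, realm)

def is_valid_spn(spn: str) -> bool:
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False

def ktpass_command(spn: str, mapuser: str, keytab_path: str) -> list:
    """ktpass invocation for a Windows domain controller (steps 4-7 on Windows)."""
    p = parse_spn(spn)
    return ["ktpass", "-princ", f"{p.service}/{p.host}@{p.realm}", "-mapuser", mapuser,
            "-pass", "*", "-crypto", "AES256-SHA1", "-ptype", "KRB5_NT_PRINCIPAL",
            "-out", keytab_path]

def kadmin_commands(spn: str, keytab_path: str) -> list:
    """MIT Kerberos equivalent on a UNIX KDC: create the principal with a random key, export with ktadd."""
    p = parse_spn(spn)
    full = f"{p.service}/{p.host}@{p.realm}"
    return [["kadmin.local", "-q", f"addprinc -randkey {full}"],
            ["kadmin.local", "-q", f"ktadd -k {keytab_path} {full}"]]

if __name__ == "__main__":
    spn = "HTTP/win2k3iis6.test.com@TEST.COM"           # the web server SPN from this page
    print(parse_spn(spn))
    print(" ".join(ktpass_command(spn, r"TEST\websvc", r"C:\keytabs\http.keytab")))  # constructed
    for cmd in kadmin_commands(spn, "/etc/krb5.keytab"):
        print(" ".join(cmd))
```

The returned argument lists are meant to be reviewed and run by the administrator on the domain controller; the script itself does not execute them. Run the same check against the Policy Server principal before entering it as SmpsServicePrincipal.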

More information:

KDC Configuration on Windows 2003 Example

KDC Configuration on UNIX Example

Kerberos Authentication Configuration at the Policy Server

In addition to the standard Policy Server configuration, Kerberos authentication requires the following steps:

Parameter              Value
---------------------  ----------------------------------------------------------
KCCExt                 .kcc
HttpServicePrincipal   Specifies the web server principal name.
                       Example: HTTP/win2k3iis6.test.com@TEST.COM
SmpsServicePrincipal   Specifies the Policy Server principal name.
                       Example: smps@win2kps.test.com

Important! If the Policy Server is installed on Windows and the KDC is deployed on UNIX, be sure to perform the additional configuration on the Policy Server host using the Ksetup utility.

More information:

Kerberos Configuration at the Policy Server on Windows Example

Kerberos Configuration at the Policy Server on UNIX Example

Kerberos Authentication Configuration at the Web Server

Configuring a Windows or UNIX web server to support Kerberos authentication follows these general steps:

  1. Install a SiteMinder Web Agent with SiteMinder Kerberos Authentication Scheme support.
  2. Register a trusted host with the Policy Server and configure the Web Agent.
  3. Configure a Kerberos configuration file (krb5.ini):
  4. Deploy the keytab file (created on the KDC) containing the web server credentials to a secure location on the web server.

Important! If the web server is installed on Windows and the KDC is deployed on UNIX, be sure to perform additional configuration on the web server using the Ksetup utility.
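Steps 3 and 4 above, as an added example that is not part of the CA documentation: it renders a minimal krb5.ini for the web server, parses it back with a small parser for the krb5 file layout (sections, key = value lines and { } realm blocks) to confirm the default realm, its KDC and the domain-to-realm mapping are all present, and then checks the deployed keytab the way a POSIX web server host would need (not empty, not readable by group or others). The KDC host name kdc.test.com and the keytab bytes are constructed; the realm and DNS domain are the ones this page's examples use. On a Windows web server the file ACL, not st_mode, is what protects the keytab, so check_keytab only covers the UNIX case.

```python
import os
import stat
import tempfile

def render_krb5_ini(realm: str, kdc_host: str, dns_domain: str) -> str:
    """Minimal krb5.ini: the default realm, where its KDC lives, and which DNS domain maps to it."""
    return "\n".join([
        "[libdefaults]",
        f"  default_realm = {realm}",
        "  dns_lookup_kdc = false",
        "",
        "[realms]",
        f"  {realm} = {{",
        f"    kdc = {kdc_host}",
        f"    admin_server = {kdc_host}",
        "  }",
        "",
        "[domain_realm]",
        f"  .{dns_domain} = {realm}",
        f"  {dns_domain} = {realm}",
        "",
    ])

def parse_krb5(text: str) -> dict:
    """Parse the krb5.ini/krb5.conf layout: [sections], key = value lines and { } sub-blocks."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"setting outside any section: {line!r}")
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_config(conf: dict) -> list:
    """Problems that would stop the web server from locating its KDC at login time."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["libdefaults has no default_realm"]
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"[realms] {realm} has no kdc entry")
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(f"[domain_realm] maps no DNS domain to {realm}")
    return findings

def check_keytab(path: str) -> list:
    """Findings for a keytab deployed on a POSIX host; the web server account alone should read it."""
    st = os.stat(path)
    findings = []
    if st.st_size == 0:
        findings.append("keytab is empty")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab is readable by group or others")
    return findings

def demo():
    ini = render_krb5_ini("TEST.COM", "kdc.test.com", "test.com")   # kdc.test.com is constructed
    config_findings = check_config(parse_krb5(ini))
    with tempfile.TemporaryDirectory() as d:
        keytab = os.path.join(d, "http.keytab")
        with open(keytab, "wb") as f:
            f.write(b"\x05\x02" + b"\x00" * 16)   # placeholder bytes, not a real keytab
        os.chmod(keytab, 0o644)
        loose = check_keytab(keytab)             # world-readable: flagged
        os.chmod(keytab, 0o600)
        tight = check_keytab(keytab)             # owner-only: clean
    return config_findings, loose, tight
```

`demo()` returns an empty finding list for the rendered configuration, one finding for the 0644 keytab and none once it is 0600. Point render_krb5_ini at the realm and KDC host from the KDC configuration step, and run check_keytab against the path where the web server's keytab was placed.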

Kerberos Authentication Configuration at the Windows Workstation

To support Kerberos authentication, several Internet Explorer settings are required, and the workstation host is added to the KDC domain.

Important! If the KDC is deployed on UNIX, be sure to perform the additional required configuration on the workstation using the Ksetup utility.

To configure the Windows workstation to support Kerberos authentication

  1. Add the host for the Windows workstation to the KDC domain.
  2. Log in to the host using the user account created on the KDC.
  3. Configure Internet Explorer to pass credentials automatically:
    1. Start Internet Explorer.
    2. Select the Internet options menu.
    3. Select the Security tab.
    4. Select the Local intranet zone.
    5. Click Sites and select all three checkboxes.
    6. Select the Advanced tab and add http://*.domain.com to the local intranet zone.
    7. Click Custom level under Security settings and, under User Authentication, select Automatic logon only in Intranet zone.
    8. Select the Advanced tab of Internet options and select the Enable Integrated Windows authentication (requires restart) option.
    9. Close the browser.
    9. Close the browser.