
Kerberos KDC Configuration at the Domain Controller

When Kerberos is used, the domain controller is the key distribution center (KDC) for the Kerberos realm. In a pure Windows environment, a Kerberos realm is equivalent to a Windows domain. The domain controller host stores the user accounts, service accounts, and their credentials, and it runs the Kerberos ticketing services and the Windows domain services.

Kerberos authentication requires a keytab file, which lets users authenticate with the KDC without being prompted for a password. On Windows, the keytab file is created with the ktpass utility, a Windows support tool; ktadd is the equivalent utility on UNIX.

KDC configuration for SiteMinder on the domain controller host (Windows or UNIX) follows this general sequence:

  1. Create a user account. This account is for logging in to the workstation.
  2. Create a service account for the web server for logging in to the web server host.
  3. Create a service account for the Policy Server for logging in to the Policy Server host.
  4. Associate the web server account with a web server principal name.
  5. Create a keytab file, which is transferred to the web server host.
  6. Associate the Policy Server account with a Policy Server principal name.
  7. Create another keytab file, which is transferred to the Policy Server host.
  8. Specify that the web server and Policy Server accounts are Trusted for Delegation.

Important! For any service to use Kerberos protocol, be sure to create the Service Principal Name (SPN) in a standard format, that is, service/fqdn_host@REALM_NAME.
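The eight steps above, carried out on a Windows domain controller as an added example; this is not from the SiteMinder documentation. It assumes the ActiveDirectory PowerShell module, a 2008 R2 or later domain (for AES keytabs), and the placeholder realm, host names, account names, and the smps service class used for the Policy Server SPN.

```powershell
# Added example (not SiteMinder's own procedure). Assumes the ActiveDirectory module
# on the domain controller; every name below is a placeholder to replace.
Import-Module ActiveDirectory

$realm   = 'EXAMPLE.COM'                 # Kerberos realm = AD domain (placeholder)
$webHost = 'web01.example.com'           # web server FQDN (placeholder)
$psHost  = 'policy01.example.com'        # Policy Server FQDN (placeholder)
$webSpn  = "HTTP/$webHost"               # service/fqdn_host; realm is appended for ktpass
$psSpn   = "smps/$psHost"                # placeholder service class for the Policy Server
$ou      = 'OU=ServiceAccounts,DC=example,DC=com'

# Steps 1-3: a workstation user plus one service account per host.
New-ADUser -Name 'kerbuser' -SamAccountName 'kerbuser' -Path $ou -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'kerbuser password')
foreach ($svc in 'svc-web', 'svc-policy') {
    New-ADUser -Name $svc -SamAccountName $svc -Path $ou -Enabled $true `
        -PasswordNeverExpires $true -KerberosEncryptionType AES256 `
        -AccountPassword (Read-Host -AsSecureString "$svc password")
}

# Steps 4 and 6: bind each SPN to its account. setspn -S refuses to add an SPN that
# already exists in the forest; a duplicate SPN breaks ticket validation later.
setspn -S $webSpn svc-web
setspn -S $psSpn  svc-policy

# Steps 5 and 7: one keytab per host. ktpass /pass * prompts for a password and then
# RESETS the mapped account's password to it, so run it once and copy the file over a
# protected channel; the keytab holds the service's long-term key.
ktpass /princ "$webSpn@$realm" /mapuser "EXAMPLE\svc-web" /pass * `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out C:\keytabs\web01.keytab
ktpass /princ "$psSpn@$realm" /mapuser "EXAMPLE\svc-policy" /pass * `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out C:\keytabs\policy01.keytab

# Step 8: Trusted for Delegation. This is unconstrained delegation, so limit these
# accounts to the hosts named above and monitor them like any other privileged account.
Set-ADAccountControl -Identity svc-web    -TrustedForDelegation $true
Set-ADAccountControl -Identity svc-policy -TrustedForDelegation $true

# Check: no duplicate SPNs forest-wide, and each account shows its SPN and the flag.
setspn -X
Get-ADUser -Filter "SamAccountName -like 'svc-*'" `
    -Properties ServicePrincipalNames, TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalNames -join ';' } }
```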

More information:

KDC Configuration on Windows 2003 Example

KDC Configuration on UNIX Example