
KDC Configuration on Windows 2003 Example

The following steps show how to configure a Windows 2003 domain controller to support SiteMinder Kerberos authentication.

  1. Promote a Windows 2003 SP1 server to a domain controller (named test.com in this example) using the Windows dcpromo utility.
  2. Raise the domain functional level:
    1. Open Active Directory Users and Computers from Administrative Tools.
    2. Right-click the test.com node in the left pane of the dialog.
    3. Click Raise domain functional level.
    4. Raise the domain functional level of Active Directory to Windows Server 2003.

      Important! This step is irreversible.

  3. Create a user account (for example, testkrb). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. The Windows workstation uses this account to log in to test.com.
  4. Create a service account for the web server (for example, wasrvwin2k3iis6). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. The Windows 2003 IIS web server host (win2k3iis6) uses this account to log in to test.com.
  5. Create a service account for the Policy Server (for example, polsrvwin2kps). Provide a password for this account. Clear the option, User must change password at next logon. Add this account to the domain administrators group so that the user has permission to log in. The Windows 2003 Policy Server host (win2kps) uses this account to log in to test.com.
  6. Join the web server (win2k3iis6) and the Policy Server (win2kps) hosts to the test.com domain using the service accounts created in Steps 4 and 5.
  7. Associate the web server account (wasrvwin2k3iis6) with a web server principal name (HTTP/win2k3iis6.test.com@TEST.COM) and create a keytab file using the Ktpass utility. The syntax differs depending on whether the Policy Server is on Windows or on UNIX.

    Note: The Ktpass command-line utility is a Windows support tool. You can install it from the MSDN download site or from an installation CD. Always verify the version of the support tools. The default encryption type must always be RC4-HMAC. You can confirm the encryption type by running ktpass /? at the command prompt.

    When the Policy Server is on Windows:

    ktpass -out c:\wasrvwin2k3iis6.keytab -princ HTTP/win2k3iis6.test.com@TEST.COM 
    -ptype KRB5_NT_PRINCIPAL -mapuser wasrvwin2k3iis6 -pass <<password>>
    
    Targeting domain controller: winkdc.Test.com
    Using legacy password setting method
    Successfully mapped HTTP/win2k3iis6.test.com to wasrvwin2k3iis6.
    Key created.
    Output keytab to c:\wasrvwin2k3iis6.keytab:
    Keytab version: 0x502
    keysize 67 HTTP/win2k3iis6.test.com@TEST.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
    

    The password is the same as the one used when creating the service account for the web server.

    When the Policy Server is on UNIX:

    ktpass -out d:\sol8sunone_host.keytab -princ host/sol8sunone.test.com@TEST.COM -pass <<password>> -mapuser sol8sunone -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL -kvno 3
    
    Targeting domain controller: winkdc.test.com
    Successfully mapped host/sol8sunone.test.com to sol8sunone.
    Key created.
    Output keytab to d:\sol8sunone_host.keytab:
    Keytab version: 0x502
    keysize 52 host/sol8sunone.test.com@TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xb5a87ab5070e7f4a)
    Account sol8sunone has been set for DES-only encryption.
    

  8. Associate the Policy Server account (polsrvwin2kps) with a Policy Server principal name (smps/win2kps.test.com@TEST.COM) and create another keytab file destined for the Policy Server host (win2kps).

    When the Policy Server is on Windows:

    ktpass -out c:\polsrvwin2kps.keytab -princ smps/win2kps.test.com@TEST.COM -ptype KRB5_NT_PRINCIPAL -mapuser polsrvwin2kps -pass <<password>>

    Targeting domain controller: winkdc.Test.com
    Using legacy password setting method
    Successfully mapped smps/win2kps.test.com to polsrvwin2kps.
    Key created.
    Output keytab to c:\polsrvwin2kps.keytab:
    Keytab version: 0x502
    keysize 72 smps/win2kps.test.com@TEST.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
    

    The password is the same as the one used when creating the service account for the Policy Server.

    When the Policy Server is on UNIX:

    ktpass -out d:\sol8polsrv.keytab -princ host/sol8sunone.test.com@TEST.COM -pass <<password>> -mapuser sol8sunone -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL -kvno 3
    
    Targeting domain controller: winkdc.test.com
    Successfully mapped host/sol8sunone.test.com to sol8sunone.
    Key created.
    Output keytab to d:\sol8polserv.keytab:
    Keytab version: 0x502
    keysize 52 host/sol8sunone.test.com@TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xb5a87ab5070e7f4a)
    Account sol8sunone has been set for DES-only encryption.
    
  9. Specify that the web server and Policy Server service accounts are Trusted for Delegation as follows:
    1. Right-click the service account (polsrvwin2kps or wasrvwin2k3iis6) and select Properties.
    2. Select the Delegation tab.
    3. Select the second option, Trust this user for delegation to any service (Kerberos only).

      Or, select the third option, Trust this user for delegation to specified service. Select the Use Kerberos only option button, and add the corresponding service principal name.

The domain controller is ready for SiteMinder Kerberos authentication.
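A check worth running on each keytab before copying it to its host, written as an added example that is not part of the SiteMinder documentation: it parses the version 0x502 keytab that ktpass writes (the MIT keytab layout), confirms that the expected principal and kvno are present (the output above shows vno 2 for the Windows keytabs and kvno 3 for the UNIX ones), and flags single-DES entries such as etype 0x3 DES-CBC-MD5. The build_keytab helper, the all-zero placeholder key and the function names are constructed for this example; ktpass derives the real key from the account password.

```python
import struct

WEAK_ETYPES = {0x1, 0x2, 0x3}  # single-DES enctypes; ktpass prints DES-CBC-MD5 as etype 0x3

def _cstr(b):  # counted octet string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(principal, kvno, etype, key, timestamp=0):
    """Construct a one-entry 0x502 keytab as test input (MIT layout; the key is a placeholder, not a ktpass key)."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse every live entry of a 0x502 keytab; key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0: off += -size; continue  # a negative size marks a deleted slot of that length
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (n,) = struct.unpack_from(">H", data, p); realm = data[p + 2:p + 2 + n].decode(); p += 2 + n
        comps = []
        for _ in range(ncomp):
            (n,) = struct.unpack_from(">H", data, p); comps.append(data[p + 2:p + 2 + n].decode()); p += 2 + n
        name_type, _ts, vno = struct.unpack_from(">IIB", data, p); p += 9
        etype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if p + 4 <= end:  # optional 32-bit kvno trailer; a non-zero value overrides the 8-bit vno
            vno = struct.unpack_from(">I", data, p)[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno, "etype": etype, "keylen": klen})
        off = end
    return entries

def check_keytab(data, principal, kvno):
    """List what to fix before copying the keytab to the web server or Policy Server host."""
    entries = parse_keytab(data)
    problems = [f"{e['principal']}: single-DES etype 0x{e['etype']:x}" for e in entries if e["etype"] in WEAK_ETYPES]
    match = [e for e in entries if e["principal"] == principal]
    if not match:
        problems.append(f"no entry for {principal}")
    elif match[0]["kvno"] != kvno:  # kvno must match the account on the KDC or service tickets cannot be decrypted
        problems.append(f"{principal}: keytab kvno {match[0]['kvno']} != expected {kvno}")
    return problems
```

Run check_keytab on the file ktpass produced, passing the principal and kvno from its output; an empty list means the keytab carries the expected entry and no single-DES key.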