Kerberos Configuration at the Policy Server on Windows Example
The following procedure shows how to configure a Policy Server on Windows to support SiteMinder Kerberos authentication.
Note: If the Policy Server is installed on Windows and the KDC is deployed on UNIX, be sure to perform additional required configuration on the Policy Server host using the Ksetup utility.
- Install and configure SiteMinder Policy Server.
- Install and configure policy store directory services.
- Log in to the Policy Server host with the service account (for example, polsrvwin2kps) created in Active Directory on the Windows domain controller.
- Add a Host Configuration Object referencing the Policy Server.
- Create an Agent Configuration Object and add these three new parameters:

| Parameter | Value |
| --- | --- |
| KCCExt | .kcc |
| HttpServicePrincipal | Specifies the web server principal name. Example: HTTP/win2k3iis6.test.com@TEST.COM |
| SmpsServicePrincipal | Specifies the Policy Server principal name. Example: smps/win2kps.test.com@TEST.COM |

- Create a user directory.
- Create a user, for example, testkrb, in the user directory.
- Configure a new Authentication Scheme using the SiteMinder Admin UI:
  - Create the scheme using the custom template.
  - Specify the SiteMinder Kerberos Authentication Scheme library.
  - Select the parameter field and specify the following three values, in this order, delimited by semicolons:
    - Server name and target fields.
    - Policy Server principal name from the Windows 2003 Kerberos realm.
    - Mapping between the user principal and an LDAP search filter.

  Sample parameter field:

  ```
  http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;(uid=%{UID})
  ```
- Configure a policy domain.
- Add a realm to protect a resource using the Authentication Scheme.
- Add Rules and Policies to allow access for the user, testkrb.
- Configure a Kerberos configuration file (krb5.ini) and place it in the Windows system root path:
  - Configure the KDC for the Windows 2003 Kerberos realm (domain) to use the Windows 2003 domain controller.
  - Configure krb5.ini to use the Windows 2003 KDC keytab file containing the Policy Server principal credentials.

  See the following sample krb5.ini:

  ```ini
  [libdefaults]
  default_realm = TEST.COM
  default_keytab_name = C:\WINDOWS\krb5.keytab
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5

  [realms]
  TEST.COM = {
    kdc = winkdc.test.com:88
    default_domain = test.com
  }

  [domain_realm]
  .test.com = TEST.COM
  ```
- Deploy the Windows KDC keytab file containing the Policy Server principal credentials to a secure location on the Policy Server.
The Policy Server on a Windows host is configured for Kerberos authentication.
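As an added example (not part of the SiteMinder documentation or product), the following Python script cross-checks the three-part authentication scheme parameter field from the procedure above against the [libdefaults] section of krb5.ini: it verifies that the field has exactly three semicolon-delimited values, that the credentials URL ends in the KCCExt value, that the realm of the smps/ principal matches default_realm, that the LDAP filter carries the %{UID} placeholder, and it flags the DES and RC4 encryption types in the sample as deprecated. The sample inputs are constructed from the page's example values, and the function names are assumptions.

```python
import re

# Constructed sample inputs reusing the page's example values (hypothetical hosts).
KRB5_INI = """[libdefaults]
default_realm = TEST.COM
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
"""
PARAM_FIELD = ("http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;"
               "smps/win2kps.test.com@TEST.COM;(uid=%{UID})")
# DES enctypes are deprecated by RFC 6649, RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac"}

def libdefaults(ini_text):
    """Return the key/value pairs of the [libdefaults] section as a dict."""
    section, out = None, {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def check_scheme(param_field, ini_text, kcc_ext=".kcc"):
    """Cross-check the scheme parameter field against krb5.ini; return a list of findings."""
    parts = param_field.split(";")
    if len(parts) != 3:
        return ["parameter field must have exactly 3 semicolon-delimited values"]
    url, principal, ldap_filter = parts
    findings, defaults = [], libdefaults(ini_text)
    if not re.match(r"^https?://[^/]+/.+", url) or not url.endswith(kcc_ext):
        findings.append(f"credential URL must be http(s) and end with {kcc_ext}")
    m = re.match(r"^smps/([^@/]+)@([^@]+)$", principal)
    if not m:
        findings.append("Policy Server principal must look like smps/<host>@<REALM>")
    elif m.group(2) != defaults.get("default_realm"):
        findings.append(f"principal realm {m.group(2)} != default_realm {defaults.get('default_realm')}")
    if "%{UID}" not in ldap_filter or ldap_filter.count("(") != ldap_filter.count(")"):
        findings.append("LDAP filter must contain %{UID} and have balanced parentheses")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES.intersection(defaults.get(key, "").split())
        if weak:
            findings.append(f"{key} allows deprecated enctypes: {', '.join(sorted(weak))}")
    return findings
```

Run it against the real parameter field and krb5.ini before deploying the keytab; a realm mismatch between the principal and default_realm is the most common reason the scheme silently fails to obtain a ticket.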