Configure a Kerberos Authentication Scheme

A custom authentication scheme is required to support Kerberos authentication in the SiteMinder environment.

To configure a Kerberos authentication scheme

  1. Log in to the Policy Server User Interface.

    Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.

  2. Select the System tab.

    A list of system-related objects appears.

  3. Right-click Authentication Schemes and click Create Authentication Scheme.

    The Authentication Scheme Properties dialog appears.

  4. Select Custom Template from the Authentication Scheme Type list.

    Custom Template settings appear.

  5. Enter smauthkerberos in the Library field.
  6. Enter the following values in the Parameter field. Enter the values in the order listed below, delimited by semicolons:
    1. The name of the machine hosting the web server and the target fields
    2. The Policy Server principal name from the Kerberos domain
    3. The mapping between the user principal and the user store search filter

    LDAP Example 1: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;(uid=%{UID})

    LDAP Example 2: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;(uid=%{UID})

    AD Example 1: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;(cn=%{UID})

    AD Example 2: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;(cn=%{UID})

    ODBC Example 1: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;%{UID}

    ODBC Example 2: http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;smps/win2kps.test.com@TEST.COM;%{UID}

  7. Click OK.

    The Kerberos Authentication scheme is saved and appears in the Authentication Scheme List.

    Associate this authentication scheme with any realm whose protected resources use Kerberos authentication.
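
The Parameter value from step 6 is order-sensitive and easy to get wrong when assembled by hand, so it can be checked before it is pasted into the dialog. The following Python sketch is an added example, not part of the product or its documentation. It assumes the shapes shown in the examples above (an http(s) URL, a principal of the form service/host@REALM, and a mapping that contains %{UID}), and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumed principal shape, taken from the examples on this page: service/host@REALM
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")
UID_TOKEN = "%{UID}"


def check_kerberos_scheme_parameter(param):
    """Split a Parameter-field value; return (fields, problems)."""
    parts = param.split(";")
    if len(parts) != 3:
        return None, [f"expected 3 semicolon-delimited values, found {len(parts)}"]
    target, principal, mapping = parts
    problems = []

    # Value 1: web server host plus target, e.g. http://host/.../creds.kcc
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("value 1 is not an http(s) URL with a host name")
    elif not url.path.strip("/"):
        problems.append("value 1 has no target path after the host name")

    # Value 2: Policy Server principal name from the Kerberos domain
    if not PRINCIPAL_RE.match(principal):
        problems.append("value 2 is not of the form service/host@REALM")

    # Value 3: mapping from user principal to user store search filter
    if UID_TOKEN not in mapping:
        problems.append("value 3 does not contain " + UID_TOKEN)
    if mapping.count("(") != mapping.count(")"):
        problems.append("value 3 has unbalanced parentheses")

    fields = {"target": target, "principal": principal, "mapping": mapping}
    return fields, problems


if __name__ == "__main__":
    # First string is the LDAP example from this page; second is constructed (order swapped).
    good = ("http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;"
            "smps/win2kps.test.com@TEST.COM;(uid=%{UID})")
    swapped = ("smps/win2kps.test.com@TEST.COM;"
               "http://win2k3iis6.test.com/siteminderagent/Kerberos/creds.kcc;(uid=%{UID})")
    for value in (good, swapped):
        print(check_kerberos_scheme_parameter(value)[1] or "OK")
```

An empty problem list only means that the value matches the layout shown in the examples; it does not confirm that the principal exists in the Kerberos domain or that the search filter matches the user store.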