Creating the Authentication Class, Method, and Contract

Ensure that Prerequisites for Configuring Kerberos Authentication are met.

  1. In the Local page, click Classes > New.

  2. Specify the following details:

    Display name: Specify a name that you can use to identify this class.

    Java class: Select KerberosClass.

  3. Click Next.

  4. Specify the following details:

    Service Principal Name (SPN): Specify the value of the servicePrincipalName attribute of the Identity Server user.

    For this example configuration, this is HTTP/amser.nam.example.com.

    Kerberos Realm: Specify the name of the Kerberos realm. The default value for this realm is the domain name of the Active Directory server, entered in all capitals. The value in this field is case-sensitive.

    For this example configuration, this is AD.EXAMPLE.COM.

    JAAS config file for Kerberos: Verify the default path. This must be the same path to which you copied the keytab file (see Step 2 in Configuring the Keytab File) and must end with the name of the configuration file, bcsLogin.conf.

    See Creating the bcsLogin Configuration File.

    Kerberos KDC: Specify the IP address of the KDC. If multiple KDCs are present for fail-over support, specify the IP addresses separated by a colon (:). You can configure up to four IP addresses.

    If an L4 switch is configured for load balancing among KDCs, specify the virtual IP address of the L4 switch in this field.

    User Attribute: Specify the name of the Active Directory attribute that combines the cn of the user with the DNS domain name to form its value.

    This attribute is an alternate name for user login. Accept the default value unless you have set up a different attribute.

  5. (Conditional) If you have configured your users to have multiple User Principal Names (UPN) so they can log in using different names (such as jdoe@abc.com, jdoe@bcd.com, and jdoe@cde.com), click New, specify the suffix (such as @abc.com), then click OK.

  6. Click Finish.

    IMPORTANT: You must create only one Kerberos class. This is due to a limitation in the underlying Sun JGSS.

  7. On the Local page, click Methods > New.

  8. Specify the following details:

    Display name: Specify a name that you can use to identify this method.

    Class: Select the class that you created for Kerberos.

    User stores: Move the Active Directory user store to the list of User stores.

    If you have only one installed user store, <Default User Store> can be used.

    If you have multiple user stores, Active Directory must be in this list (or, if it is configured to be the default user store, <Default User Store> must be in this list).

    NOTE: The testing procedure to verify Kerberos authentication depends on whether Active Directory is configured as the default user store. See Step 13.

    You can add the following properties to the method configuration when using the Kerberos class for PAC support:

    • PacAvailable - The default value is false. If PacAvailable is set to true, the IDP tries to fetch and resolve the PAC group object SIDs (for example, S-1-5-21-984308178-4145981665-1136610315-1134) from the Kerberos ticket.

    • ResolvedGroupNames - The default value is false. If ResolvedGroupNames is set to true, the IDP tries to resolve the PAC group object SIDs to group names (for example, TempSecurityGroup2) through LDAP calls to Active Directory, based on the user store settings. If the user store directory is not Active Directory, the object SIDs in the PAC are not resolved and are stored as-is.

    • ExtendedParameter - Configured by the administrator. If the property is not added or has no value, the default name KerbPACGroups is used. The ExtendedParameter property defines the parameter used by the External Parameter risk rule.

    For instance, risk policies can be configured based on whether a given group name is present in the ExtendedParameter property. If the risk is low, the user is authenticated; if the risk is high, a step-up method is followed. The ExtendedParameter defined in the Kerberos method stores the Kerberos PAC information, and the ExtendedParameter RBA rule uses it to check whether PAC data is available for the user.

    NOTE: The Kerberos PAC enhancement uses the RBA post-authentication scenario.

  9. Click Finish.

  10. In the Local page, click Contracts > New.

  11. Specify the following details:

    Display name: Specify a name that you can use to identify this contract.

    URI: Specify a value that uniquely identifies the contract from all other contracts.

    Methods: From the list of Available methods, move your Kerberos method to Methods.

    You do not need to configure other contract options.

  12. Click Finish.

  13. (Optional) To use the procedure that verifies the authentication configuration, make the Active Directory user store the default user store.

    1. In the Local page, click Defaults.

    2. Specify the following details:

      User Store: Select the name of your Active Directory user store.

      Authentication Contract: Select the name of your Kerberos contract.

    3. Click OK.

      This allows you to log in directly to Identity Server by using the Kerberos contract. If you have already logged in to the Active Directory domain on the Windows machine, single sign-on is enabled and you are not prompted to log in to Identity Server.

  14. On the Identity Servers page, click Update.

    Wait until the Health icon turns green. Click Refresh to update the page.

  15. If you want to configure Access Gateways to use the Kerberos contract, update these devices so that the Kerberos contract is available.

  16. Continue with Creating the bcsLogin Configuration File.