Configuring Kerberos

Kerberos requires configuration in Windows (KDC and Active Directory), the MSS Administrative Console, and your browser.

Configure KDC and Active Directory

To configure Windows Authentication - Kerberos authentication, these steps must first be done on the KDC:

• Create a Service Account
• Assign an SPN
• Create a keytab

Create a Service Account for your MSS deployment

1. Open Active Directory Users and Computers (Start | Administrative Tools | Active Directory Users and Computers).

2. Select the Active Directory domain in the menu on the left.

3. Select the New User action to display the New User wizard.

4. In the Full name field, type the name of your MSS deployment service account (such as my-mss-deployment).

5. In the User logon name field, type the name of your MSS deployment used in step 4.

6. Click Next.

7. Assign a password to this service account. Be sure to take note of this password because it will be needed later.

8. Uncheck User must change password at next logon.

9. Check Password never expires.

10. Click Next.

11. Click Finish.

Assign an SPN for the Cluster DNS to the Service Account

1. Open a command prompt with Administrator rights.

2. To verify no duplicate SPN entries exist, type the command setspn -X.

3. Type the command
   setspn -A HTTP/<fully-qualified-cluster-DNS> <service-account-name>

   Example: setspn -A HTTP/my-cluster-DNS.my-company.com my-mss-deployment

4. To verify the SPN was successfully added, type the command

   setspn -L <service-account-name>

For further help on the spn command, use the setspn /help command.

Create a Keytab for the Service Account to be used by MSS

1. Open a command prompt with Administrator rights.

2. Type the command

   ktpass -princ HTTP/<fully-qualified-cluster-DNS>@<active-directory-domain> -mapuser <service-account-name> -pass <service-account-password> -ptype KRB5_NT_PRINCIPAL -crypto ALL -out <service-account-name>.keytab

   Example:

   ktpass -princ HTTP/my-cluster-DNS.my-company.com@MYDOMAIN.COM -mapuser my-mss-deployment@MYDOMAIN.COM -pass password -ptype KRB5_NT_PRINCIPAL -crypto ALL -out my-mss-deployment.keytab

3. Make sure the keytab file that is created is available when configuring Windows Authentication - Kerberos in the MSS Administrative Console.

Update supported encryption types and delegation rights in the SPN

1. Open Active Directory Users and Computers (Start | Administrative Tools | Active Directory Users and Computers).

2. In the left menu, click the Active Directory domain to expand the tree.

3. In the list of containers, click Users.

4. Find the user that was created in step 5 of the Configure KDC and Active Directory section.

5. Right-click that user and click Properties.

6. Open the Account tab.

7. In the Account options dialog, scroll to the bottom of the options list.

   Locate and CHECK these two items:

   • This account supports Kerberos AES 128 bit encryption
   • This account supports Kerberos AES 256 bit encryption

   

   Note

   In the event a Kerberos Unsupported etype error is received, check "Do not require Kerberos preauthentication".
   For more information, see this Microsoft article.

8. Open the Delegation tab.

   Notice the default setting: Do not trust this user for delegation.

9. Click these two items:

   • Trust this user for delegation to specified services only
   • Use any authentication protocol

   

10. Add the service ldap for the LDAP server that will be used to assign users.

11. Click Apply and OK.

Settings in the MSS Administrative Console

After enabling Kerberos and configuring the KDC and Active Directory to generate the keytab file, you must configure Kerberos in the MSS Administrative Console. Follow these steps:

1. Be sure to enable OAuth to enable the Kerberos settings.

2. Navigate to Configure Settings - Authentication & Authorization and click Windows Authentication - Kerberos.

3. Select the desired Authorization method.

4. In the Kerberos Configuration section, enter the following:

   a. Realm - The name of your realm or domain name. For example, MYCOMPANY.COM.

   b. Service Principal Name (SPN) - The SPN created for your MSS instance. Enter the SPN using the indicated format: HTTP/<fully-qualified-cluster-DNS>@<REALM-NAME>.

   c. Key Distribution Center (KDC) - Specify the KDC or domain controller host name.

   d. Port - Enter the KDC port if different from the default of 88.

   e. Click IMPORT to upload the keytab file generated on the KDC. This file must be available on the system used to access the MSS Administrative Console.

   f. Click TEST CONNECTION to test that the KDC can be accessed.

5. In the LDAP Servers section, click ADD to configure the Active Directory used by the KDC.

   (See LDAP Configuration for further details).

6. Click Apply.

Configure your browser for Kerberos

To sign in using Kerberos, your browser must be configured correctly for Windows Authentication via Kerberos and your machine must be a member of the proper domain (Kerberos realm).

Consult your browser's Help for instructions on how to enable Kerberos.

Verify your Kerberos configuration

Now that your single MSS server is configured for Windows Authentication - Kerberos, it is a good idea to verify that the configuration is working correctly.

Steps to verify:

1. Use a client system that is a member of the Active Directory domain.

2. Log on to the client system using the credentials of a user that is a member of the Active Directory.

3. Be sure to Configure your browser for Kerberos.

4. Once configured for Kerberos, use that browser to access the url:

   https://<fully-qualified-cluster-dns>/osp/a/hc/auth/app

5. To verify your Kerberos configuration:

   When configured correctly, you should see that the user logged in to the client machine is logged in to the web application without being prompted for any credentials.

   When NOT configured correctly, you may see a prompt for credentials indicating that LDAP fallback has occurred, or you may encounter an error message. If this happens, see Troubleshooting Kerberos Configuration for assistance.