5.2 Configuring Active Directory to Assign Kerberos Tickets

Complete the following sections to enable Active Directory to issue Kerberos tickets that the Identity Server can accept. When a user logs in to Active Directory, he or she is automatically issued a Kerberos ticket-granting ticket; the user's browser later uses it to obtain a service ticket for the Identity Server's service principal, and that service ticket is what the Identity Server decrypts with the keytab created below.

5.2.1 Installing the setspn and ktpass Utilities

The setspn and ktpass utilities must be installed on the Active Directory domain controller. On Windows Server 2003 they are not installed by default; they are part of the Windows Support Tools. You need both of these utilities to configure the Access Manager Identity Server for Kerberos authentication. (On Windows Server 2008 and later, both utilities ship with the operating system and this section can be skipped.)

  1. Insert the Windows 2003 disk into the CD drive.

  2. To install the utilities, run \SUPPORT\TOOLS\SUPTOOLS.MSI on the CD.

    The utilities are installed in C:\Program Files\Support Tools.

5.2.2 Creating a User Account in Active Directory for the Identity Server

Creating this account gives the Identity Server from Access Manager a Kerberos service principal: the account's service principal names identify the Identity Server to the KDC, and the key derived from the account's password is exported to the keytab that the Identity Server uses to decrypt service tickets.

  1. In the user management tool, use the following information to create the user account:

    firstname: Specify a name for the Identity Server.

    lastname: Specify a name for the Identity Server.

    userPrincipalName: Specify the userPrincipalName. The format is HTTP/your.idp.fqdn@YOUR.DOMAIN, where your.idp.fqdn is the DNS name that browsers use to reach the Identity Server and YOUR.DOMAIN is the Kerberos realm (the Active Directory domain name in upper case).

    For example: HTTP/amser.provo.novell.com@AD.NOVELL.COM

    samAccountName: Specify the samAccountName (logon name) for the user, for example the firstname-lastname value. This is the account name that the setspn and ktpass utilities require.

    password: Specify a password for this user account.

    Deselect the option User must change password at next logon and select the option Password never expires. The user account needs a password, but it must never expire or be changed: the keytab created below holds a key derived from this password, so any password change invalidates the keytab and breaks Kerberos authentication at the Identity Server until a new keytab is exported and copied.

  2. Set the servicePrincipalName attribute on the user object. Replace samAccountName with the value you specified in Step 1.

    1. From a command line, enter:

      setspn -a HTTP/amser.provo.novell.com@AD.NOVELL.COM samAccountName

    2. From a command line, enter:

      setspn -a HTTP/amser.provo.novell.com samAccountName

    Each service principal name must be registered on exactly one account in the forest. If another account already carries HTTP/amser.provo.novell.com, the KDC cannot determine which key to use and Kerberos authentication to the Identity Server fails.
      
  3. Use the ktpass utility to export the keytab file. The keytab gives the Identity Server the key it needs to decrypt the Kerberos service tickets that browsers present to it, so the Identity Server can authenticate the user itself and then provide single sign-on to the SAP Portal.

    ktpass /out nidp.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser samAccountName@AD.NOVELL.COM /pass secret +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

    Replace secret with the password from Step 1. Note that /pass resets the account password to the value given, so the account and the keytab end up with the same key. The +DesOnly and /crypto DES-CBC-MD5 options shown here restrict the account to single DES, which is a weak cipher; Windows Server 2008 R2 and later and Windows 7 and later disable DES for Kerberos by default, so on such domains omit +DesOnly and use /crypto AES256-SHA1 or AES128-SHA1, after confirming that the Identity Server's JRE supports the chosen encryption type.
    
  4. Copy the keytab file to the JRE security directory on the Identity Server. The keytab is equivalent to the service account's password: transfer it over an encrypted channel and restrict read access to the account under which the Identity Server runs.

    • Linux: /opt/novell/java/jre/lib/security

    • Windows: C:\Program Files\Novell\jre\lib\security

5.2.3 Creating a Keytab File

The keytab file contains the long-term secret key of the Identity Server's service principal, the key that is used to decrypt the Kerberos service tickets presented by users' browsers. You need to generate the keytab file on the domain controller and copy it to the Identity Server.

  1. On the Active Directory server, open a command window and enter a ktpass command with the following parameters:

    ktpass /out value /princ value /mapuser value /pass value

    The command parameters require the following values:

    /out <outputFilename>: Specify a name for the file, with .keytab as the extension. For example: nidpkey.keytab

    /princ <servicePrincipalName>@<KERBEROS_REALM>: Specify the service principal name for the Identity Server, then @, followed by the Kerberos realm. The default value for the Kerberos realm is the Active Directory domain name in all capitals. The Kerberos realm value is case sensitive.

    /mapuser <identityServerUser>@<AD_DOMAIN>: Specify the username of the Identity Server user and the Active Directory domain to which the user belongs.

    /pass <userPassword>: Specify the password for this user. ktpass resets the account's password to this value, so it must be the password you want the account to keep.

    For this configuration example, you would enter the following command to create a keytab file named nidpkey.keytab:

    ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell

  2. Copy the keytab file to the Identity Server.

    The default location for the keytab file on the Identity Server is:

    • Linux: /opt/novell/java/jre/lib/security

    • Windows: C:\Program Files\Novell\jre\lib\security
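The procedures in Section 5.2.2 and Section 5.2.3 as one script, with the checks the steps above leave implicit. This is an added example, not part of the Novell documentation or the Access Manager product. It assumes a Windows Server 2008 R2 or later domain controller with the ActiveDirectory PowerShell module and an elevated session; the host amser.provo.novell.com, realm AD.NOVELL.COM and account name amser come from the page's example, the export path C:\Temp\nidp.keytab is an assumption, and AES replaces the DES-CBC-MD5 encryption type used in the original commands.

```powershell
# Added example (not Novell's code): scripted form of sections 5.2.2 and 5.2.3.
# Assumes a Windows Server 2008 R2+ DC with the ActiveDirectory module, run elevated.
# Host name, realm and account name follow the page's example; the output path is assumed.
Import-Module ActiveDirectory

$IdpFqdn    = 'amser.provo.novell.com'   # DNS name browsers use for the Identity Server
$Realm      = 'AD.NOVELL.COM'            # Kerberos realm: AD domain in upper case (case sensitive)
$Sam        = 'amser'                    # samAccountName of the service account
$Spn        = "HTTP/$IdpFqdn"
$Principal  = "$Spn@$Realm"
$KeytabPath = 'C:\Temp\nidp.keytab'      # assumed export location on the DC

# 1. Refuse to continue if another object already owns the SPN. Kerberos needs exactly
#    one account per SPN; a duplicate leaves the KDC issuing tickets the Identity Server
#    cannot decrypt.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                      -Properties servicePrincipalName, sAMAccountName
if ($owner -and $owner.sAMAccountName -ne $Sam) {
    throw "SPN $Spn is already registered on $($owner.DistinguishedName)"
}

# 2. Random alphanumeric password from a CSPRNG. Nobody types it; it only seeds the key
#    in the keytab. Alphanumeric so neither PowerShell nor ktpass argument parsing can
#    mangle it (the slight modulo bias is irrelevant at 40 characters).
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
$bytes    = New-Object byte[] 40
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password       = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

# 3. Section 5.2.2 step 1: the service account. The password never expires and the user
#    cannot change it, because a change would invalidate the exported keytab. Only AES
#    encryption types are allowed on the account (no DES, no RC4).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    New-ADUser -Name $Sam -GivenName 'Identity' -Surname 'Server' `
        -SamAccountName $Sam -UserPrincipalName $Principal `
        -AccountPassword $SecurePassword -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -CannotChangePassword $true -KerberosEncryptionType 'AES128,AES256'
}

# 4. Section 5.2.2 step 2: register the SPN. setspn -S checks for duplicates forest-wide
#    before adding (use -A on setspn versions that lack -S).
setspn -S $Spn $Sam | Out-Null

# Verify the registration on the account itself rather than trusting setspn's exit code.
$registered = (Get-ADUser $Sam -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Spn) { throw "setspn did not register $Spn on $Sam" }

# 5. Section 5.2.2 step 3 / 5.2.3: export the keytab. /pass resets the account password,
#    so the same random value is passed here. AES256-SHA1 replaces the page's DES-CBC-MD5.
ktpass /out $KeytabPath /princ $Principal /mapuser "$Sam@$Realm" /pass $Password `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL | Out-Null
if (-not (Test-Path $KeytabPath)) { throw 'ktpass did not produce a keytab file' }

# 6. The keytab is equivalent to the account password: restrict it on the DC before
#    copying it to the Identity Server over an encrypted channel.
icacls $KeytabPath /inheritance:r /grant:r 'Administrators:(R)' | Out-Null

Write-Host "Keytab $KeytabPath for $Principal is ready to copy to jre\lib\security on the Identity Server"
```

Every ktpass run increments the account's key version number, so an earlier keytab stops working the moment a new one is exported; re-copy the file whenever you re-run the script. On a Linux Identity Server with the MIT Kerberos tools installed, `klist -k -t -e /opt/novell/java/jre/lib/security/nidp.keytab` lists the principal, key version and encryption type in the copied file, which is the quickest way to confirm that the realm is in upper case and that no DES key is present.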