You must create a new user in Active Directory for the Identity Server, set up this user account to be a service principal, create a keytab file, and add the Identity Server to the Forward Lookup Zone. These tasks are described in the following sections:
When you install Windows Server 2003 and Active Directory, the spn and ktpass utilities are not installed in a default installation. These utilities are installed in a default Windows Server 2008 installation.
You need the spn and ktpass utilities to configure the Identity Server for Kerberos authentication.
Insert the Windows 2003 CD into the CD drive.
To install the utilities, run \SUPPORT\TOOLS\SUPTOOLS.MSI on the CD.
The utilities are installed in C:\Program Files\Support Tools.
In Active Directory on your Windows server, select the option to create a new user.
Fill in the following fields:
First name: Specify the hostname of the Identity Server. This is the username. For the example configuration, this is amser.
User logon name: Specify HTTP/<Identity_Server_Base_URL>. For this example configuration, your Identity Server has a base URL of amser.provo.novell.com, so you would specify the following for the user logon name:
HTTP/amser.provo.novell.com
The realm is displayed next to the user logon name.
User logon name (pre-Windows 2000): Specify the hostname of the Identity Server. The default value must be modified. For the example configuration, this is amser.
Continue to the next page of the wizard and configure the password and its options:
Password: Specify a password for this user.
Confirm password: Enter the same password.
User must change password at next logon: Deselect this option.
Password never expires: Select this option.
Complete the remaining pages of the wizard. This creates the Identity Server user. You need to remember the values you assigned to this user, because they are used in the setspn and ktpass commands that follow.
To set the servicePrincipalName (spn) attribute on this user, open a command window and enter the following command:
setspn -A HTTP/<userLogonName> <userName>
For this configuration example, you would enter the following command:
setspn -A HTTP/amser.provo.novell.com@REALM.NOVELL.COM amser
This adds the servicePrincipalName attribute to the user specified with the value specified in the -A parameter.
(Optional) Verify that the user has the required servicePrincipalName attribute with a valid value. Enter the following command:
setspn -L <userName>
For this configuration example, you would enter the following command:
setspn -L amser
The keytab file contains the secret encryption key that is used to decrypt the Kerberos ticket. You need to generate the keytab file and copy it to the Identity Server.
On the Active Directory server, open a command window and enter a ktpass command with the following parameters:
ktpass /out value /princ value /mapuser value /pass value
The parameters take the name of the keytab file to write (/out), the service principal (/princ), the Active Directory user the principal is mapped to (/mapuser), and that user's password (/pass).
For this configuration example, you would enter the following command to create a keytab file named nidpkey:
ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell
Copy the keytab file to the Identity Server.
Copy the file to the default location on the Identity Server:
Linux: /opt/novell/java/jre/lib/security
Windows Server 2003: C:\Program Files\Novell\jre\lib\security
Windows Server 2008: C:\Program Files (x86)\Novell\jre\lib\security
If the cluster contains multiple Identity Servers, copy the keytab file to each member of the cluster.
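The keytab written by ktpass carries the secret key for the service principal, so before it is copied into the Identity Server's security directory it is worth confirming that it holds the principal you expect, in the expected realm, with an encryption type you are willing to accept, and that the file is not readable by other accounts. The following Python is an added example, not code from the Access Manager documentation or product: it parses the standard keytab format (version 0x0502) that ktpass writes, builds a constructed sample keytab matching the example configuration above, and reports a missing principal, a lower-case realm, weak DES or RC4 encryption types, and over-permissive file modes. The sample keys and the key version numbers are made up for the example.

```python
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 0x0502: big-endian fields

# Encryption type numbers from RFC 3961 / the IANA registry; DES and RC4 are legacy and weak.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(b):
    """Keytab 'counted string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Build a constructed keytab from (principal, kvno, enctype, key) tuples.
    Stands in for the file ktpass writes; the keys are sample bytes, not real key material."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry in a version 0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # newer keytabs append a 32-bit kvno after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key_len": len(key),
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype)})
        pos = end
    return entries


def check_keytab(data, expected_principal):
    """Return a list of findings; an empty list means the keytab looks right."""
    findings = []
    entries = parse_keytab(data)
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("expected principal %s not present; found %s"
                        % (expected_principal, sorted({e["principal"] for e in entries})))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("entry %s uses weak enctype %s" % (e["principal"], e["enctype_name"]))
        realm = e["principal"].rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append("realm %r is not upper-case; Kerberos realms are case-sensitive" % realm)
    return findings


def check_keytab_file(path, expected_principal):
    """Run check_keytab on a file and also flag group- or world-readable permissions."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is readable by group or others (mode %o)" % (path, stat.S_IMODE(mode)))
    with open(path, "rb") as f:
        findings += check_keytab(f.read(), expected_principal)
    return findings


# Constructed sample matching the example configuration on this page (keys and kvno are made up).
EXPECTED = "HTTP/amser.provo.novell.com@AD.NOVELL.COM"
SAMPLE_KEYTAB = build_keytab([(EXPECTED, 3, 18, bytes(range(32))),   # aes256 entry
                              (EXPECTED, 3, 23, bytes(range(16)))])  # rc4-hmac entry, a legacy type

if __name__ == "__main__":
    for line in check_keytab(SAMPLE_KEYTAB, EXPECTED) or ["keytab OK"]:
        print(line)
```

On the Identity Server, `check_keytab_file("/opt/novell/java/jre/lib/security/nidpkey.keytab", EXPECTED)` performs the same checks on the copied file; a finding about the realm or principal usually means the /princ value given to ktpass did not match the user logon name configured in Active Directory.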
In the DNS management tool on your Windows server, open the forward lookup zones and click the Active Directory domain.
In the right pane, right-click and select the option to add a new host record, then fill in the following fields:
Name: Specify the hostname of the Identity Server.
IP Address: Specify the IP address of the Identity Server.
Confirm the entry to add the host record for the Identity Server.