You can use Kerberos as an authentication method for the identity applications that allows single sign-on (SSO). This also allows users to use Integrated Windows Authentication to log in to the applications. This section provides instructions for configuring Active Directory to use Kerberos for connecting to the identity applications:
Use the Active Directory administration tools to configure Active Directory for Kerberos authentication. You need to create a new Active Directory user account for Identity Governance and Identity Reporting. If Identity Governance and Identity Reporting are not on the same server, you must create two accounts. The user account name must use the DNS name of the server that hosts Identity Governance or Identity Reporting.
NOTE: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.
As an Administrator in Active Directory, use the Microsoft Management Console (MMC) to create a new user account with the DNS name of the server that hosts Identity Governance or Identity Reporting.
For example, if the DNS name of the server is idgov.mycompany.com, use the following information to create the user:
First name: idgov
User login name: HTTP/idgov.mycompany.com
Pre-windows logon name: idgov
Set password: Specify the appropriate password. For example: Passw0rd.
Password never expires: Select this option.
User must change password at next logon: Do not select this option.
Associate the new user with the Service Principal Name (SPN).
In the Active Directory server, open a cmd shell.
At the command prompt, enter the following:
setspn -A HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN userID
For example:
setspn -A HTTP/idgov.mycompany.com@MYCOMPANY.COM idgov
Verify setspn by entering setspn -L userID.
To generate the keytab file, use the ktpass utility:
At the command line prompt, enter the following:
ktpass /out filename.keytab /princ servicePrincipalName /mapuser userPrincipalName /mapop set /pass password /crypto ALL /ptype KRB5_NT_PRINCIPAL
For example:
ktpass /out idgov.keytab /princ HTTP/identity-governance.mycompany.com@MYCOMPANY.COM /mapuser idgov /mapop set /pass Passw0rd /crypto All /ptype KRB5_NT_PRINCIPAL
IMPORTANT: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.
Copy the rbpm.keytab file to your Identity Governance server.
As an Administrator in Active Directory, create an end user account with the MMC to prepare for SSO.
The end user account name has to match some attribute value of an eDirectory user in order to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.
(Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.
Configure the server for Identity Governance or the server for Identity Reporting to accept the Kerberos configuration by proceeding to Section 9.4.2, Configuring the Identity Governance Server and the Identity Reporting Server.
You must configure your Identity Governance server and the Identity Reporting server to use the Kerberos keytab file and the user account that you have created in Active Directory. Ensure that you complete Section 9.4.1, Configuring the Kerberos User Account in Active Directory before proceeding.
NOTE: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.
To define your operating system settings for the Kerberos configuration, complete the following steps:
Open the krb5 file in a text editor on the Identity Governance server.
Linux: /etc/krb5.conf
Windows: C:\Windows\krb5.ini
Add the following information to the krb5 file:
[libdefaults]
    default_realm = WINDOWS-DOMAIN
    kdc_timesync = 0
    forwardable = true
    proxiable = false
[realms]
    WINDOWS-DOMAIN = {
        kdc = FQDN Active Directory Server
        admin_server = FQDN Active Directory Server
    }
[domain_realm]
    .your.domain = WINDOWS-DOMAIN
    your.domain = WINDOWS-DOMAIN
For example:
[libdefaults]
    default_realm = MYCOMPANY.COM
    kdc_timesync = 0
    forwardable = true
    proxiable = false
[realms]
    MYCOMPANY.COM = {
        kdc = myadserver.mycompany.com
        admin_server = myadserver.mycompany.com
    }
[domain_realm]
    .mycompany.com = MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM
Save the changes and close the krb5 file.
To define the Kerberos configuration information for Apache Tomcat, complete the following steps:
Create a sample Kerberos_login.config file on the Identity Governance server where the Apache Tomcat instance is running with the following content:
NOTE: The novlua user needs permissions to create the Kerberos_login.config file.
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    refreshKrb5Config="true"
    useTicketCache="true"
    ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN"
    useKeyTab="true"
    keyTab="/absolute_path/filename.keytab"
    storeKey="true";
};
An example on a Windows server is as follows:
keyTab="c:\\NetIQ\\IdentityGovernance\\apps\\tomcat\\kerberos\\rbpm.keytab"
In the file, specify values for principal and keyTab. For example:
principal="HTTP/idgov.mycompany.com@MYCOMPANY.COM"
keyTab="/home/usr/rbpm.keytab"
The value for principal must match the same value that you specified for Kerberos. For more information, see Step 3.
Provide the absolute path of the keytab file on your Identity Governance server. The file does not have to reside in the default directory for Identity Governance.
Reference the Kerberos_login.config file from the JVM java.security file by adding the following line:
login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config
The path listed is the default installation location for a Linux server.
An example of the java.security file on a Windows server is as follows:
login.config.url.1=file:c:/NetIQ/IdentityManager/apps/tomcat/kerberos/Kerberos_login.config
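The SPN registered with setspn and ktpass, the default_realm in the krb5 file, and the principal and keyTab in Kerberos_login.config must all agree, and a mismatch in any of them is the usual reason SPNEGO login silently falls back to the password form. The following checker is an added example and is not part of the NetIQ documentation or product; the krb5 and JAAS file contents are constructed sample input, with the JAAS principal deliberately naming a different host than the SPN so the mismatch is reported.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath
# Constructed sample input (not from a real server). The JAAS principal
# deliberately names a different host than the SPN so the checker flags it.
KRB5_CONF = """[libdefaults]
    default_realm = MYCOMPANY.COM
[realms]
    MYCOMPANY.COM = { kdc = myadserver.mycompany.com }
"""
JAAS_CONF = """com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/identity-governance.mycompany.com@MYCOMPANY.COM"
    useKeyTab="true" keyTab="/home/usr/rbpm.keytab" storeKey="true";
};
"""
SPN = "HTTP/idgov.mycompany.com@MYCOMPANY.COM"  # value given to setspn and ktpass

PRINCIPAL_RE = re.compile(r"^HTTP/(?P<host>[^@/\s]+)@(?P<realm>[^@\s]+)$")

def jaas_option(text, name):
    """Return the quoted value of a Krb5LoginModule option (principal, keyTab, ...)."""
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % re.escape(name), text)
    return m.group(1) if m else None

def default_realm(krb5_text):
    """Return default_realm from the [libdefaults] section, or None if absent."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.MULTILINE)
    return m.group(1) if m else None

def is_absolute(path):
    """True for an absolute Linux path or an absolute Windows drive path."""
    return PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute()

def check_kerberos_config(spn, krb5_text, jaas_text):
    """Return a list of problems; an empty list means SPN, krb5 and JAAS agree."""
    problems = []
    spn_m = PRINCIPAL_RE.match(spn)
    if not spn_m:
        return ["SPN is not of the form HTTP/host@REALM: %s" % spn]
    if spn_m["realm"] != spn_m["realm"].upper():
        problems.append("realm in SPN must be uppercase: %s" % spn_m["realm"])
    realm = default_realm(krb5_text)
    if realm != spn_m["realm"]:
        problems.append("krb5 default_realm %r != SPN realm %r" % (realm, spn_m["realm"]))
    principal = jaas_option(jaas_text, "principal")
    if principal != spn:
        problems.append("JAAS principal %r != SPN %r" % (principal, spn))
    keytab = jaas_option(jaas_text, "keyTab")
    if not keytab or not is_absolute(keytab):
        problems.append("keyTab must be an absolute path: %r" % keytab)
    return problems
```

Point the three inputs at the real SPN and the files on the Identity Governance server; an empty result means the names line up, and any remaining failure is then a keytab or key version problem rather than a naming one.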
To specify the authentication method in the Identity Governance Configuration utility, complete the following steps:
Launch the Identity Governance Configuration Update utility on the Identity Governance server. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the Authentication tab.
At the end of the page, click Show Advanced Options.
Under Authentication Method > Method select Kerberos.
In the Mapping attribute name field, specify cn.
Select any of the following options that apply to your environment:
Enable fallback reCAPTCHA and provide the additional required information. For more information, see Section 8.2.5, Configuring OSP to Use Google reCAPTCHA.
Enable fallback two-factor authentication
Use logout landing page
Click OK to save the changes.
Restart Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
(Optional) Repeat these steps for Identity Reporting if you installed it on a separate server.
Configure the browsers that end-users use to access the identity applications. For more information, see Section 9.4.3, Configure the End-User Browsers to Use Integrated Windows Authentication.
The browsers that your end-users use to access Identity Governance and Identity Reporting also need to be configured for Integrated Windows Authentication. This section provides instructions for configuring an end-user computer to support single sign-on access using Integrated Windows Authentication.
NOTE: You must perform this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance and Identity Reporting.
Log in to the computer where users need single sign-on access.
Open the Internet options control panel.
Click Security.
Click Trusted Sites > Sites.
Add the DNS name of the Identity Governance and Identity Reporting server.
For example: idgov.mycompany.com
Click Add, then click Close.
Click Custom level....
Under User Authentication, select Automatic logon with current user name and password.
Click OK.
In Internet Options, click Advanced.
Under Security, select Enable Integrated Windows Authentication.
Repeat this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance and Identity Reporting.