38.1 Configuring the Kerberos User Account in Active Directory

Use the Active Directory administration tools to configure Active DIrectory for Kerberos authentication. You need to create a new Active Directory user account for the identity applications and identity reporting. The user account name must use the DNS name of the server that hosts the identity applications and identity reporting.

NOTE:For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.

  1. As an Administrator in Active Directory, use the Microsoft Management Console (MMC) to create a new user account with the DNS name of the server that hosts the identity applications.

    For example, if the DNS name of the identity applications server is rbpm.mycompany.com, use the following information to create the user:

    First name: rbpm

    User login name: HTTP/rbpm.mycompany.com

    Pre-windows logon name: rbpm

    Set password: Specify the appropriate password. For example: Passw0rd.

    Password never expires: Select this option.

    User must change password at next logon: Do not select this option.

  2. Associate the new user with the Service Principal Name (SPN).

    1. In the Active Directory server, open a cmd shell.

    2. At the command prompt, enter the following:

      setspn -A HTTP/DNS_Identity_Applications_server@WINDOWS-DOMAIN userID 

      For example:

      setspn -A HTTP/rbpm.mycompany.com@MYCOMPANY.COM rbpm
    3. Verify setspn by entering setspn -L userID.

  3. To generate the keytab file, use the ktpass utility:

    1. At the command line prompt, enter the following:

      ktpass /out filename.keytab /princ servicePrincipalName /mapuser userPrincipalName /mapop set /pass password /crypto ALL /ptype KRB5_NT_PRINCIPAL

      For example:

                        ktpass /out rbpm.keytab /princ HTTP/rbpm.mycompany.com@MYCOMPANY.COM /mapuser rbpm  /mapop set /pass Passw0rd /crypto All /ptype KRB5_NT_PRINCIPAL
                      

      IMPORTANT:For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.

    2. Copy the rbpm.keytab file to your identity applications server.

  4. An an Administrator in Active Directory, create an end user account with the MCC to prepare for SSO.

    The end user account name has to match some attribute value of an eDirectory user in order to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.

  5. (Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.

  6. Configure the server for the identity applications to accept the Kerberos configuration. For more information, see Configuring the Identity Applications Server.