5.2 Configuring Active Directory

You must create a new user in Active Directory for the Identity Server, set up this user account to be a service principal, create a keytab file, and add the Identity Server to the Forward Lookup Zone. These tasks are described in the following sections:

5.2.1 Installing the setspn and the ktpass Utilities for Windows Server 2003

The setspn and ktpass utilities are not part of a default Windows Server 2003 installation, even when Active Directory is installed; they are shipped in the Support Tools package on the installation CD. A default Windows Server 2008 installation includes both utilities.

You need the setspn and ktpass utilities to register the service principal name and generate the keytab file for the Identity Server.

  1. Insert the Windows 2003 CD into the CD drive.

  2. To install the utilities, run \SUPPORT\TOOLS\SUPTOOLS.MSI on the CD.

    The utilities are installed in C:\Program Files\Support Tools.

5.2.2 Creating and Configuring the User Account for the Identity Server

  1. In Manage Your Server on your Windows server, select the Manage users and computers in Active Directory option.

  2. Select to create a new user.

  3. Fill in the following fields:

    First name: Specify the hostname of the Identity Server. This is the username. For the example configuration, this is amser.

    User logon name: Specify HTTP/<Identity_Server_Base_URL>. For this example configuration, your Identity Server has a base URL of amser.provo.novell.com, and you would specify the following for the User Logon Name:

    HTTP/amser.provo.novell.com
    

    The realm is displayed next to the User logon name.

    User logon name (pre Windows 2000): Specify the hostname of the Identity Server. Replace the default value, which is derived from the logon name, with the hostname. For the example configuration, this is amser.

  4. Click Next, and configure the password and its options:

    Password: Specify a password for this user

    Confirm password: Enter the same password.

    User must change password at next logon: Deselect this option.

    Password never expires: Select this option. The keytab file you generate later contains a key derived from this password. If the password expires or is changed, that key no longer matches the tickets the KDC issues and you must regenerate the keytab with ktpass and copy it to the Identity Server again.

  5. Click Next, then click Finish.

    This creates the Identity Server user. You need to remember the values you assigned to this user for First name and User logon name.

  6. To set the servicePrincipalName (spn) attribute on this user, open a command window and enter the following commands:

    setspn -A HTTP/<userLogonName> <userName>

    setspn -A HOST/<userLogonName> <userName>

    For this configuration example, you would enter the following commands:

    setspn -A HTTP/amser.provo.novell.com@AD.NOVELL.COM amser

    setspn -A HOST/amser.provo.novell.com@AD.NOVELL.COM amser

    Each command adds the value specified with the -A parameter to the servicePrincipalName attribute of the specified user. An SPN must be unique in the forest: if the same SPN is registered on a second account (for example, on the computer account of a host with the same name), the KDC cannot determine which account's key to use and Kerberos authentication to the Identity Server fails. On Windows Server 2008, setspn -X reports duplicate SPNs.

  7. (Optional) Verify that the user has the required servicePrincipalName attribute with a valid value. Both the HTTP/ and the HOST/ values must appear in the output. Enter the following command:

    setspn -L <userName>
    

    For this configuration example, you would enter the following command:

    setspn -L amser
    

5.2.3 Configuring the Keytab File

The keytab file contains the long-term key of the Identity Server's service account, derived from the account password. The Identity Server uses this key to decrypt the service ticket that a browser presents during Kerberos authentication. Whoever holds the keytab holds the service's key and can decrypt or forge tickets for the service, so treat the file like the account password: generate it on the Active Directory server, copy it to the Identity Server over a protected channel, and keep it readable only by the account that runs the Identity Server.

  1. On the Active Directory server, open a command window and enter a ktpass command with the following parameters:

    ktpass /out value /princ value /mapuser value /pass value
    

    The command parameters require the following values:

    /out <outputFilename>: Specify a name for the file, with .keytab as the extension. For example: nidpkey.keytab

    /princ <servicePrincipalName>@<KERBEROS_REALM>: Specify the service principal name for the Identity Server, then @, followed by the Kerberos realm. The default value for the Kerberos realm is the Active Directory domain name in all capitals. The Kerberos realm value is case sensitive; a keytab generated with the realm in the wrong case does not match the tickets the KDC issues, and the Identity Server cannot find a key for them.

    /mapuser <identityServerUser>@<AD_DOMAIN>: Specify the username of the Identity Server user and the Active Directory domain to which the user belongs. ktpass maps the principal specified with /princ to this account.

    /pass <userPassword>: Specify the password for this user. ktpass sets the account password to this value, so specify the password you configured when you created the user.

    ktpass also accepts /crypto to select the encryption type of the key it writes. If you omit it, the default depends on the Windows Server version and can be single DES, which is deprecated.

    For this configuration example, you would enter the following command (on one line) to create a keytab file named nidpkey.keytab:

    ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell
    
    The password appears in clear text on the command line and in the shell's command history. Use a strong password in production rather than the example value.

  2. Copy the keytab file to the Identity Server.

    Use a channel that protects the file in transit (for example, scp to a Linux Identity Server), because the keytab is equivalent to the service account password. Copy the file to the default location on the Identity Server, then restrict read access to the account that runs the Identity Server:

    Linux: /opt/novell/java/jre/lib/security

    Windows Server 2003: C:\Program Files\Novell\jre\lib\security

    Windows Server 2008: C:\Program Files (x86)\Novell\jre\lib\security

  3. If the cluster contains multiple Identity Servers, copy the keytab file to each member of the cluster.
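Before the keytab is copied to each cluster member, it is worth confirming that ktpass wrote the principal, realm and key type the Identity Server expects, because a realm in the wrong case or a mismatched principal fails only later, at the first login. The following Python script parses a keytab and reports such problems. It is an added example for this guide, not Novell or Microsoft code. It assumes the keytab uses the MIT 0x0502 layout with big-endian fields, which is what ktpass writes; the sample keytab it builds in memory carries a dummy 16-byte key that is constructed for the example and not derived from any password.

```python
"""Parse a Kerberos keytab (MIT 0x0502 layout, as written by ktpass) and
check that it carries the service principal the Identity Server expects.
Added example; not part of Novell's product code."""
import struct

KEYTAB_VERSION = 0x0502      # ktpass writes this version; all fields big-endian
KRB5_NT_PRINCIPAL = 1

# RFC 3961/3962/4757 encryption-type numbers
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4 are deprecated


def _counted(buf, off):
    """Read a 16-bit-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(data):
    """Return one dict per live entry in a 0x0502 keytab."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:                       # trailing padding: nothing more to read
            break
        if size < 0:                        # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)    # v2: realm is not counted in ncomp
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                  # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps),
            "realm": realm.decode("utf-8"),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
    return entries


def build_keytab(principal, realm, enctype, key, kvno=1, timestamp=0):
    """Write a single-entry 0x0502 keytab; used here to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode("utf-8")
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">Hi", KEYTAB_VERSION, len(body)) + body


def check_keytab(data, expected_principal, expected_realm):
    """Return a list of problems; an empty list means the keytab looks usable."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    if not any(e["principal"] == expected_principal and e["realm"] == expected_realm
               for e in entries):
        problems.append("no entry for %s@%s" % (expected_principal, expected_realm))
    for e in entries:
        who = "%s@%s" % (e["principal"], e["realm"])
        if e["realm"] != e["realm"].upper():
            problems.append("%s: realm is not upper case (realms are case sensitive)" % who)
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s: weak enctype %s" % (who, e["enctype_name"]))
    return problems


# Constructed sample for the example configuration; the key bytes are a dummy.
SAMPLE_KEYTAB = build_keytab("HTTP/amser.provo.novell.com", "AD.NOVELL.COM",
                             23, bytes(range(16)), kvno=3)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print("%s@%s kvno=%d %s (%d-byte key)" % (e["principal"], e["realm"],
                                                 e["kvno"], e["enctype_name"], e["key_len"]))
    for p in check_keytab(data, "HTTP/amser.provo.novell.com", "AD.NOVELL.COM"):
        print("WARNING:", p)
```

Run it with the path to the generated file (the script name is a choice for this example) on the Active Directory server before copying and again on each Identity Server after copying. A warning that there is no entry for the expected principal usually means the realm was given in the wrong case or the /princ value does not match the SPN registered with setspn; an arcfour-hmac or DES warning means ktpass chose a key type you may want to override with /crypto.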

5.2.4 Adding the Identity Server to the Forward Lookup Zone

  1. In Manage Your Server on your Windows server, click Manage this DNS server.

  2. Click Forward Lookup Zone.

  3. Click the Active Directory domain.

  4. In the right pane, right click, and select New Host (A).

  5. Fill in the following fields:

    Name: Specify the hostname of the Identity Server (amser in the example configuration). This must be the same hostname that appears in the HTTP/ service principal name, because the browser requests a ticket for the hostname in the URL it connects to.

    IP Address: Specify the IP address of the Identity Server.

  6. Click Add Host.