5.5 Kerberos Authentication

This section provides instructions for configuring Sentinel to work with Kerberos authentication.

NOTE: Before you continue, ensure that you have read the enablement considerations and met all prerequisites. For more information, see Enablement Considerations and Prerequisites for MFA, Kerberos, and OAuth.

5.5.1 Configuring the Sentinel Server for Kerberos Authentication

To use Kerberos authentication in Sentinel, you must complete the following steps on the Sentinel server.

  1. Log in to the Sentinel server as the novell user.

  2. Go to the /etc/opt/novell/sentinel/config directory and complete the following steps:

    1. Open the osp-configuration.properties file.

    2. Add the following properties:

      com.netiq.sentinel.osp.krb.enabled=true

      com.netiq.sentinel.osp.login.method=krb

5.5.2 Configuring the Kerberos User Account in Active Directory

To use Kerberos authentication in Sentinel, you need to create a new Active Directory user account for the Sentinel server. The user account name must use the DNS name of the Sentinel server. Use the Active Directory administration tools to configure Active Directory for Kerberos authentication.

NOTE: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.

  1. As an Administrator in Active Directory, use the Microsoft Management Console (MMC) to create a new user account with the DNS name of the Sentinel server.

    For example, if the DNS name of the Sentinel server is rbpm.mycompany.com, ensure the following:

    First name: rbpm

    User logon name: HTTP_rbpm.mycompany.com

    NOTE: The slash character ( / ) is not supported during user creation. After you save the user account, edit the user account and replace / with an underscore ( _ ).

    Pre-windows logon name: rbpm

    Set password: Specify the appropriate password

    Password never expires: TRUE

    User must change password at next logon: FALSE

    This account supports Kerberos AES 128 bit encryption: TRUE

    This account supports Kerberos AES 256 bit encryption: TRUE

    Do not require Kerberos preauthentication: TRUE

  2. To associate the new user with the Service Principal Name (SPN), complete the following steps:

    1. Open a cmd shell.

    2. Run the following command:

      setspn -A HTTP/DNS_Sentinel_server@WINDOWS-DOMAIN userID

      For example:

      setspn -A HTTP/rbpm.mycompany.com@MYCOMPANY.COM rbpm

  3. To generate the keytab file, complete the following steps:

    1. At the command prompt, enter the following:

      ktpass /out filename.keytab /princ servicePrincipalName /mapuser userPrincipalName /pass password /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

      For example:

      ktpass /out rbpm.keytab /princ HTTP/rbpm.mycompany.com@MYCOMPANY.COM /mapuser rbpm /pass Passw0rd /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

      IMPORTANT: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.

    2. Copy the filename.keytab file to the /etc/opt/novell/sentinel/config directory on the Sentinel server, and then change the file permission to novell.

  4. Log in to the Sentinel server as the novell user.

  5. Go to the /etc/opt/novell/sentinel/config directory and create krb5.conf.

  6. Open krb5.conf and add the following:

    # Default Kerberos Realm
    [libdefaults]
    default_realm = <WINDOWS-DOMAIN>
    kdc_timeout = 15000
    max_retries = 2
    udp_preference_limit = 1
    admin_server = <DomainControllerIPAddress>
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    
    # Define Kerberos Realms. Each realm needs to be in its own section
    [realms]
    <WINDOWS-DOMAIN> = {
    kdc = <DomainControllerIPAddress>
    }
    # Define Domain to Kerberos Realm mapping for each realm
    [domain_realm]
    <Windows-Domain> = <WINDOWS-DOMAIN>
    # Logging
    [logging]
    kdc = FILE:/home/novell/kdc.log
    admin_server = FILE:/home/novell/admin.log
    default = SYSLOG:NOTICE:DAEMON

  7. In the /etc/opt/novell/sentinel/config directory, open the auth.login file and add the following entry:

    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    refreshKrb5Config="true"
    doNotPrompt="true"
    principal="HTTP/<DNS_Sentinel_server>@<WINDOWS-DOMAIN>"
    useKeyTab="true"
    keyTab="/etc/opt/novell/sentinel/config/<filename>.keytab"
    useTicketCache="false"
    storeKey="true";
    };

  8. To enable AES256 in your Java Runtime Environment, complete the following steps:

    1. Download Java Cryptography Extension (JCE) 8 from the following location:

      http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

    2. Extract the two *.jar files and copy them to the /opt/novell/sentinel/jdk/jre/lib/security directory.

    3. (Conditional) If you are running Sentinel in an HA environment, repeat these steps on all nodes in the cluster.

  9. (Optional) To enable debug logs for troubleshooting, complete the following steps:

    1. In the /etc/opt/novell/sentinel/config directory, open the server.conf file.

    2. Ensure the following:

      • wrapper.java.additional.50=-Dsun.security.krb5.debug=true

      • com.netiq.sentinel.osp.logging.level=ALL

  10. Ensure that the user mappings between AD, LDAP, and Sentinel are correct.

  11. Restart the Sentinel server:

    rcsentinel restart

  12. (Conditional) If you are running Sentinel in an HA environment, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v
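As an added check that is not part of the Sentinel documentation: the following Python script parses a keytab in the MIT 0x0502 format that ktpass writes and reports whether it fits the configuration above, that is, the principal equals the one in auth.login, the realm is uppercase, the enctype is one of the AES types listed in krb5.conf, and the name type is KRB5_NT_PRINCIPAL. The keytab bytes are constructed inline with dummy key material; to check the real file, pass the contents of rbpm.keytab to check_keytab.

```python
import struct
AES_ENCTYPES = {17, 18}  # aes128-cts-hmac-sha1-96 / aes256-cts-hmac-sha1-96 from krb5.conf
NT_PRINCIPAL = 1         # KRB5_NT_PRINCIPAL, the /ptype given to ktpass

def _cs(s):  # keytab counted string: uint16 big-endian length followed by the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_entry(principal, etype, key, kvno=2):
    """Constructed MIT keytab entry for test data (timestamp 0); not produced by a KDC."""
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + _cs(realm) + b"".join(map(_cs, name.split("/")))
    body += struct.pack(">IIBHH", NT_PRINCIPAL, 0, kvno, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse an MIT 0x0502 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # negative size marks a deleted slot; zero ends parsing
            off += -size or len(data)
            continue
        body, p, parts = data[off:off + size], 2, []
        for _ in range(struct.unpack_from(">H", body)[0] + 1):   # realm, then name components
            (n,) = struct.unpack_from(">H", body, p)
            parts.append(body[p + 2:p + 2 + n].decode())
            p += 2 + n
        name_type, _ts, _vno8, etype, _klen = struct.unpack_from(">IIBHH", body, p)
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "etype": etype, "name_type": name_type})
        off += size
    return entries

def check_keytab(data, expected_principal):
    """Return the problems found; an empty list means the keytab fits the configuration above."""
    problems = []
    for e in parse_keytab(data):
        realm = e["principal"].rsplit("@", 1)[1]
        checks = [(realm == realm.upper(), "realm %s is not uppercase" % realm),
                  (e["principal"] == expected_principal, "principal %s does not match auth.login" % e["principal"]),
                  (e["etype"] in AES_ENCTYPES, "enctype %d is not permitted by krb5.conf" % e["etype"]),
                  (e["name_type"] == NT_PRINCIPAL, "name type %d is not KRB5_NT_PRINCIPAL" % e["name_type"])]
        problems += [msg for ok, msg in checks if not ok]
    return problems

# Constructed samples: the page's SPN with a dummy AES256 key, and a wrong one (lowercase realm, RC4 etype 23)
EXPECTED = "HTTP/rbpm.mycompany.com@MYCOMPANY.COM"
GOOD_KEYTAB = b"\x05\x02" + build_entry(EXPECTED, 18, b"\x00" * 32)
BAD_KEYTAB = b"\x05\x02" + build_entry("HTTP/rbpm.mycompany.com@mycompany.com", 23, b"\x00" * 16)
```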

5.5.3 Configuring Browsers to Use Integrated Windows Authentication

To use Kerberos authentication in Sentinel, any browser you use to access Sentinel must use Integrated Windows Authentication.

NOTE: You must perform this procedure for each user’s computer.

Internet Explorer

  1. In the Internet Options dialog box, click Security.

  2. Click Trusted Sites > Sites.

  3. Add the DNS name of the Sentinel server.

    For example: https://rbpm.mycompany.com

  4. Click Add, then click Close.

  5. Click Custom level.

  6. Under User Authentication, select Automatic logon with current user name and password.

  7. Click OK.

  8. Repeat this procedure for each end-user computer.

Mozilla Firefox

  1. In the browser’s address field, type about:config.

  2. Set the value of the following preferences to the Windows domain name, such as .mycompany.com:

    • network.automatic-ntlm-auth.trusted-uris

    • network.negotiate-auth.trusted-uris

  3. Repeat this procedure for each end-user computer.

Google Chrome

  1. Go to Settings, and then click Show advanced settings.

  2. Under Network, click Change proxy settings.

  3. In the Internet Properties dialog box, click Security.

  4. Click Trusted Sites > Sites.

  5. Add the DNS name of the Sentinel server.

    For example: https://rbpm.mycompany.com

  6. Click Add, then click Close.

  7. Click Custom level.

  8. Under User Authentication, select Automatic logon with current user name and password.

  9. Click OK.

  10. Repeat this procedure for each end-user computer.