CA Single Sign-On - 12.52 SP1

Policy Server Configuration for Kerberos Authentication

Last update March 11, 2016

The following illustration shows an overview of the Policy Server configuration:

[Illustration: Policy Server Configuration for Kerberos]

The following tasks are required to set up a Policy Server and configure a Kerberos authentication scheme. The configuration applies to Windows and UNIX; differences for each platform are noted.

Install and Configure the Policy Server

  1. Install and configure the Policy Server.
  2. Install and configure policy store directory services.
  3. Create a user directory.
  4. Create a user, for example, testkrb, in the user directory.

For details, see the Policy Server installation and configuration instructions.

Configure the Agent Configuration Object

The Agent Configuration Object (ACO) defines the configuration for the Web Agent. Configure the ACO at the Policy Server.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Agent Configuration.
  3. Create an Agent or modify an existing Agent.
  4. Add the following three parameters to the ACO:
    • KCCExt
      Specifies a MIME type mapping for the Kerberos Credential Collector (KCC)
      Value: .kcc
    • SmpsServicePrincipal
      Specifies the Policy Server principal name.
      Example: smps@example.com
      The service principal name in the ACO is not a Kerberos name. It is a Generic Security Service API (GSS-API) name and has to be in the GSS-API format. Do not confuse this name with the Policy Server service principal name.
    • HttpServicePrincipal
      Specifies the web server principal name.
      Example: HTTP/www.example.com@EXAMPLE.COM

Set up a Kerberos Authentication Scheme

The authentication scheme is assigned to the resources that you want to protect with Kerberos authentication. This procedure assumes that you have a working Kerberos setup.

Follow these steps:

  1. Log on to the Administrative UI.
  2. Select Infrastructure, Authentication.
  3. Click Authentication Schemes.
  4. Click Create Authentication Scheme.
  5. Verify that Create a new object of type Authentication Scheme is selected and click OK.
  6. Enter a name.
  7. Enter a protection level. The default is 5.
  8. (Optional) Select Password policies enabled for this authentication scheme.
  9. Select Kerberos Authentication Template from the Authentication Scheme Type list.
  10. Specify values for the following settings for the authentication scheme:
    • Server Name: Specify the URL of the web server where the browser directs users for authentication.
      Example: www.example.com
    • Target: Specify the location of the Kerberos credential collector.
      Example: /siteminderagent/Kerberos/creds.kcc
    • SMPS Principal Name: Specify the Kerberos service principal name of the Policy Server.
      Example: smps/pserver.example.com@EXAMPLE.COM
    • User DN: Enter the user DN lookup that lets the Policy Server find a user in the user store.
      Example: (sAMAccountName=%{UID})
  11. (Optional) If you have more than one Windows domain, specify mappings between the Kerberos realm and the Windows domains. One Kerberos realm can map to many Windows domains. When you use the DOMAIN variable in the User DN Lookup field, this mapping is required, even when the realm and domain names are the same.
  12. Click Submit.

The Kerberos authentication scheme is saved.
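As an added pre-deployment check that is not part of the CA documentation, the following Python script lints the ACO parameters and the authentication scheme settings from the two procedures above, using the example values on this page: it confirms that the Target uses the KCCExt extension, that SmpsServicePrincipal is a GSS-API name while HttpServicePrincipal and SMPS Principal Name are Kerberos principals, that the HttpServicePrincipal host matches the Server Name, and that a User DN using %{DOMAIN} comes with a realm mapping. The dictionary keys and the Realm Mappings key are assumptions for illustration, not Policy Server identifiers.

```python
import re

# Shapes of the two name formats the page contrasts: a GSS-API host-based
# service name (service@host) and a Kerberos principal (service/host@REALM).
GSS_NAME = re.compile(r"^[\w-]+@[\w.-]+$")
KRB_PRINCIPAL = re.compile(r"^[\w-]+/[\w.-]+@[\w.-]+$")

# Constructed sample settings, taken from the examples on this page.
ACO = {
    "KCCExt": ".kcc",
    "SmpsServicePrincipal": "smps@example.com",
    "HttpServicePrincipal": "HTTP/www.example.com@EXAMPLE.COM",
}
SCHEME = {
    "Server Name": "www.example.com",
    "Target": "/siteminderagent/Kerberos/creds.kcc",
    "SMPS Principal Name": "smps/pserver.example.com@EXAMPLE.COM",
    "User DN": "(sAMAccountName=%{UID})",
    "Realm Mappings": {},  # hypothetical key: Kerberos realm -> Windows domains
}

def lint_kerberos_config(aco, scheme):
    """Return findings as a list of strings; an empty list means the settings agree."""
    findings = []
    ext = aco.get("KCCExt", "")
    if not ext.startswith("."):
        findings.append("KCCExt must be a file extension such as .kcc")
    elif not scheme.get("Target", "").endswith(ext):
        findings.append("Target does not end with the KCCExt extension, so the Web Agent "
                        "will not treat it as the credential collector")
    if not GSS_NAME.match(aco.get("SmpsServicePrincipal", "")):
        findings.append("SmpsServicePrincipal must be a GSS-API name (service@host), "
                        "not a Kerberos principal")
    http = aco.get("HttpServicePrincipal", "")
    if not KRB_PRINCIPAL.match(http):
        findings.append("HttpServicePrincipal must be service/host@REALM")
    elif http.split("/", 1)[1].split("@", 1)[0].lower() != scheme.get("Server Name", "").lower():
        findings.append("HttpServicePrincipal host does not match the scheme's Server Name")
    if not KRB_PRINCIPAL.match(scheme.get("SMPS Principal Name", "")):
        findings.append("SMPS Principal Name must be service/host@REALM")
    user_dn = scheme.get("User DN", "")
    if "%{UID}" not in user_dn:
        findings.append("User DN lookup does not reference %{UID}")
    if "%{DOMAIN}" in user_dn and not scheme.get("Realm Mappings"):
        findings.append("User DN uses %{DOMAIN} but no realm-to-domain mapping is defined "
                        "(required even when realm and domain names are the same)")
    return findings

if __name__ == "__main__":
    for line in lint_kerberos_config(ACO, SCHEME) or ["OK: ACO and scheme settings agree"]:
        print(line)
```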

Establish an Access Policy for Users

Configure an access policy to authenticate users requesting a Kerberos-protected resource.

Follow these steps:

  1. Configure a policy domain.
  2. Add a realm to protect a resource and assign the Kerberos authentication scheme to the realm.
  3. Add rules and policies that allow access for the users. In this example, the user is testkrb.

For details, see instructions on configuring policies.

The Policy Server is configured to support Kerberos authentication.
