4.1.6. Procedure – Enabling Kerberos authentication in AS

Complete the following steps to enable Kerberos authentication in Authentication Server in a Windows Active Directory (AD) environment.

Steps: 

  1. In MC select Authentication Server > Instances > Edit.

  2. Select the GSSAPI/Kerberos5 checkbox in the Methods section and provide the realm in the Principal name field.


    Figure 4.14. Providing Kerberos realm

  3. Create the domain user in the Active Directory. Use the Principal name provided in the previous step.


    Figure 4.15. Creating the domain user

  4. Start the Command Prompt in the Domain Controller with Administrator privileges.

  5. Run the following command:

    setspn -a http/<username> <username>

    Figure 4.16. Running the command

  6. In the Active Directory window, select the user created in Step 3 and open the user's Properties.

  7. A new Delegation tab is available now. Select the Trust this user for delegation to any service (Kerberos only) option. Click Apply.


    Figure 4.17. Authenticating a user

  8. Switch to the Account tab in the Properties menu item. Select the This account supports Kerberos AES 256 bit encryption option and click OK to apply the setting.

    Figure 4.18. Setting encryption

  9. Install the Kerberos packages on the server that needs them, for example on the Authentication Agent.

    #:apt-get install krb5-user

  10. Provide the FQDN of the default realm during the installation process.

  11. Test Kerberos with the following commands. In the example the FQDN is BALASYS.DEMO.

    #:kinit svc_vas@BALASYS.DEMO
    #:klist -e
    #:kdestroy

  12. Create the Kerberos keytab with the following commands:

    #:ktutil
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 1 -e aes256-cts-hmac-sha1-96
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 2 -e aes256-cts-hmac-sha1-96
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 3 -e aes256-cts-hmac-sha1-96
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 4 -e aes256-cts-hmac-sha1-96
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 5 -e aes256-cts-hmac-sha1-96
    ktutil:addent -password -p svc_vas@BALASYS.DEMO -k 6 -e aes256-cts-hmac-sha1-96
    ktutil:wkt /etc/krb5.keytab
    ktutil:exit
    #:chown vas /etc/krb5.keytab
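The keytab creation in steps 11 and 12 is interactive: ktutil prompts for the same password six times, once per key version number (the kvno assigned by AD is not known in advance, so the manual adds entries for kvno 1 through 6). The script below is an added example, not part of the manual or the product; it generates the ktutil command script, feeds it to ktutil in one go, restricts the keytab to its owner, and then proves the keytab works by obtaining a ticket with `kinit -kt`, which needs no password. The principal svc_vas@BALASYS.DEMO, the owner `vas` and the enctype aes256-cts-hmac-sha1-96 (the keytab must match the AES 256 account option enabled in step 8) are taken from the manual; the 0600 mode, the `MAX_KVNO` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Authentication Server manual: build the keytab
# for the Authentication Agent non-interactively and verify it.
# Assumed values (override via environment to match your deployment):
PRINCIPAL="${PRINCIPAL:-svc_vas@BALASYS.DEMO}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
OWNER="${OWNER:-vas}"
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96}"   # matches the AES 256 account option
MAX_KVNO="${MAX_KVNO:-6}"                        # the manual adds kvno 1..6

# Emit the ktutil command script: one "addent" per kvno, each followed by the
# password line that "addent -password" reads from stdin, then "wkt" and "exit".
# Arguments: principal, max kvno, enctype, password, keytab path.
ktutil_script() {
    kvno=1
    while [ "$kvno" -le "$2" ]; do
        printf 'addent -password -p %s -k %s -e %s\n%s\n' "$1" "$kvno" "$3" "$4"
        kvno=$((kvno + 1))
    done
    printf 'wkt %s\nexit\n' "$5"
}

# Exit 0 when the file exists and is readable and writable only by its owner
# (mode 0600). A keytab is a long-term credential; nobody else should read it.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Read the AD password once without echo, run ktutil on the generated script,
# then hand the keytab to the service user and close its permissions.
write_keytab() {
    printf 'Password for %s: ' "$PRINCIPAL"
    stty -echo; read -r password; stty echo; printf '\n'
    ktutil_script "$PRINCIPAL" "$MAX_KVNO" "$ENCTYPE" "$password" "$KEYTAB" | ktutil
    unset password
    chown "$OWNER" "$KEYTAB"
    chmod 0600 "$KEYTAB"
}

# Verify: permissions are tight, an AES256 entry is present, and the keytab
# really obtains a TGT for the principal (kinit -kt asks for no password).
verify_keytab() {
    keytab_perms_ok "$KEYTAB" || { echo "keytab permissions too open: $KEYTAB"; return 1; }
    klist -k -t -e "$KEYTAB" | grep -q "$ENCTYPE" || { echo "no $ENCTYPE entry in $KEYTAB"; return 1; }
    kinit -kt "$KEYTAB" "$PRINCIPAL" || { echo "kinit with keytab failed"; return 1; }
    klist -e          # shows the ticket and its enctype, as in step 11
    kdestroy
}

# Usage: sh build-keytab.sh run   (as root, on the Authentication Agent)
if [ "${1:-}" = "run" ]; then
    write_keytab && verify_keytab
fi
```

If `kinit -kt` fails with a "preauthentication failed" style error while `kinit` with the password in step 11 succeeds, the usual causes are a kvno outside the 1..6 range (compare with `kvno` after a password kinit) or an enctype mismatch with the account option set in step 8.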