Configuring Windows Server and Active Directory for Kerberos Authentication
Use the following procedure to configure Active Directory as the key distribution center (KDC) for Kerberos authentication on a Windows machine that hosts My webMethods Server.
To configure Active Directory as the key distribution center (KDC) for Kerberos authentication on Windows
1. Configure user accounts on Active Directory (AD). Do not select any encryption. The default encryption is RC4.
2. Create a keytab file to register the Service Principal Name (SPN) of the users, using the Ktpass tool as follows:
ktpass -out <Keytab_File_Name>.keytab -princ HTTP/<FQDN_of_Active_Directory_Server>@<Domain_Name> -mapUser <FQDN_of_Active_Directory_Server>@<FQDN_of_MWS_Server_Machine> -mapop set -pass <MWS_Server_User_Password> -crypto all -ptype KRB5_NT_PRINCIPAL -kvno 0
The keytab file lists the SPN and encrypted passwords of each My webMethods Server user configured on KDC.
Consider the following example:
ktpass -out MWS_Kerberos_User.keytab -princ HTTP/VMHOSTNAME.SPARTA.RNDLAB.LOC@SPARTA.RNDLAB.LOC -mapUser Bob@SPARTA.RNDLAB.LOC -mapOp set -pass pass12345 -crypto all -pType KRB5_NT_PRINCIPAL -kvno 0
Where MWS_Kerberos_User is the keytab file, Bob is a user, and SPARTA.RNDLAB.LOC is the fully qualified domain name of the AD server.
3. Copy the new keytab file to any directory on the machine where My webMethods Server is installed.
4. Verify that the keytab file is created correctly by executing the following Java command from <JAVA_INSTALL>/jre/bin:
kinit -J-Dsun.security.krb5.debug=true -k -t <Keytab_file_absolute_path> HTTP/<FQDN_of_Active_Directory_Server>
Copyright © 2004-2017 Software AG, Darmstadt, Germany. (Innovation Release)
