Setting up the Windows Server and Active Directory
Use this procedure to configure Active Directory (the KDC) for Integrated Windows Authentication using the RC4 encryption algorithm. The same procedure applies if you replace RC4 with another encryption algorithm of your choice.
1. In the Active Directory management console:
a. To enable RC4 Kerberos encryption, ensure that no encryption type is selected in the account properties of the OneData users.
b. Create a new client user group.
This is the unique client user group assigned to the OneData users who need to log in to OneData using SSO with Kerberos authentication.
c. Add the OneData users to the client user group.
Tip: The name of the client user role should be the same as the name configured in the OneData web.xml security constraint.
d. Create a new server user.
This user connects to the Key Distribution Center (KDC) from the Windows Server.
2. On the Windows Server machine, create a keytab file and a Service Principal Name (SPN) for the machine where OneData is installed as follows:
ktpass -out <Keytab_File_Name>.keytab -princ HTTP/<FQDN_of_OneData_Server_Machine>@<Domain_Name> -mapUser <Server_Username>@<Domain_Name> -mapOp set -pass <Server_User_Password> -crypto all -ptype KRB5_NT_PRINCIPAL -kvno 0
Note: Ensure that you only create one SPN for each user.
Example:
ktpass -out SERVER_USER.keytab -princ HTTP/MCSERVER.DEV.RNDLAB.LOC@DEV.RNDLAB.LOC -mapUser SERVER_USER@DEV.RNDLAB.LOC -mapOp set -pass SERVER_USERPASS -crypto all -ptype KRB5_NT_PRINCIPAL -kvno 0
3. Copy the keytab file to any preferred location on the Windows machine where OneData is installed.
Tip: Make note of the absolute path of the keytab file location.
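The following PowerShell script is an added example, not part of the OneData documentation or product, that walks through steps 1 to 3 above on the Windows Server: it reports any member of the client user group whose account still has an AES encryption type selected (step 1a), checks that the HTTP SPN is not already registered before running ktpass and confirms that the server user ends up with exactly one SPN (step 2 and its Note), and records the absolute keytab path (step 3). It assumes the ActiveDirectory module (RSAT), ktpass and setspn are available and that it runs with domain administrator rights; the group, user, host and path names are placeholders taken from the example above. It departs from the page in one detail: it passes `-pass *` so ktpass prompts for the server user's password instead of placing it on the command line, and it restricts the keytab file's ACL after creation, since the keytab holds the service key.

```powershell
# Added example (not OneData's own code): helper for steps 1-3 of the procedure above.
# Assumes RSAT ActiveDirectory module, ktpass.exe and setspn.exe; run as a domain admin.
param(
    [string]$ClientGroup = 'OneDataClientUsers',             # placeholder, step 1b/1c
    [string]$ServerUser  = 'SERVER_USER',                    # placeholder, step 1d
    [string]$OneDataFqdn = 'MCSERVER.DEV.RNDLAB.LOC',        # placeholder, step 2
    [string]$Realm       = 'DEV.RNDLAB.LOC',                 # placeholder, step 2
    [string]$KeytabPath  = 'C:\keytabs\SERVER_USER.keytab'   # placeholder, step 3
)
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute (documented by Microsoft).
$AES128 = 0x08
$AES256 = 0x10

# Step 1a: list group members that still have an AES type selected in account properties.
# An empty attribute (0) means "no encryption type selected", which is what the procedure requires.
function Get-UsersWithAesSelected {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties 'msDS-SupportedEncryptionTypes'
            $enc = [int]($u.'msDS-SupportedEncryptionTypes')   # $null casts to 0
            if ($enc -band ($AES128 -bor $AES256)) { $u.SamAccountName }
        }
}

$aesUsers = @(Get-UsersWithAesSelected -Group $ClientGroup)
if ($aesUsers.Count -gt 0) {
    Write-Warning "Step 1a: these users in '$ClientGroup' still have an AES type selected: $($aesUsers -join ', ')"
}

# Step 2: refuse to continue if the SPN is already registered to some account.
# setspn -Q prints 'Existing SPN found!' when the SPN exists anywhere in the forest.
$spn = "HTTP/$OneDataFqdn"
$query = & setspn -Q $spn 2>&1
if ($query -match 'Existing SPN found') {
    throw "Step 2: '$spn' is already registered. Remove the duplicate before running ktpass:`n$($query -join "`n")"
}

# Create the keytab and map the SPN to the server user. '-pass *' makes ktpass prompt for the
# password instead of exposing it on the command line (a change from the page's example).
$keytabDir = Split-Path -Parent $KeytabPath
if (-not (Test-Path $keytabDir)) { New-Item -ItemType Directory -Path $keytabDir | Out-Null }
& ktpass -out $KeytabPath -princ "$spn@$Realm" -mapUser "$ServerUser@$Realm" `
         -mapOp set -pass * -crypto all -ptype KRB5_NT_PRINCIPAL -kvno 0
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Note under step 2: the server user must carry exactly one SPN.
$registered = @((Get-ADUser -Identity $ServerUser -Properties ServicePrincipalName).ServicePrincipalName)
if ($registered.Count -ne 1 -or $registered[0] -ne $spn) {
    Write-Warning "Step 2: '$ServerUser' has $($registered.Count) SPN(s): $($registered -join ', ') (expected only $spn)"
}

# The keytab is a credential: keep it readable by administrators only.
& icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'NT AUTHORITY\SYSTEM:(R)' | Out-Null

# Step 3: record the absolute path that the OneData configuration will need.
$absolute = (Resolve-Path $KeytabPath).Path
Write-Host "Keytab created at: $absolute"
```

Run it once from an elevated PowerShell on the Windows Server, passing your own group, user, FQDN, realm and keytab path as parameters; the warnings it prints are the checks the procedure's Tip and Note ask you to make by hand. If the keytab must end up on a different machine from the one where it was generated, copy it to that machine afterwards and note the absolute path there (step 3).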