Setting up Windows Server and Active Directory for Kerberos Authentication
Use the following procedure to configure Active Directory as the key distribution center (KDC) for Kerberos authentication on the Windows machine that hosts My webMethods Server.
1. Configure user accounts on Active Directory (AD). Do not select any encryption. The default encryption is RC4.
2. Create a keytab file to register the Service Principal Name (SPN) of the users. Create the keytab file using the Ktpass tool as follows:
ktpass -out <Keytab_File_Name>.keytab -princ HTTP/<FQDN_of_Active_Directory_Server>@<Domain_Name> -mapUser <FQDN_of_Active_Directory_Server>@<FQDN_of_MWS_Server_Machine> -mapop set -pass <MWS_Server_User_Password> -crypto all -ptype KRB5_NT_PRINCIPAL -kvno 0
The keytab file lists the SPN and the encrypted passwords of each My webMethods Server user configured on the KDC.
Example:
ktpass -out MWS_Kerberos_User.keytab -princ HTTP/VMHOSTNAME.SPARTA.RNDLAB.LOC@SPARTA.RNDLAB.LOC -mapUser Bob@SPARTA.RNDLAB.LOC -mapOp set -pass pass12345 -crypto all -pType KRB5_NT_PRINCIPAL -kvno 0
Where MWS_Kerberos_User is the keytab file, Bob is a user, and SPARTA.RNDLAB.LOC is the fully qualified domain name of the AD server.
3. Copy the new keytab file to any directory on the machine where My webMethods Server is installed.
4. Verify that the keytab file was created correctly by running the following Java command from <JAVA_INSTALL>/jre/bin:
kinit -J-Dsun.security.krb5.debug=true -k -t <Keytab_file_absolute_path> HTTP/<FQDN_of_Active_Directory_Server>
Copyright © 2016 Software AG, Darmstadt, Germany.
