
Configuring Key Distribution Centers

Context

The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket.

Procedure

  1. Create a service user to identify the AS Java instance on the KDC.

    Choose a naming convention for these users to help you identify them with their corresponding AS Java instances.

    For example, if your instance is called JD1 and this instance resides on a host named hades, name the service user jee-jd1-hades.

    The service user represents an AS Java instance running on a specific host and must meet the following requirements:

    • The password of the service user must never expire.

      Recommendation

      Choose a strong password for the service user. For example, use a minimum length of 12 characters, with at least one digit, one special character, and one uppercase letter.

    • Disable Data Encryption Standard (DES) for this account.

  2. Register a Service Principal Name (SPN) for the fully qualified host name and for each DNS alias that you use to access the AS Java.

    Note

    When using a reverse proxy or an application-level gateway to access the AS Java, add an SPN for the physical host name and each DNS alias of the reverse proxy or application-level gateway. For this scenario, the Web client procures a Kerberos ticket from the KDC for the reverse proxy or application-level gateway host and not for the AS Java host.

Example

The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) as its user store.

Assumptions

For the purpose of this example, assume the following:

  • KDC is a Microsoft Windows 2000 Active Directory Server

  • Windows domain name is IT.CUSTOMER.DE

  • Fully qualified host name of the AS Java is hades.customer.de

  • AS Java has an additional alias su3x24.customer.de

Configuration Steps on the DC

  1. Create a service user jee-jd1-hades.

  2. Enable the Password Never Expires option for this user.

  3. In the options for the user account, make sure the option Use DES encryption types for this account is deselected (it is deselected by default).

  4. Register service principal names (SPNs) for the service user jee-jd1-hades for the AS Java host name and all aliases. Make sure the SPNs are unique.

    Register them with the following command lines:

    setspn -A HTTP/hades.customer.de jee-jd1-hades

    setspn -A HTTP/su3x24.customer.de jee-jd1-hades

    In this case both names, hades.customer.de and su3x24.customer.de, are registered as SPNs and associated with the AS Java service user on the Windows DC.

    To check the result of the configuration, enter the following command line for each SPN you registered:

    ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf

    The output of this command (out.ldf) is one entry, which points to the previously created service user (jee-jd1-hades). If the file contains more than one entry, the SPN is registered on more than one account and is not unique.
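    The following added example (not part of the SAP documentation) automates the check described above: it parses an out.ldf file and verifies that the SPN resolves to exactly one account, that this account is the service user, and that its userAccountControl flags match steps 2 and 3 (password never expires, DES not enabled). The LDIF content and the account names are constructed for the example; the two userAccountControl bit values are the standard Windows flag values.

```python
import base64

# Constructed sample of an "ldifde -r ... -f out.ldf" export for the page's
# service user (not real output). 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_OUT_LDF = """\
dn: CN=jee-jd1-hades,CN=Users,DC=it,DC=customer,DC=de
sAMAccountName: jee-jd1-hades
userAccountControl: 66048
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.customer.de
"""
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit set by "Password Never Expires"
USE_DES_KEY_ONLY = 0x200000     # userAccountControl bit set by "Use DES encryption types"

def parse_ldif(text):
    """Return LDIF entries as dicts {attribute name (lower-cased): [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto lines that start with a space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")  # "attr:: x" means base64 (ldifde uses it for binary values)
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace") if value.startswith(":") else value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def check_spn(ldif_text, spn, service_user):
    """Return (ok, problems): ok only if exactly one account holds spn, it is service_user, its password never expires and DES-only encryption is off."""
    problems = []
    holders = [e for e in parse_ldif(ldif_text) if spn.lower() in map(str.lower, e.get("serviceprincipalname", []))]
    if len(holders) != 1:
        problems.append(f"{spn}: held by {len(holders)} accounts, expected exactly 1")
    for entry in holders:
        account = entry.get("samaccountname", ["<unknown>"])[0]
        uac = int(entry.get("useraccountcontrol", ["0"])[0])
        if account.lower() != service_user.lower():
            problems.append(f"{spn}: registered to {account}, not {service_user}")
        if not uac & DONT_EXPIRE_PASSWORD:
            problems.append(f"{account}: password is allowed to expire")
        if uac & USE_DES_KEY_ONLY:
            problems.append(f"{account}: DES-only encryption is enabled")
    return not problems, problems
```

    Run check_spn once per registered SPN with the contents of the out.ldf that ldifde wrote for that SPN; an empty problem list means the entry matches the expected result described above.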