
Configuring KDCs for Legacy Mode

Procedure

  1. Create a service user to identify the AS Java instance on the KDC.

    Choose a naming convention for these users to help you identify them with their corresponding AS Java instances.

    Example

    If your instance is called JD1 and this instance resides on a host named hades, name the service user jee-jd1-hades.

    The service user represents an AS Java instance running on a specific host and must meet the following requirements:

    • The password of the service user must never expire.

      Recommendation

      Choose a strong password for the service user. For example, use a minimum length of 12 characters, with at least one digit, one special character, and one uppercase letter.

    • Enable Data Encryption Standard (DES) for this account.

  2. Register a Service Principal Name (SPN) for the fully qualified host name and each of the DNS aliases that you use to access the AS Java.

    Note

    When using a reverse proxy or an application-level gateway to access the AS Java, add an SPN for the physical host name and each DNS alias of the reverse proxy or application-level gateway. For this scenario, the Web client procures a Kerberos ticket from the KDC for the reverse proxy or application-level gateway host and not for the AS Java host.
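
The following script is an added example, not part of the original documentation. It carries out steps 1 and 2 under the assumption that the KDC is a Microsoft Active Directory domain controller with the ActiveDirectory PowerShell module available; the OU path, host names, and the HTTP service class are assumptions, and all values are constructed.

```powershell
# Added example. Assumes the KDC is an Active Directory domain controller and
# the ActiveDirectory module (RSAT) is available. All values are constructed.
Import-Module ActiveDirectory

$Account = 'jee-jd1-hades'                          # naming convention from step 1
$OuPath  = 'OU=ServiceAccounts,DC=example,DC=com'   # hypothetical OU
# Hosts that clients put in the URL: the FQDN plus every DNS alias. Behind a
# reverse proxy or gateway, list the proxy's host name and aliases instead.
$Hosts   = @('hades.example.com', 'portal.example.com')   # hypothetical names

# Step 1: create the service user (it stays disabled until it has a password).
New-ADUser -Name $Account -SamAccountName $Account -Path $OuPath `
    -PasswordNeverExpires $true -Description 'AS Java JD1 on hades'

# Enable DES on the account, then set the password and enable the account.
Set-ADAccountControl -Identity $Account -UseDESKeyOnly $true
$Password = Read-Host -AsSecureString "Password for $Account (12+ chars, digit, special, uppercase)"
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $Password
Enable-ADAccount -Identity $Account

# Step 2: register one SPN per host name. The HTTP service class is an
# assumption (it is what browsers request for Kerberos web authentication).
foreach ($Name in $Hosts) {
    $Spn   = "HTTP/$Name"
    $Owner = Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName
    if ($Owner) {
        # An SPN must map to exactly one account; a duplicate breaks ticket issuance.
        Write-Warning "$Spn already registered on $($Owner.sAMAccountName); skipped"
        continue
    }
    Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn }
}

# Check the result against the requirements in step 1 and step 2.
Get-ADUser -Identity $Account -Properties ServicePrincipalNames, PasswordNeverExpires, UseDESKeyOnly |
    Format-List SamAccountName, Enabled, PasswordNeverExpires, UseDESKeyOnly, ServicePrincipalNames
```

DES Kerberos encryption types are disabled by default from Windows 7 and Windows Server 2008 R2 onward, so an account configured this way authenticates only where domain policy still permits DES.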