The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket.
The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.
Assumptions
For the purpose of this example, assume the following:
KDC is a Microsoft Windows 2000 Active Directory Server
Windows domain name is IT.CUSTOMER.DE
Fully qualified host name of the AS Java is hades.customer.de
AS Java has an additional alias su3x24.customer.de
Create a service user jee-jd1-hades.
Enable the Password Never Expires option for this user.
In the options for the user account, make sure the option Use DES encryption types for this account is deselected (it is deselected by default).
Register service principal names (SPNs) for the service user jee-jd1-hades for the AS Java host name and all aliases. Make sure the SPNs are unique.
This is done with the following command line:
setspn -A HTTP/hades.customer.de jee-jd1-hades
setspn -A HTTP/su3x24.customer.de jee-jd1-hades
In this case both aliases hades.customer.de and su3x24.customer.de are registered as SPNs and associated with the AS Java service user on the Windows DC.
To check the result of the configuration, enter the following command line for each SPN you registered:
ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf
The output of this command (out.ldf) is one entry, which points to the previously created service user (jee-jd1-hades).
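Added here as a worked example (it is not part of the SAP documentation and not code shipped with the AS Java): a small Python checker for the out.ldf file that ldifde writes. It parses the LDIF, confirms that the query returned exactly one entry, that the entry belongs to jee-jd1-hades, and that both registered SPNs are present on it. It also goes one step beyond the single-SPN query in the text: find_duplicate_spns() scans a wider export (for example one produced with ldifde -r servicePrincipalName=HTTP/* -f all.ldf, an assumed command) for SPNs registered on more than one account, which is the uniqueness requirement from the registration step. The LDIF embedded in the block is constructed sample data; the computer account OLDAPPSRV in the second sample is an invented duplicate owner used to show what a violation looks like.

```python
"""Verify an ldifde export of service principal names (SPNs).

Parses the LDIF produced by a command such as
    ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf
and checks that the result is one entry owned by the expected service
user that carries the expected SPNs.  A second helper looks for SPNs
registered on more than one account: if that happens, the KDC can
encrypt the service ticket with the wrong account's key and Kerberos
authentication to the service fails.
"""
import base64
from collections import defaultdict

# Constructed sample of what ldifde writes to out.ldf; not real directory data.
# It deliberately contains a folded line (continuation starts with one space)
# and a base64 value ("description::"), both of which ldifde emits.
SAMPLE_OUT_LDF = """\
dn: CN=jee-jd1-hades,CN=Users,DC=IT,DC=CUSTOMER,DC=DE
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: jee-jd1-hades
sAMAccountName: jee-jd1-hades
userPrincipalName: jee-jd1-hades@IT.CUSTOMER.DE
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.custom
 er.de
description:: QVMgSmF2YSBTUE5lZ28gc2VydmljZSB1c2Vy
"""

# Constructed wider export (e.g. a query for all HTTP/* SPNs) in which an
# assumed computer account OLDAPPSRV still carries one of our SPNs.
SAMPLE_WIDE_LDF = SAMPLE_OUT_LDF + """
dn: CN=OLDAPPSRV,CN=Computers,DC=IT,DC=CUSTOMER,DC=DE
changetype: add
sAMAccountName: OLDAPPSRV$
servicePrincipalName: HOST/oldappsrv.customer.de
servicePrincipalName: HTTP/su3x24.customer.de
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict attr -> list of values.

    Handles folded lines and base64 values.  Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):            # LDIF comment
            continue
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(dict(current))
                current = None
            continue
        if current is None:
            current = defaultdict(list)
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[name.strip().lower()].append(value)
    if current is not None:
        entries.append(dict(current))
    return entries


def verify_spn_export(ldif_text, service_user, expected_spns):
    """Return a list of problems with an out.ldf written for one SPN query.

    An empty list means the export looks as the procedure expects: exactly
    one entry, owned by service_user, carrying every SPN in expected_spns.
    """
    problems = []
    entries = parse_ldif(ldif_text)
    if len(entries) != 1:
        problems.append(f"expected exactly 1 entry, found {len(entries)}")
        return problems
    entry = entries[0]
    account = entry.get("samaccountname", [""])[0]
    if account.lower() != service_user.lower():
        problems.append(f"entry belongs to {account!r}, not {service_user!r}")
    # SPNs are compared case-insensitively, as the KDC treats them.
    have = {spn.lower() for spn in entry.get("serviceprincipalname", [])}
    for spn in expected_spns:
        if spn.lower() not in have:
            problems.append(f"SPN {spn} is missing on {account}")
    return problems


def find_duplicate_spns(ldif_text):
    """Map each SPN registered on more than one account to those accounts."""
    owners = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        account = entry.get("samaccountname", entry["dn"])[0]
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    problems = verify_spn_export(SAMPLE_OUT_LDF, "jee-jd1-hades",
                                 ["HTTP/hades.customer.de", "HTTP/su3x24.customer.de"])
    print("out.ldf OK" if not problems else "\n".join(problems))
    for spn, accounts in find_duplicate_spns(SAMPLE_WIDE_LDF).items():
        print(f"duplicate SPN {spn}: {', '.join(accounts)}")
```

Run against a real out.ldf by reading the file into verify_spn_export() in place of SAMPLE_OUT_LDF. Because ldifde can write UTF-16 on some systems, open the file with the encoding the tool used (the default on Windows 2000 is ANSI; newer versions offer -u for Unicode).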