Manage Kerberos Configuration
The Manage Kerberos Configuration task displays information about your Windows Domain Login configuration (Kerberos). Use it to install a Kerberos keytab file and to verify your Kerberos configuration. Refer to the diagram in Configure the Gateway for Kerberos Token-Based Authentication to see where this task fits within the configuration workflow.
To manage Kerberos configuration:
- In the Policy Manager, select [Tasks] > Manage Kerberos Configuration from the Main Menu (on the browser client, from the Manage menu). The Kerberos Configuration dialog appears.
- The following table describes each setting and control in the Kerberos Configuration dialog.

  Valid
    Displays the status of the keytab:
    - Yes = a valid keytab file has been loaded
    - No = no valid keytab file has been loaded
    - "–" = a keytab file has been loaded, but has not been validated

  Summary
    Summarizes the state of your Kerberos configuration. The message is one of:
    - Keytab file not present
    - Keytab file is invalid
    - Authentication failed
    - Authentication successful
    - Checking configuration...
    - Updating configuration...

  Automatically Validate Keytab
    Select this check box to validate the keytab principal against the corresponding KDC. This validation occurs automatically whenever:
    - the Kerberos Configuration dialog is displayed
    - a new keytab is loaded
    Clear this check box to skip automatic validation. In that case, no validation status or summary is displayed until you click [Validate Keytab].

  Keytab details:

  KDC
    Key Distribution Center
  Realm
    Identifier for the secured network (the Kerberos realm)
  Principal Name
    Service (Gateway cluster) identifier
  Date
    Keytab date, if available
  Version
    Keytab version number (kvno), 1-X
  Encryption
    Keytab encryption algorithms (rc4-hmac, des-cbc-md5, etc.). Note that des-cbc-md5 and rc4-hmac are deprecated Kerberos encryption types (RFC 6649 and RFC 8429); generate the keytab with AES encryption types where the domain supports them.

  Keytab configuration controls:

  [Load Keytab]
    Loads a keytab file directly into the Gateway database. Select the keytab file to upload, then click [OK] to confirm. If automatic validation is enabled, the keytab is validated on loading; otherwise, click [Validate Keytab] to trigger a validation.
    For information on how to create the keytab file, see Using the Gateway in Windows Domain Login. If you are working with multiple principals, ensure that you select a keytab that has been configured with multiple principals.
    Keep a backup of the keytab file: it cannot be downloaded once uploaded. Loading a keytab file here overwrites any existing keytab file.

  [Delete Keytab]
    Removes the loaded keytab file. Because deleting a keytab file is permanent and may have consequences, you must confirm by first selecting the "To enable [OK] ..." check box before you can click [OK].
    If you are simply replacing the keytab file with another one, use [Load Keytab]; you do not need to delete the old keytab first.

  [Validate Keytab]
    Validates the keytab against the corresponding KDC. The results are displayed in the Summary field above. If the keytab is invalid, a message is displayed. You do not need to click [Validate Keytab] if the Automatically Validate Keytab check box is selected.

- Click [Close] when done.
About the Default Realm and the krb5.conf File
When you load a keytab using the Manage Kerberos Configuration task, the Gateway automatically generates a krb5.conf file and places it in the following directory:
/opt/SecureSpan/Gateway/node/default/var
The Gateway uses the realm of the first service principal in the keytab file as the default realm. For example, suppose a keytab file contains the following service principals:
KVNO Principal
---- ------------------------------------
   2 http/machine1.acmecorp.com@ACMECORP.COM
   4 http/machine3.abccorp.sup@ABCCORP.SUP
   3 http/machine4.sup.widgetcorp.sup@SUP.WIDGETCORP.SUP
Based on this example, "ACMECORP.COM" is listed as the default realm in the krb5.conf file.
Notes:
(1) You may edit the krb5.conf file manually if necessary.
(2) The cluster property kerberos.krb5Config.overwrite controls whether the Gateway overwrites an existing krb5.conf file during Kerberos configuration.
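The keytab details the dialog reads (realm, principal name, kvno, encryption type) and the default-realm rule above can be checked offline before you upload anything, which matters because the file cannot be downloaded again and entry order decides the default realm. The following Python script is an added example, not the Gateway's code: it serialises and parses an MIT-format (0x0502) keytab, lists the entries in the KVNO/Principal layout shown above, and renders a minimal krb5.conf that takes default_realm from the first entry. The principals are the three from the example; the keys, timestamps and KDC hostnames (dc1.…) are constructed placeholders, and the krb5.conf layout is an illustration, not the exact file the Gateway generates.

```python
"""Added example (not the Gateway's code): build and parse an MIT keytab
(version 0x0502), then derive default_realm the way the page describes:
the realm of the FIRST principal in the file.  Keys, timestamps and KDC
hostnames below are constructed placeholders."""
import struct

# MIT enctype numbers and the names klist prints for them
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed sample: the three principals from the page, with dummy keys.
SAMPLE_ENTRIES = [
    ("http/machine1.acmecorp.com@ACMECORP.COM", 2, 23, b"\x11" * 16),
    ("http/machine3.abccorp.sup@ABCCORP.SUP", 4, 18, b"\x22" * 32),
    ("http/machine4.sup.widgetcorp.sup@SUP.WIDGETCORP.SUP", 3, 3, b"\x33" * 8),
]
# Constructed KDC hostnames (assumption, not from the page).
KDC_BY_REALM = {"ACMECORP.COM": "dc1.acmecorp.com",
                "ABCCORP.SUP": "dc1.abccorp.sup",
                "SUP.WIDGETCORP.SUP": "dc1.sup.widgetcorp.sup"}


def _counted(b: bytes) -> bytes:
    """MIT counted_octet_string: uint16 big-endian length followed by bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a v2 MIT keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body       # entry length prefix
    return out


class _Reader:
    """Cursor over the keytab bytes."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_keytab(data: bytes):
    """Return entry dicts in file order; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        (size,) = r.unpack(">i")
        if size < 0:
            r.pos += -size
            continue
        end = r.pos + size
        (ncomp,) = r.unpack(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = r.unpack(">IIB")
        enctype, klen = r.unpack(">HH")
        key = r.data[r.pos:r.pos + klen]
        r.pos += klen
        kvno = vno8
        if end - r.pos >= 4:          # 32-bit vno present; non-zero overrides vno8
            (vno32,) = r.unpack(">I")
            kvno = vno32 or vno8
        r.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "kvno": kvno, "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "timestamp": timestamp, "key_len": len(key)})
    return entries


def default_realm(entries) -> str:
    """The Gateway takes the realm of the first principal in the keytab."""
    return entries[0]["realm"]


def render_krb5_conf(entries, kdc_by_realm) -> str:
    """Minimal krb5.conf: default_realm from the first entry, one [realms]
    stanza per distinct realm in keytab order (illustrative layout only)."""
    realms = list(dict.fromkeys(e["realm"] for e in entries))
    lines = ["[libdefaults]", f"  default_realm = {default_realm(entries)}", "", "[realms]"]
    for realm in realms:
        lines += [f"  {realm} = {{", f"    kdc = {kdc_by_realm.get(realm, '<kdc>')}", "  }"]
    return "\n".join(lines) + "\n"


def klist_lines(entries):
    """Rows in the 'KVNO Principal' layout used on the page."""
    return [f"{e['kvno']:4d} {e['principal']} ({e['enctype']})" for e in entries]


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print("\n".join(klist_lines(parsed)))
    print(render_krb5_conf(parsed, KDC_BY_REALM))
```

To inspect a real keytab, replace `build_keytab(SAMPLE_ENTRIES)` with the bytes read from the file. Checking the entry order before you click [Load Keytab] tells you which realm the Gateway will choose as default_realm, and the enctype column shows whether deprecated rc4-hmac or DES keys are still present.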