...
- Create a normal domain user, "custoKerberos" in our example, which Apache Tomcat uses to authenticate for Kerberos. This has to be done by a domain administrator of the customer.
- Create a keytab-file. This file binds the Apache Tomcat service ("Service Principal Name") to the user created above. This has to be done by a domain administrator of the customer.
- Configure Apache Tomcat to use the Kerberos configuration.
- Enable Kerberos Identification in custo service center.
The first two steps have to be performed by a domain administrator.
Create Domain User for Apache Tomcat
...
Create a normal domain user, in our example "custoKerberos". This user does not need specific access rights, but it must be possible to authenticate/log in to the Windows domain with this user.
In our example we name the user "custoKerberos" with the password "secretPW!" (← do not use this in real life). The only membership is "Domain User". Please make sure that the password does not have to be changed and will not expire.
Create keytab-File
This step has to be done by the domain administrator.
Please use the following command to create the keytab-file.
ktpass -princ HTTP/win-tc01.yourdomain@YOURDOMAIN.DE -mapuser custoKerberos@yourdomain -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL -pass tc01pass -out c:\tomcat.keytab
Kerberos
Kerberos lets you automatically log in to the custo manager with your Windows user if your user has a valid LDAP mapping. To do this, you need to configure LDAP first.
...