Versions Compared

Old Version 13

changes.mady.by.user user-78f34

Saved on

compared with

New Version 14

changes.mady.by.user user-78f34

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Kerberos is a method that let you identify to other services with your windows logon. Having configured LDAP and Kerberos you can achieve Single Sign On which means, that custo diagnostic will automatically use the user that is logged on to Windows for authentication and the user does not need to enter any passwords.

Kerberos lets you automatically login to the custo manager with you windows user if your user has a valid LDAP mapping. To do this you need to configure LDAP first.

It involves configuring Tomcat (the application server that hosts the custo diagnostic server), so we use Tomcat as a synonym for custo diagnostic server at this place. Most of this manual is copied from https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html


Steps to configure the Kerberos System:

...

E.g. In our Example we used the following names:


Example used
WindowsWINS-DomainYOURDOMAINXY-HOSPITAL
DNS Domainyourdomainxy-hospital.dexy
Kerberos User:

custoKerberos

PW secretPW!

Servernametstsrv01-2016
Domain Controllertstdc01


General Information

Kerberos (the basis for integrated Windows authentication) requires careful configuration. If the steps in this guide are followed exactly, then a working configuration will result. It is important that the steps below are followed exactly. There is very little scope for flexibility in the configuration. From the testing to date it is known that:

  • The host name used to access the Tomcat server must match the host name in the SPN exactly else authentication will fail. A checksum error may be reported in the debug logs in this case.
  • The SPN must be HTTP/<hostname> and it must be exactly the same in all the places it is used.
  • The port number must not be included in the SPN.
  • No more than one SPN may be mapped to a domain user.


Create Domain User for Apache Tomcat

...

This step has to be done by the domain administrator.

Watch out:  Some entries are CASE SENSITIVE! 

Please use the following command to create the keytab-file. 

ktpass -princ HTTP/tstsrv01tst2srv01-2016.yourdomain.de@YOURDOMAIN.DE
       xy-hospital.xy@XY-HOSPITAL.XY 
-mapuser custoKerberos@yourdomaincustoKerberos@xy-hospital.dexy 
-crypto rc4-hmac-nt
       -ptype KRB5_NT_PRINCIPAL 
-pass secretPW!
       custo -out "C:\Program Files\custo diagnostic server\conf\tomcat.keytab"

This command:

  • links the service principal name "HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY"   to your custoKerberos-User (and defines the authentication/crypto way)
  • stores the private key in tomcat.keytab file

This file contains the Tomcat private key for the service provider. To generate the file, run the following command as a domain administrator (all on a single line). You can do this step on the server where tomcat runs on.

...

Watch out:  Some entries are CASE SENSITIVE!  Some Path-Names need forward-slashes!

We attached the file to download it for you. Please do not use copy/paste from the code below - use the files attached to this website.

Replace / Edit krb5.ini and jaas.conf file, located in your ...\custo diagnostic server\conf Directory

...

Code Block
[libdefaults]
  debug = true
  default_realm = YOURDOMAINXY-HOSPITAL.DEXY
  dns_lookup_kdc = false
  default_keytab_name = FILE:C:\Program Files\custo diagnostic server\conf\tomcat.keytab
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
 

[realms]
  YOURDOMAINXY-HOSPITAL.DEXY = {
    #
    # Specify your Domain Controller here
    kdc = tstdc01tst2dc01.yourdomainxy-hospital.dexy
    admin_server = tstdc01tst2dc01.yourdomainxy-hospital.dexy
    default_domain = yourdomainxy-hospital.dexy
} 



[domain_realm]

.yourdomainxy-hospital.dexy = YOURDOMAIN.DEXY-HOSPITAL.XY

 

[login]
krb4_convert = true
krb4_get_tickets = false


jaas.conf

We attached the file to download it for you. Please do not use copy/paste from the code below - use the files attached to this website.

Code Block
# Attention!
# principal Name must be IDENTICAL (case sensitive) to the principal Name used with ktpass
# Be aware of forward slahes in file Name
# 2020-02-04, FHo

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tst2srv01-2016.yourdomain.de@YOURDOMAIN.DExy-hospital.xy@XY-HOSPITAL.XY"
    useKeyTab=true
    keyTab="C:/Program Files/custo diagnostic server/conf/tomcat.keytab"
    storeKey=true;
};

 

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tst2srv01-2016.yourdomain.de@YOURDOMAIN.DExy-hospital.xy@XY-HOSPITAL.XY"
    useKeyTab=true
    keyTab="C:/Program Files/custo diagnostic server/conf/tomcat.keytab"
    storeKey=true;
};

Kerberos

Kerberos lets you automatically login to the custo manager with you windows user if your user has a valid LDAP mapping. To do this you need to configure LDAP first.

...


Kerberos
...
  • The domain name (DEV.LOCAL) is not case sensitive when used in the ktpass command, nor when used in jaas.conf
  • The domain must be specified when using the ktpass command
...