KDC CONFIGURATION

The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket. The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor. However, in general you need to configure a service user.
Procedure

1. Create a service user to identify the AS Java instance on the KDC. Choose a naming convention to help you identify such users with their corresponding AS Java instances. For example, you can name the user j2ee<SID>-<host> (where <SID> is the system ID of the instance and <host> is the host where it is running).
   The service user represents an AS Java instance running on a specific host and must meet the following requirements:
   a. The password of the service user must never expire.
   b. Disable Data Encryption Standard (DES) support for this account by ensuring that the "Use DES encryption" check is not selected on the user account.
2. Register a Service Principal Name (SPN) for the fully qualified host name and each of the DNS aliases that you use to access the AS Java engine.
   When using a reverse proxy or an application-level gateway to access the AS Java, add an SPN for the physical host name and each DNS alias of the reverse proxy or application-level gateway. In this scenario, the Web client procures a Kerberos ticket from the KDC for the reverse proxy or application-level gateway host and not for the AS Java host.
Example

The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) as a user store.
Assumptions

The Windows domain name is IT.CUSTOMER.DE
The fully qualified domain name (FQDN) of the AS Java engine host is hades.customer.de
The AS Java engine has an additional alias su3x24.customer.de
The AS Java engine instance is D21
Configuration steps on the ADS

1. Create a service user named j2ee-d21-hades.
2. Select the "Password never expires" check on the user's account.
3. Make sure the "Use DES encryption" check on the user's account is not selected.
4. From the command line, execute the following commands in order to register Service Principal Names (SPNs) for the AS Java engine host name and alias to the service user j2ee-d21-hades:
   setspn -a HTTP/hades.customer.de j2ee-d21-hades
   setspn -a HTTP/su3x24.customer.de j2ee-d21-hades
   Doing so registers both the host name and the alias as SPNs of the service user in the ADS.
5. In order to check the configuration, execute the following command from the command line for every SPN that you registered:
   ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.txt
   ldifde -r serviceprincipalname=HTTP/su3x24.customer.de -f out2.txt
   Execute the command for every single SPN you registered to the service user and check the generated files. The output of each invocation must contain only one entry: the service user you created earlier, in the example j2ee-d21-hades. In other words, all SPNs must be unique.

2011/SAP AG
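As an added example (not part of the SAP document), the following Python script applies the checks from steps 2, 3 and 5 to one ldifde output file: it parses the LDIF export (including folded lines and base64 "::" values) and reports whether the SPN resolves to exactly one entry, whether that entry is the expected service user, and whether its userAccountControl has "Password never expires" set and DES-only encryption cleared. The LDIF sample, its description value and the trimmed attribute set are constructed for the example.

```python
import base64
import re
# userAccountControl bit flags as documented by Microsoft.
DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"
USE_DES_KEY_ONLY = 0x200000    # "Use DES encryption types for this account"
# Constructed sample of an "ldifde -r serviceprincipalname=... -f out.txt" export for j2ee-d21-hades (trimmed).
SAMPLE_LDIF = """\
dn: CN=j2ee-d21-hades,CN=Users,DC=it,DC=customer,DC=de
cn: j2ee-d21-hades
description:: QVMgSmF2YSBEMjE=
sAMAccountName: j2ee-d21-hades
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.cust
 omer.de
userAccountControl: 66048
"""

def parse_ldif(text):
    """Parse LDIF into entries (lowercased attribute -> list of values); unfold lines, decode '::' values."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():          # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_spn_export(text, spn, expected_user):
    """Return problems for one ldifde file; [] means the SPN is unique, on expected_user, with required settings."""
    entries = parse_ldif(text)
    if len(entries) != 1:
        return [f"{spn}: expected exactly 1 entry, found {len(entries)}"]
    entry, problems = entries[0], []
    if entry.get("samaccountname", [""])[0].lower() != expected_user.lower():
        problems.append(f"{spn}: registered to {entry.get('samaccountname')}, not {expected_user}")
    if spn.lower() not in (s.lower() for s in entry.get("serviceprincipalname", [])):
        problems.append(f"{spn}: missing from servicePrincipalName of the exported entry")
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if not uac & DONT_EXPIRE_PASSWD:
        problems.append(f"{expected_user}: password is not set to never expire")
    if uac & USE_DES_KEY_ONLY:
        problems.append(f"{expected_user}: 'Use DES encryption' is selected")
    return problems
```

Run it against each out*.txt file with the SPN that produced it; a second entry in a file means the SPN is registered to more than one account.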