This video is going to explain how to configure Atrium SSO to leverage Kerberos. My name is John Stamps from the BMC Documentation team. In the next few slides we are going to see how to integrate Atrium SSO with Kerberos authentication.

So what is the advantage of Kerberos authentication? Most corporations have their corporate domains, and users log into the domains. So the Kerberos integration gives them seamless access to AR System applications without entering any user ID and password. So once you log into the computer, into the corporate domain, then they can access the Remedy application without entering a user ID and password.
But what does Kerberos authentication consist of? There are four simple steps that are needed:

1. Create a user account in the Active Directory domain for Atrium SSO.
2. Generate a keytab file.
3. Define a Kerberos module image in Atrium SSO.
4. Make some changes on the user browser sessions.

Let's go ahead one by one and see how we would do this.
So in step one, what we do is basically log into the Active Directory domain server and then create an account for the Atrium SSO service. So in this example we use the computer name as the login name. So in this dialog box, enter the details here and make sure the user login name follows this syntax: HTTP/ (slash), then the name, which is whatever you choose as the domain name. Then enter the password for that user, and make sure that you check those boxes, Password never expires and User cannot change password, and then, in the next box, click Finish. This basically creates a user account for the Atrium SSO server. So this is the first step in setting up Kerberos.
Once you've done this, step two is creating the keytab file, which will be used in the Atrium SSO Kerberos module definition. So in the keytab, what we're using here are two of the parameters that we created earlier: mapuser, that is the SSO server user name that you created in Active Directory, and the principal name, which is the logon name. And enter your password; the rest of the data will be the same. And the target is your domain name, and make sure that you enter a complete domain name in the user principal mapping. After this you hit Enter. That will create the keytab file in the folder you specified, and then the next step is to copy the keytab file onto the Atrium SSO server machine. So you're halfway through the Kerberos integration, basically.
Step three is defining the Kerberos module in the Atrium SSO server. So access the Atrium SSO admin console by using the administrator user ID and password. Once you log in, you'll get to this screen where you can see all this important information, like the agent and the load balancer information. On this screen, click the Edit BMC Realm button on the left-hand side. That will bring us to this particular screen. There is one important thing to remember: the user profile, you have to make it Dynamic. What this means is whenever the user doesn't exist in Atrium SSO, it's going to create that user on the fly, so Kerberos is not going to check for the existence of the user.

So click on the Kerberos button from the drop-down. Then you'll get to this screen where you enter all your Service Principal Name, which is nothing but the user login name that we specified while creating the Active Directory user, and the keytab file, which is the one that we copied from the Active Directory machine. And the Kerberos Realm is nothing but your domain name, and the KDC Server Name is your Active Directory server name. So once you specify these parameters and hit Save, the system does the validation. That means it will check whether the service principal name you entered matches the keytab file or not. If it does match, then it will save the definition; otherwise, it will return an error message. So once you save it, this is what it will look like: you already have a Kerberos module, and we are saying that it is a required authentication module. That means every user has to satisfy this requirement. If they don't, they cannot access the AR application.
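As an added illustration (not BMC's code and not part of the video), the following Python reads an MIT-format keytab, like the one ktpass writes in step two, and performs the same kind of check the Save validation in step three does: whether the Service Principal Name and realm you typed into the module actually appear in the keytab, and with which encryption type. The principal, realm and key bytes are constructed sample values; the KDC, server and realm names in your environment will differ.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab format version written by ktpass and ktutil

def build_keytab(entries):
    """Build a keytab from (principal, realm, enctype, key) tuples.
    Only used here to construct sample data; real files come from ktpass."""
    out = KEYTAB_VERSION
    for principal, realm, enctype, key in entries:
        comps = principal.split("/")            # e.g. HTTP/host -> ["HTTP", "host"]
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, 3)     # name type, timestamp, key version (vno8)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal@REALM, enctype), ...] for every live entry in the keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        e = data[pos:pos + size]
        ncomp, rlen = struct.unpack(">HH", e[:4]); p = 4
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        p += 9                                   # skip name type (4), timestamp (4), vno8 (1)
        (enctype,) = struct.unpack(">H", e[p:p + 2])
        entries.append(("/".join(comps) + "@" + realm, enctype))
        pos += size
    return entries

def spn_matches(keytab, spn, realm):
    """True if the keytab holds spn@REALM; the comparison is case-sensitive, as the KDC's is."""
    return any(p == f"{spn}@{realm}" for p, _ in parse_keytab(keytab))

# Constructed sample: SPN HTTP/ssoserver.example.com in realm EXAMPLE.COM, enctype 23 (RC4-HMAC)
SAMPLE = build_keytab([("HTTP/ssoserver.example.com", "EXAMPLE.COM", 23, b"\x11" * 16)])
```

The enctype column is what to look at when the module saves but logins still fail: a keytab generated with an encryption type the Java Kerberos stack on the SSO server does not handle is the mismatch the end of the video warns about.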
The final step is user browser configuration. Now for this testing we're using a test account called SSO Test to log into the domain. And once you log into the domain, you have to make some changes to your Internet Explorer. So basically open Internet Explorer, click on the Options, click on the Security tab, select Local intranet, and click on the Advanced button. There you add the SSO server name to the websites. Now this is the first step of browser configuration. The second configuration we need to make is to click on Custom level at the Local intranet zone, and in the Security Settings window select Automatic logon only in Intranet zone. These are the two major configuration settings you need to do on every user browser. Your corporation or your company might have an IT policy where they can push the changes across all the users, so you may want to check with your IT department to push these changes so that every user is automatically configured for Kerberos authentication.
Once you've done this, open the browser and enter the URL. This is basically the Mid Tier server name with the port number; if you don't have a port number, you don't have to enter it to access the application. And once you do that, the next screen will show you that it's getting loaded automatically without any challenge mechanism. This means that we've done the Kerberos authentication seamlessly: the SSO server verified that your ticket is valid and you are allowed to access the application. Based upon your permissions defined in the AR System, you'll get access to all the applications that you are eligible to run. Now on our system here I have only a basic installation, so I see only a few products here. Right now we're going to access the Class Manager just to show you that you can access the application based upon your permissions. So this is it. These four simple steps will allow you to seamlessly log into SSO and access the applications, that is, the Remedy applications directly.
Now as you see in this slide demonstration, the Kerberos definition and integration is not much of a huge task from the Atrium SSO point of view. But most of the issues you might see are where the Kerberos is generated with a different authentication, well, a different encryption basically, and Java cannot handle it. So most of the issues are between the Kerberos system and the Windows security policies, and also the way Internet Explorer does the NTLM work of Kerberos authentication. Eighty percent of the time the Kerberos definitions will work as is, but sometimes you may run into some issues which are specific to your environment. So in those cases, contact BMC Support and we will be glad to help you.

Thank you for watching this video!