Create a service principal name and keytab file

Create a service account in Microsoft Active Directory to support a service principal name (SPN) for IBM Lotus Connections, and then create a keytab file that the Kerberos authentication service can use to validate the tickets that Web browsers present.


Lotus Connections must be configured to use Active Directory as the user directory. See Set up federated repositories for more information. Also, do not perform this procedure until after you have populated the Profiles database. See Populating the Profiles database for more details.

A service principal name (SPN) uniquely identifies an instance of a service. Before the Kerberos authentication service can use an SPN to authenticate a service, you must register the SPN on the account object that the service instance uses to log on, and then create a keytab file that holds that account's Kerberos key. When a Web browser tries to access the service, it requests a service ticket for the SPN from the Active Directory key distribution center and sends the ticket with the access request. The application server uses the key in the keytab file to decrypt that ticket; a ticket that decrypts correctly was issued by the key distribution center, so the application server can trust the user identity that it carries. A service principal name consists of the following information:

    the service class, which for browser-based SPNEGO authentication is HTTP
    the fully qualified host name through which users access the service
    the Kerberos realm, in uppercase letters

and is specified using the following syntax:

    <service_class>/<host_name>@<REALM>

For example:

    HTTP/finance1.us.example.com@US.EXAMPLE.COM
To create a service principal name and keytab file...

  1. Kerberos requires the clocks of the involved hosts to be synchronized. If a host clock drifts from the Kerberos server clock by more than the permitted skew (five minutes by default), authentication fails. Use the domain controller as the time server and run a Windows scheduled task on the Lotus Connections servers to synchronize their time with the domain controller. For more information about how to use the domain controller as the time server, see http://support.microsoft.com/kb/816042. For more information about running a Windows scheduled task, see http://support.microsoft.com/kb/875424. For example, if finance1.us.example.com is the domain controller and the NTP time server, the TimeSyn.bat file would contain the following commands:

      w32tm /config /manualpeerlist:finance1.us.example.com,0x8 /syncfromflags:MANUAL
      net stop w32time
      net start w32time
      w32tm /resync
      

  2. Install Windows Support Tools. You must have access to these tools to run the ktpass command later in this procedure.

    Go to the following external Web site for more information: Install Windows Support Tools

  3. Log in to the Windows Domain Controller. You must know which server is the domain controller and have an administrative level user name and password.

  4. Create a new account for Lotus Connections by accessing the Active Directory Users and Computers settings.

  5. In the New Object - User window, type a user name into the User logon name field and specify the domain in the corresponding field. For example, in the User logon name field, you could add

    lcserver01

    and in the domain field, you could enter

    @us.example.com

    Click Next.

  6. Type a password for the logon name in the Password field.

  7. On the Account page, select the User cannot change password and Password never expires check boxes. By preventing the password from expiring, you avoid having to recreate the keytab file (which you do in the next step) after the password is changed. Click OK to save the new user information.

  8. Map the service principal name to the Lotus Connections user account that you created, and then generate a keytab file by running the ktpass command on the domain controller. The host in the service principal name must be the name that browsers use to reach Lotus Connections: if you have a network deployment, generate one keytab file using the IBM HTTP Server name or the virtual host name through which users access Lotus Connections features as the instance in the service principal name. Because the keytab contains the service account's key, anyone who obtains the file can impersonate the service; protect it as you would the account password. Run the ktpass command:

    ktpass -princ <SPN> -out <path_to_keytab>

    -mapuser <account_name> -mapOp set -pass <account_password>

    where you provide values for the following variables:

      <SPN>

      The Kerberos service principal name.

      <path_to_keytab>

      File path to which you want to store the generated keytab file.

      <account_name>

      The service account name.

      <account_password>

      Password associated with the service account.

    For example:

      ktpass -princ HTTP/finance1.us.example.com@US.EXAMPLE.COM -out c:\finance1.keytab 
      -mapuser lcserver01 -mapOp set -pass Passw0rd1
      

  9. Create a Kerberos configuration file named krb5.conf for the IBM WebSphere Application Server hosting Lotus Connections. If you have a network deployment, create one configuration file for each node. You do not need to create a configuration file for the deployment manager. To create a Kerberos configuration file...

    1. If Lotus Connections is installed on a different server from the one hosting the domain controller, copy the keytab file to the server on which Lotus Connections is installed.

    2. On the wsadmin command line...

        $AdminTask createKrbConfigFile 
            {    
               -krbPath <appserver>\java\jre\lib\security\krb5.conf 
               -realm <REALM> 
               -kdcHost <kdc_hostname> 
               -dns <dns_hostname> 
               -keytabPath <path_to_keytab>
            }
        

      where you provide values for the following variables:

        <appserver>

        The path to the WebSphere Application Server root. Do not specify the path to the Lotus Connections application. The krbPath parameter defines where the resulting krb5.conf configuration file is stored.

        <REALM>

        The Kerberos realm. Specify the realm in all uppercase letters.

        <kdc_hostname>

        The name of the Active Directory key distribution center host. This name is typically the domain controller server.

        <dns_hostname>

        The DNS domain of the hosts that belong to the realm, for example us.example.com. Do not specify a host name here: this value becomes the default_domain setting and the [domain_realm] mapping in the generated file.

        <path_to_keytab>

        The file path to the keytab file that you copied to this server.

      Here is a sample configuration file for the realm used in the ktpass example above:

        C:\IBM\WebSphere\AppServer\java\jre\lib\security\krb5.conf
        [libdefaults]
        	default_realm = US.EXAMPLE.COM
        	default_keytab_name = FILE:C:\finance1.keytab
        	default_tkt_enctypes = des-cbc-md5 rc4-hmac
        	default_tgs_enctypes = des-cbc-md5 rc4-hmac
        	kdc_default_options = 0x54800000
        #	forwardable  = true
        #	proxiable  = true
        #	noaddresses = true
        [realms]
        	US.EXAMPLE.COM = {
        		kdc = finance1.us.example.com:88
        		default_domain = us.example.com
        	}
        [domain_realm]
        	.us.example.com = US.EXAMPLE.COM
        
      The realm name must be identical in default_realm, the [realms] section, the [domain_realm] mapping and the service principal name; a mismatch makes the application server look up tickets for the wrong realm. The DES encryption types listed here are disabled by default on current Active Directory domain controllers and RC4 is deprecated, so where the application server's Java runtime supports it, generate the keytab with an AES type (ktpass /crypto AES256-SHA1) and list aes256-cts-hmac-sha1-96 in default_tkt_enctypes and default_tgs_enctypes instead.

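Before copying the keytab from step 8 to the application server and referencing it with -keytabPath in step 9, it is worth confirming that the file really holds a key for the expected SPN, that the key is not only a DES or RC4 key, and that no stale key version is present. The following added example (not IBM's code or part of the original page) reads the MIT keytab format that ktpass writes and performs those checks. It assumes the page's SPN and realm, treats name type 1 (KRB5_NT_PRINCIPAL, ktpass's default /ptype) as the only name type, and builds its sample keytab in memory from constructed filler key bytes rather than real key material.

```python
"""Parse an MIT-format keytab (the format ktpass writes) and check it before
deploying it to the application server. Added example; assumes the SPN from the
page and constructed key bytes, not a real keytab."""
import struct

# Kerberos encryption type numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single DES and RC4 keys: flag a keytab that offers nothing stronger.
WEAK_ENCTYPES = {1, 3, 23}

SPN = "HTTP/finance1.us.example.com@US.EXAMPLE.COM"

# Constructed sample: what a keytab holds after ktpass is run once with
# /crypto RC4-HMAC-NT and once with /crypto AES256-SHA1 at the same kvno.
# The key bytes are filler, not real key material.
SAMPLE_ENTRIES = [
    {"principal": SPN, "kvno": 3, "enctype": 23, "key": bytes(range(16))},
    {"principal": SPN, "kvno": 3, "enctype": 18, "key": bytes(range(32))},
]


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed byte string starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def build_keytab(entries, timestamp=0):
    """Serialize entries into a version 0x0502 keytab (all fields big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, _, realm = e["principal"].rpartition("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:          # realm first, then the components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, timestamp, e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])   # 32-bit kvno, as ktpass writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the entries of a keytab as dicts; slots marked deleted are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno; zero means "use vno8"
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
        pos = end
    return entries


def check_keytab(data, expected_spn):
    """Verify a keytab blob; returns (spn_present, strong_key_present, problems)."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_spn]
    problems = []
    if not matching:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"no key for {expected_spn}; keytab holds {found}")
    strong = [e for e in matching if e["enctype"] not in WEAK_ENCTYPES]
    if matching and not strong:
        names = ", ".join(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matching)
        problems.append(f"only weak encryption types present: {names}")
    kvnos = {e["kvno"] for e in matching}
    if len(kvnos) > 1:
        problems.append(f"mixed kvno values {sorted(kvnos)}: an old key survived a password reset")
    return bool(matching), bool(strong), problems


if __name__ == "__main__":
    blob = build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(blob):
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES[e["enctype"]])
    print(check_keytab(blob, SPN))
```

To check a real file, pass its contents instead of the constructed sample, for example check_keytab(open(r"c:\finance1.keytab", "rb").read(), SPN). The kvno reported for each entry must equal the service account's current msDS-KeyVersionNumber attribute in Active Directory; if the account password is reset after the keytab is generated, the number increments and the keytab must be regenerated, which is why step 7 sets the password never to expire.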

Enable single sign-on for the Windows desktop


Next topic:

Enable a trust association interceptor for SPNEGO
