
Kerberos Authentication

Question asked by DanishA on May 3, 2017
Latest reply on May 8, 2017 by Vikram.Mullachery.2640902

Hi,

Configure Kerberos Authentication

 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication

 

Use case:

Implement Windows authentication with SiteMinder.

Customer has multiple forests and multiple domains.

Assume that forest level and domain level trust does not exist.

 

In this case, to achieve Kerberos authentication we think we have to use multiple KDC configurations in the Authentication Scheme. The documentation indicates that we can add multiple Kerberos realm and domain mappings. The documentation also indicates that we need to create two service accounts, one for the policy server and one for the webagent. We need to create a keytab file for each service account.

 

Questions?

 

Do we need a service ID for each KDC?

How do we use multiple service IDs in the Kerberos configuration?

Does the policy server/webagent use the keytab file to communicate with the KDC server?

How do we configure multiple keytab files in the Kerberos configuration?

For Kerberos authentication to work, do we need Active Directory as the user directory?

Can we use Kerberos for authentication and use an Oracle LDAP directory as the user directory for authorization?
