Symantec Access Management

  • 1.  Setting up Kerberos Authentication

    Posted Oct 02, 2017 05:57 PM

    Siteminder :12.7
    Platform :Linux
    Webagent 12.52 SP1 CR7

     

     

    Looking for some guidance in setting up SPN (principal names), Keytabfile and KDC values.



  • 2.  Re: Setting up Kerberos Authentication
    Best Answer

    Posted Oct 02, 2017 07:31 PM

    Kerberos authentication fail after exceeding ticket_lifetime value. 

    An issue is found on R12.7 base Policy Server where the policy server service account's kerberos ticket do not get renewed.

     

    But you should still be able to test the functionality.

     

    Do you have experience setting up kerberos authentication on Windows environment?

    I would recommend doing that first before jumping onto Linux environment.



  • 3.  Re: Setting up Kerberos Authentication

    Posted Oct 03, 2017 10:11 AM

    Thank you Sung in providing the information, Nope we only have Linux environment setup. what is the difference in setting up in Linux env and Windows env ?



  • 4.  Re: Setting up Kerberos Authentication

    Posted Oct 05, 2017 12:59 PM

    CA  SSO configurations are pretty much the same irrespective of windows OR linux. But CA SSO configuration accounts for only 25% of the E2E Kerberos configuration. 75% of the configuration is outside CA SSO e.g. things like browser (IE vs Chrome vs FireFox vs cURL) settings for Kerberos, Hostname Resolution between servers, Keytab file version numbers, encryption handshake algorithms, Kerberos environment variable, Kerberos configuration files. Thus Kerberos is not about reading CA SSO documentation ONLY, but it is also about knowing what goes on outside SiteMinder.

     

    Many a times we do get the comment that we have configured everything as per CA SSO documentation, but yet Kerberos is not working. Almost most of the time the issue is outside CA SSO Configuration (i.e. in the 75% configuration space e.g. things like browser (IE vs Chrome vs FireFox vs cURL) settings for Kerberos, Hostname Resolution between servers, Keytab file version numbers, encryption handshake algorithms, Kerberos environment variable, Kerberos configuration files).

     

    what differs is the complexity outside siteminder? an e.g. In windows you can just added servers to the AD domains (which is also acting as KDC). In linux you have manually configure at OS level to resolve correctly & interwork with the AD domain.

     

    Hope the thought process helps!