
Kerberos Authentication for a cluster


Article ID: 197435


Updated On:


Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER


With Kerberos Authentication, when a single SiteMinder Policy Server is used, the smpsServicePrincipal in the ACO and the SMPS Principal Name in the Kerberos authentication scheme should both be smps/<policy server name>@<DOMAIN NAME>. What value should those two parameters have when two or more SiteMinder Policy Servers run in a cluster?


Multiple Policy Servers need to be configured to handle Kerberos Authentication with the KDC. How are the additional Policy Servers added to the configuration?


Release :

Component : SITEMINDER - SiteMinder Policy Server


Tech Tip: CA Single Sign-On :: High Availability for Kerberos Authentication

Follow the steps below to configure Kerberos for high availability of the Policy Server.

  1. Create a service account in the KDC for the Policy Server.
  2. Run ktpass against that account (NOTE: the FQDN must be resolvable in DNS, forward and reverse):


C:\scripts>ktpass -out policyserver-smps.keytab -princ smps/<policy server FQDN>@MYSITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser <service account>@MYSITE.COM -pass firewall -mapOp set -crypto All


  3. Copy/move the keytab file policyserver-smps.keytab to the proper location on the Policy Server: /etc (Linux) or C:\Windows.
  4. Configure the Kerberos authentication scheme for PS1 (NOTE: a relative target was used).
  5. Update the Kerberos configuration file (krb5.ini or krb5.conf) on Policy Server PS1: either point it to the new keytab file, OR write the Policy Server key entries into the existing keytab file using ktutil.
  6. Copy the same keytab file to the second Policy Server.
  7. Update the Kerberos configuration file (krb5.ini or krb5.conf) on Policy Server PS2 so that it matches the PS1 file.
  8. The Host Configuration Object should point to both Policy Servers.


Both Policy Server machines will use the same keytab file. The service principal name does not need to resolve to every Policy Server; the service name should be that of one Policy Server in the configured group.

On the web server side, use a relative URI; as long as each one is defined it will work, in the same way as forms authentication in a high availability setup, whether Kerberos or any other authentication is used. If a load balancer is used to reach the website, the FQDN of the load balancer should be used as the service principal name in the keytab files.

ALL Policy Servers should use the same keytab file/entry:
  - Web server: httpserviceprincipal='HTTP/<web server FQDN>@<DOMAIN NAME>'
  - Policy Server: smpsserviceprincipal='smps/<policy server name>@<DOMAIN NAME>'
  - Auth scheme: SMPS Principal Name set to the same smps/<policy server name>@<DOMAIN NAME> value
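The two conditions the steps above impose on the cluster (each Policy Server's keytab carries the smps/... principal named in the ACO and auth scheme, and every Policy Server holds the same keytab) can be verified without the KDC. The following Python is an added example, not Broadcom/SiteMinder code: it parses the binary keytab format that ktpass and ktutil write (MIT keytab version 0x0502) far enough to list each entry's principal, kvno and encryption type, then runs both checks over per-server copies. The principal names, the realm EXAMPLE.COM, the kvno values and the key bytes are constructed placeholders.

```python
"""Check the keytab copies shared by a SiteMinder Policy Server cluster.

Added example, not Broadcom/SiteMinder code. Parses keytab format 0x0502
(big-endian) and checks that each Policy Server copy holds the expected
smps/<host>@<REALM> entry and that all copies are byte-identical.
All principals, realm and key bytes below are constructed placeholders.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
KRB5_NT_PRINCIPAL = 1        # the -ptype given to ktpass
ETYPE_AES256_SHA1 = 18
ETYPE_RC4_HMAC = 23


@dataclass
class KeytabEntry:
    principal: str           # "service/host@REALM"
    kvno: int
    enctype: int


def _counted(data: bytes, off: int):
    """Read a uint16-length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Return every live entry; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, key_len = struct.unpack_from(">HH", data, off)
        off += 4 + key_len                 # key material is not needed here
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries


def has_smps_entry(data: bytes, expected: str) -> bool:
    """True when the keytab holds the smps/... principal the ACO and auth scheme name."""
    return any(e.principal == expected for e in parse_keytab(data))


def same_keytab(a: bytes, b: bytes) -> bool:
    """Byte-identical copies: what 'ALL Policy Servers use the same keytab' means."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one entry; used only to construct the sample keytabs below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: what "ktpass ... -crypto All" leaves for one SPN, one entry
# per encryption type. Key bytes are all-zero dummies, not real keys.
SMPS_SPN = "smps/ps1.example.com@EXAMPLE.COM"
PS1_KEYTAB = (KEYTAB_MAGIC
              + build_entry(SMPS_SPN, 3, ETYPE_AES256_SHA1, bytes(32))
              + build_entry(SMPS_SPN, 3, ETYPE_RC4_HMAC, bytes(16)))
PS2_KEYTAB = PS1_KEYTAB                                   # the copy made in step 6
PS2_STALE_KEYTAB = KEYTAB_MAGIC + build_entry(SMPS_SPN, 2, ETYPE_AES256_SHA1, bytes(32))


def cluster_check(expected_spn: str, copies: Dict[str, bytes]) -> List[str]:
    """Report problems across per-server copies; an empty list means consistent."""
    problems = []
    reference = next(iter(copies.values()))
    for host, data in copies.items():
        if not has_smps_entry(data, expected_spn):
            problems.append(f"{host}: missing {expected_spn}")
        if not same_keytab(reference, data):
            problems.append(f"{host}: keytab differs from the other Policy Server(s)")
    return problems


if __name__ == "__main__":
    print(cluster_check(SMPS_SPN, {"PS1": PS1_KEYTAB, "PS2": PS2_KEYTAB}))
    print(cluster_check(SMPS_SPN, {"PS1": PS1_KEYTAB, "PS2": PS2_STALE_KEYTAB}))
```

Feed it the file that each server's krb5.conf or krb5.ini points to. The stale-copy case is the one worth watching for: re-running ktpass with -pass changes the account's password and key version on the KDC, so a keytab copied to PS2 before that run stays parseable and still names the right principal, yet its kvno no longer matches and only that node fails Kerberos.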

Additional Information

SYMANTEC SITEMINDER - 12.8 - Configure Kerberos Authentication

SYMANTEC SITEMINDER - 12.8 - Policy Server Configuration for Kerberos Authentication

SYMANTEC SITEMINDER - 12.8 - Configure a Kerberos Configuration File