Kerberos Authentication for a cluster

Article ID: 197435

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

With Kerberos Authentication, when a single SiteMinder Policy Server is used, the smpsServicePrincipal parameter in the ACO and the SMPS Principal Name in the Kerberos authentication scheme should both be smps/<policy server name>@<DOMAIN NAME>. What value should those two parameters have when two or more SiteMinder Policy Servers run in a cluster?

Cause

Multiple Policy Servers need to handle Kerberos Authentication with the KDC. How are the additional Policy Servers added to the configuration?

Environment

Release : 12.8.0.3

Component : SITEMINDER -SiteMinder Policy Server

Resolution

Tech Tip: CA Single Sign-On :: High Availability for Kerberos Authentication

Follow the steps below to configure Kerberos for a high-availability Policy Server setup. The example uses two Policy Servers, ps1.mysite.com and ps2.mysite.com.

  1. Create a service account in the KDC for the Policy Server.
  2. Run ktpass for ps1.mysite.com (NOTE: the FQDN must be resolvable in DNS, both forward and reverse):

C:\scripts>ktpass -out policyserver-smps.keytab -princ smps/ps1.mysite.com@MYSITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser [email protected] -pass firewall -mapOp set -crypto all

  3. Copy/move the keytab file policyserver-smps.keytab to the proper location on the Policy Server: /etc (Linux) or c:\windows (Windows).
  4. Configure the Kerberos authentication scheme for ps1 (NOTE: use a relative target).
  5. Update the Kerberos configuration file (krb5.ini or krb5.conf) on Policy Server PS1: either point it to the new keytab file, or write the Policy Server key entries into the existing keytab file using ktutil.
  6. Copy the same keytab file to the second Policy Server (ps2.mysite.com).
  7. Update the Kerberos configuration file (krb5.ini or krb5.conf) on Policy Server PS2 so that it matches the PS1 file.
  8. The Host Configuration Object should point to both Policy Servers.


Both Policy Server machines use the same keytab file. The service principal name does not need to resolve to every Policy Server; it only has to name one of the Policy Servers in the configured group.

On the web server side, use a relative URI. As long as each Policy Server is defined, high availability works the same way it does for Forms authentication, whether Kerberos or any other authentication scheme is in use. If a load balancer is used to reach the website, the FQDN of the load balancer should be used as the service principal name in the keytab files.

Clarification:
ALL Policy Servers should use the same keytab file/entry.
WEBSERVER: httpserviceprincipal='HTTP/[email protected]
Policy Server: smpsserviceprincipal='[email protected]
Auth scheme
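Because every node must carry the same smps entry, a useful check after step 6 is to confirm that the keytab on PS2 holds the same principal, kvno and encryption type as the one on PS1. The script below is an added example, not from this article or from Broadcom: it parses the MIT/Windows v0x0502 keytab format that ktpass and ktutil write and compares the entries for one SPN; the sample keytabs, principal names and key bytes are constructed for illustration.

```python
import struct

def _cos(b):
    # counted octet string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(b)) + b

def _take(buf, p):
    # read a counted octet string at offset p; return (bytes, new offset)
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries):
    """Build a v0x0502 keytab from (realm, components, kvno, enctype, key) tuples.
    Only used here to construct sample input; ktpass/ktutil write the real file."""
    out = b"\x05\x02"
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type 1, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _cos(key)   # keyblock
        body += struct.pack(">I", kvno)                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size; continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2]); p = 2
        realm, p = _take(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _take(entry, p); comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        (enctype,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        _key, p = _take(entry, p)         # key material is never printed or compared
        kvno = struct.unpack(">I", entry[p:p + 4])[0] if p + 4 <= len(entry) else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def same_service_entries(keytab_a, keytab_b, principal):
    """True when both keytabs hold identical, non-empty (kvno, enctype) sets for the SPN."""
    pick = lambda kt: sorted((k, e) for pr, k, e in parse_keytab(kt) if pr == principal)
    return pick(keytab_a) != [] and pick(keytab_a) == pick(keytab_b)

# Constructed samples: PS1's keytab (kvno 3, AES256 = enctype 18) and a stale copy with kvno 2.
SPN = "smps/ps1.mysite.com@MYSITE.COM"
PS1_KEYTAB = build_keytab([("MYSITE.COM", ["smps", "ps1.mysite.com"], 3, 18, b"\x11" * 32)])
STALE_KEYTAB = build_keytab([("MYSITE.COM", ["smps", "ps1.mysite.com"], 2, 18, b"\x22" * 32)])
```

Run parse_keytab on the file read from each Policy Server and pass both blobs to same_service_entries; a False result means one node has a stale or missing smps entry and will fail Kerberos validation while the other succeeds.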


Additional Information

SYMANTEC SITEMINDER - 12.8 - Configure Kerberos Authentication
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication.html

SYMANTEC SITEMINDER - 12.8 - Policy Server Configuration for Kerberos Authentication
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/policy-server-configuration-for-kerberos-authentication.html

SYMANTEC SITEMINDER - 12.8 - Configure a Kerberos Configuration File
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/configure-a-kerberos-configuration-file.html