With Kerberos Authentication, when one SiteMinder server is used, the smpsServicePrincipal in the ACO and the SMPS Principal Name in the Kerberos authentication scheme should be smps/<policy server name>@<DOMAIN NAME>. What is the value for those two parameters when there are two or more SiteMinder servers in a cluster?
Need to configure multiple Policy Servers to handle the Kerberos Authentication with the KDC. How are the additional Policy Servers added into the configuration?
Release : 12.8.0.3
Component : SITEMINDER -SiteMinder Policy Server
Tech Tip: CA Single Sign-On :: High Availability for Kerberos Authentication
Follow the steps below to configure Kerberos for high availability of the Policy Server (Policy Servers ps1.mysite.com and ps2.mysite.com).
C:\scripts>ktpass -out policyserver-smps.keytab -princ smps/ps1.mysite.com@MYSITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser [email protected] -pass firewall -mapOp set -crypto all
Both Policy Server machines will use the same keytab file. The service principal name does not need to resolve to every Policy Server; it should be the name of one Policy Server in the group that is configured.
On the web server side, use a relative URI. As long as each one is defined, this works the same as a forms authentication high-availability setup, whether Kerberos or any other authentication is used. If a load balancer is used to access the website, the FQDN of the load balancer should be used as the service principal name in the keytab files.
Clarification:
All Policy Servers should use the same keytab file/entry.
WEBSERVER: httpserviceprincipal='HTTP/[email protected]'
Policy Server: smpsserviceprincipal='[email protected]'
Auth scheme
SYMANTEC SITEMINDER - 12.8 - Configure Kerberos Authentication
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication.html
SYMANTEC SITEMINDER - 12.8 - Policy Server Configuration for Kerberos Authentication
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/policy-server-configuration-for-kerberos-authentication.html
SYMANTEC SITEMINDER - 12.8 - Configure a Kerberos Configuration File
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/configure-a-kerberos-configuration-file.html