Skip to content

Configure Kerberos Authentication Source

To facilitate enterprise user authentication login, the IDaaS platform supports configuring the Kerberos protocol as an authentication source. Users can authenticate and log in to various application systems through the Kerberos protocol, bringing enterprise users a simpler and more convenient login method and better user experience. This feature is currently only supported in 2E scenarios.

This guide explains the related operations for configuring a Kerberos authentication source.

Prerequisites

  • An AD domain server has been created, and the IDaaS public cloud service can access the AD service.
  • Administrator permissions for the IDaaS Enterprise Center.

Procedure

AD Service Configuration

  1. Open Active Directory Users and Computers, create a new user and password under the AD domain User, and set the password to never expire.

    Steps

  2. On the AD server, enter cmd and execute the following command to generate the SPN.

    bash
    setspn -A HTTP/{IDaaS tenant domain} {new AD username}
    bash
    ktpass /out {file output path and file name} /mapuser {AD username created in step 1} /princ HTTPS/{IDaaS tenant domain@AD domain} /pass {password of AD user created in step 1} /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
    Example: ktpass /out c:\tomcat.keytab /mapuser gltomcat /princ HTTPS/gl1234.bccastle.com@idaas-test.com /pass P@ssw0rd /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

BambooCloud IDaaS Open Platform