Kerberos Configuration

Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service and the web service client. This requires a Kerberos ticket to secure the request to web service provider by identifying his principal as Kerberos token. Typically, Kerberos-based web services security is used in same the context of Kerberos domain (realm) as opposed to across boundaries, for example SAML-based web services security. However, Kerberos is one of the strongest authentication mechanisms, especially in the Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal as the owner of the generated Security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainame represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server is different from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.