In the domain controller, create a user account for the OpenSSO Enterprise authentication module.
From the Start menu, go to Programs>Administration Tools.
Select Active Directory Users and Computers.
Go to Computers > New > Computer and add the client computer's name.
If you are using Windows XP, this step is performed automatically during the domain controller account configuration.
Go to Users > New > Users and create a new user with the OpenSSO Enterprise host name as the User ID (login name).
The OpenSSO Enterprise host name should not include the domain name.
Associate the user account with a service provider name.
Install the ktpass utilities to the c:\program files\support tools directory.
The ktpass utility is not installed as part of Windows 2000 Server. You must install it from the installation CD.
Export the keytab files to the system in which OpenSSO Enterprise is installed by running the following commands.
ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.host.keytab
ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.HTTP.keytab
The ktpass command accepts the following parameters:
hostname. The host name (without the domain name) on which OpenSSO Enterprise runs.
domainname. The OpenSSO Enterprise domain name.
DCDOMAIN. The domain name of the domain controller. This may be different from the OpenSSO Enterprise domain name.
password. The password of the user account. Make sure that the password is correct, as ktpass does not verify passwords.
userName. The user account ID. This should be the same as hostname.
Make sure that both keytab files are kept secure.
The service template values should be similar to the following example:
Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM
Keytab File Name: /tmp/machine1.HTTP.keytab
Kerberos Realm: ISQA.EXAMPLE.COM
Kerberos Server Name: machine2.EXAMPLE.com
Return Principal with Domain Name: false
Authentication Level: 22
If you are using Windows 2003 or Windows 2003 Service Packs, use the following ktpass command syntax:
ktpass /out filename /mapuser username /princ HTTP/hostname.domainname /crypto encryptiontype /rndpass /ptype principaltype /target domainname
For example:
ktpass /out demo.HTTP.keytab /mapuser http /princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM
For syntax definitions, see KTPASS Syntax.
Restart the server.
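Because ktpass does not verify the password and the exported keytab is copied to the OpenSSO host, it is worth inspecting the file before the authentication module is restarted against it. The following script is an added example, not part of this guide or of OpenSSO: it parses a version 0x0502 keytab (the format ktpass writes), lists the principals and key types it contains, checks that the Service Principal from the service template above is present, and flags weak encryption types such as rc4-hmac (type 23), which is what /crypto RC4-HMAC-NT produces. The keytab bytes are constructed inline for the demonstration, and the function names build_keytab, parse_keytab and check_keytab are assumptions of this example.

```python
"""Inspect an exported Kerberos keytab and check it against the OpenSSO
service template (Service Principal) before deploying it."""
import struct
from typing import Dict, List, Tuple

# RFC 3961/4757 encryption type numbers. 23 (rc4-hmac) is what
# "/crypto RC4-HMAC-NT" produces; it is considered weak today, so the
# checker reports it alongside any DES types.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
}
WEAK_ETYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1  # name type selected by "/ptype KRB5_NT_PRINCIPAL"


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse an MIT/Heimdal keytab (file format version 0x0502) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:       # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "kvno": vno,
            "etype": etype, "key_len": len(key),
        })
        off = end
    return entries


def check_keytab(data: bytes, service_principal: str) -> Dict:
    """Compare the keytab contents with the template's Service Principal value."""
    entries = parse_keytab(data)
    match = [e for e in entries if e["principal"] == service_principal]
    return {
        "entries": len(entries),
        "principal_present": bool(match),
        "weak_etypes": sorted({e["etype"] for e in match if e["etype"] in WEAK_ETYPES}),
        "etypes": sorted({ETYPE_NAMES.get(e["etype"], str(e["etype"])) for e in match}),
    }


def build_keytab(entries: List[Tuple[str, int, bytes, int]]) -> bytes:
    """Constructed test data: write a keytab in place of a real ktpass export."""
    out = bytearray(b"\x05\x02")
    for princ, etype, key, kvno in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", etype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the template's Service Principal with the RC4 key that
# ktpass writes plus an AES key. Key bytes are dummies, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM", 23, b"\x11" * 16, 3),
    ("HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM", 18, b"\x22" * 32, 3),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM"))
```

To run it against a real export, replace SAMPLE_KEYTAB with the bytes read from /tmp/machine1.HTTP.keytab and pass the Service Principal string exactly as it appears in the service template; a missing principal usually means the /princ value or realm case did not match, and a non-empty weak_etypes list means the domain controller should be asked for an AES key instead of RC4-HMAC-NT where it supports one.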