4.5. How to Set Up Kerberos Authentication

4.5.1. Whitelist and Blacklist Support

Follow the steps below to configure Kerberos Authentication for your Active Directory.

To get the full functionality offered by Kerberos Authentication, it is necessary to provide the credentials of a user that has 'write' access to Active Directory. This user is used to read users and delete computer entries from the directory.

Steps

Kerberos Authentication requires some specific configuration on the Active Directory server and Oracle VDI hosts prior to setting up the user directory in the Oracle VDI Manager.

  1. Kerberos authentication must be enabled in Active Directory.

    It should already be enabled as the default.

  2. Ensure that each Active Directory forest has a global catalog server.

    Configure a domain controller in each forest as a global catalog server.

  3. Set the Forest Functional Level.

    If the Domain Controller is running on Microsoft Windows Server 2008 R2, the Forest Functional Level must be set to Windows Server 2008 or Windows Server 2008 R2 (instead of the value used by default, Windows Server 2003). Refer to Microsoft documentation for more information about the Forest Functional Level.

  4. Synchronize the time between the Oracle VDI hosts and Active Directory server.

    Use Network Time Protocol (NTP) software or the rdate command to ensure the clocks on all hosts are synchronized.

    For example, use ntpdate my.windows.host

    In a production environment, it is best to use an NTP time server.

  5. Edit the system default Kerberos configuration file on the Oracle VDI hosts.

    The system default Kerberos configuration file is:

    • /etc/krb5/krb5.conf on Oracle Solaris OS platforms.

    • /etc/krb5.conf on Oracle Linux platforms.

    Caution

    The capitalization of the realm names in the Kerberos configuration file is very important so make sure you respect the capitalization as indicated in the example.

    At a minimum, the Kerberos configuration file must contain the following sections:

    • [libdefaults] - this sets defaults for Kerberos authentication. You must set the default_realm.

    • [realms] - this sets the KDCs for each Kerberos realm. A realm can have more than one kdc; the port can be omitted if the default port 88 is used.

      To allow end-users to update their password (Section 7.2.6, “How to Change User Password”), the details of the server that handles the password change for each Kerberos realm must be specified. The kpasswd_server and admin_server entries identify the Kerberos administration server that handles the password change. If kpasswd_server is omitted, the admin_server is used instead. The port can be omitted if the default port 464 is used.

      Format of a realm definition:

      REALM_NAME = {
          kdc = host:port
          kdc = host:port
          ...
          kpasswd_server = host:port
          admin_server = host:port
          kpasswd_protocol = SET_CHANGE
      }
      
    • [domain_realm] - this maps Active Directory domains to Kerberos realms.

      The following is an example Kerberos configuration file for a forest with a single domain:

      [libdefaults]
          default_realm = MY.COMPANY.COM

      [realms]
          MY.COMPANY.COM = {
              kdc = my.windows.host
              admin_server = my.windows.host
              kpasswd_protocol = SET_CHANGE
          }

      [domain_realm]
          .my.company.com = MY.COMPANY.COM
          my.company.com = MY.COMPANY.COM
  6. You can check that Kerberos and its name resolution requirements are configured properly by using getent, nslookup, and kinit.

    For example:

    • # getent hosts <my.windows.host> must return the IP address and the hostname

    • # getent hosts <IP_of_my.windows.host> must return the IP address and the hostname

    • # nslookup -query=any _gc._tcp.<my.company.com> must resolve the domain

    • # kinit -V <super-user@MY.COMPANY.COM> must succeed

  7. Restart the VDA Service.

    # /opt/SUNWvda/sbin/vda-service restart
  8. Configure the user directory in Oracle VDI Manager.

    1. In the Oracle VDI Manager, go to Settings > Company.

    2. In the Companies table, click New to activate the New Company wizard.

    3. Select Active Directory Type, and click Next.

    4. Select Kerberos Authentication.

    5. Enter the domain for the Active Directory.

      For example, my.company.com.

    6. Enter the user principal name of a user that has sufficient privileges to write into the Active Directory.

      For example, super-user or super-user@my.company.com.

    7. Enter the password for that user.

    8. Click Next to review your choices before completing the configuration.
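The krb5.conf requirements of step 5 and the capitalization caution, as an added example that is not part of this guide or of Oracle VDI: a small Python checker that parses the file and reports a default_realm that is missing or not defined in [realms], a realm name that is not upper-case, a realm without a kdc, a realm with neither kpasswd_server nor admin_server (so password changes cannot work), and a [domain_realm] entry that maps to an undefined realm. The sample configuration is constructed here in the shape of the single-domain example above.

```python
# Constructed sample in the shape of the page's single-domain example; the last line's lower-case realm is a deliberate mismatch.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = MY.COMPANY.COM
[realms]
MY.COMPANY.COM = {
kdc = my.windows.host
admin_server = my.windows.host
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.my.company.com = MY.COMPANY.COM
my.company.com = my.company.com
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a realm block becomes a nested dict."""
    conf, section, realm = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('['):                      # section header such as [realms]
            section, realm = conf.setdefault(line.strip('[]'), {}), None
        elif line == '}':                             # end of a realm block
            realm = None
        elif '=' in line:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                          # start of a realm block
                realm = section.setdefault(key, {})
            else:                                     # keys may repeat (e.g. several kdc lines)
                (realm if realm is not None else section).setdefault(key, []).append(value)
    return conf

def check_krb5_conf(text):
    """Return the problems found; an empty list means the file meets the step 5 requirements."""
    conf, problems = parse_krb5_conf(text), []
    realms = conf.get('realms', {})
    default = conf.get('libdefaults', {}).get('default_realm', ['<missing>'])[0]
    if default not in realms:
        problems.append(f'default_realm {default} is not defined in [realms]')
    for name, body in realms.items():
        if name != name.upper():
            problems.append(f'realm {name} is not upper-case (capitalization matters)')
        if 'kdc' not in body:
            problems.append(f'realm {name} has no kdc entry')
        if not ('kpasswd_server' in body or 'admin_server' in body):
            problems.append(f'realm {name} has no kpasswd_server/admin_server for password changes')
    for domain, targets in conf.get('domain_realm', {}).items():
        for target in targets:
            if target not in realms:
                problems.append(f'[domain_realm] maps {domain} to undefined realm {target}')
    return problems
```

Run check_krb5_conf() on the contents of /etc/krb5/krb5.conf or /etc/krb5.conf before restarting the VDA service; the sample above reports exactly one problem, the lower-case realm in the last [domain_realm] line.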

More Information on Kerberos Authentication

For more information about Kerberos authentication:

4.5.1. Whitelist and Blacklist Support

Oracle VDI supports the Whitelist and Blacklist feature for Kerberos authentication. The feature is an optional set of hostname lists that can be specified for a Company, giving more fine-grained control over which Active Directory servers are queried by Oracle VDI.

The directory whitelist is a comma-separated list of Active Directory global catalog servers that are always used for LDAP queries. The order of the servers in the whitelist is important: if Oracle VDI cannot contact the first server in the list, it tries the next one. The directory blacklist is a comma-separated list of Active Directory servers that are never used for LDAP queries. The blacklist settings override the whitelist settings.

This feature can be enabled in the CLI only.