3.5. Setting Up Kerberos Authentication

Follow the steps below to configure Kerberos Authentication for your Active Directory.

To get the full functionality offered by Kerberos Authentication, it is necessary to provide the credentials of a user that has 'write' access to Active Directory. This user is used to read users and delete computer entries from the directory.

Kerberos Authentication requires some specific configuration in Active Directory and on your Oracle VDI hosts before configuring the user directory in Oracle VDI Manager.

Steps

  1. Kerberos authentication must be enabled in Active Directory.

    It should already be enabled as the default.

  2. Ensure that each Active Directory forest has a global catalog server.

    Configure a domain controller in each forest as a global catalog server.

  3. Set the Forest Functional Level.

    If the Domain Controller is running on Microsoft Windows Server 2008 R2, the Forest Functional Level must be set to Windows Server 2008 or Windows Server 2008 R2 (instead of the value used by default, Windows Server 2003). Refer to Microsoft documentation for more information about the Forest Functional Level.

  4. Synchronize the time between the Oracle VDI hosts and Active Directory server.

    Use Network Time Protocol (NTP) software or the rdate command to ensure the clocks on all hosts are synchronized.

    For example: ntpdate my.windows.host

    In a production environment, it is best to use an NTP time server.

  5. Edit the system default Kerberos configuration file on the Oracle VDI hosts.

    The system default Kerberos configuration file is:

    • /etc/krb5/krb5.conf on Oracle Solaris OS platforms.

    • /etc/krb5.conf on Oracle Linux platforms.

    Caution

    The capitalization of the realm names in the Kerberos configuration file is very important so make sure you respect the capitalization as indicated in the example.

    At a minimum, the Kerberos configuration file must contain the following sections:

    • [libdefaults] - this sets defaults for Kerberos authentication. You must set the default_realm.

    • [realms] - this sets the KDCs for each Kerberos realm. A realm can have more than one kdc entry, and the port can be omitted if the default port 88 is used.

      To allow end-users to update their password (Section 6.2.3, “User Password Change and Expiry”), the details of the server that handles the password change for each Kerberos realm must be specified. The kpasswd_server and admin_server entries identify the Kerberos administration server that handles the password change. If kpasswd_server is omitted, the admin_server is used instead. The port can be omitted if the default port 464 is used.

      Format of a realm definition:

      REALM_NAME = {
      kdc = host:port
      kdc = host:port
      ...
      kpasswd_server = host:port
      admin_server = host:port
      kpasswd_protocol = SET_CHANGE
      }
      
    • [domain_realm] - this maps Active Directory domains to Kerberos realms.

      The following is an example Kerberos configuration file for a forest with a single domain:

      [libdefaults]
      default_realm = MY.COMPANY.COM
      
      [realms]
      MY.COMPANY.COM = {
      kdc = my.windows.host
      admin_server = my.windows.host
      kpasswd_protocol = SET_CHANGE
      }
      
      [domain_realm]
      .my.company.com = MY.COMPANY.COM
      my.company.com = MY.COMPANY.COM

  6. You can check that Kerberos and its name resolution requirements are configured properly by using getent, nslookup, and kinit.

    For example:

    • # getent hosts my.windows.host must return the IP address and the host name

    • # getent hosts IP_of_my.windows.host must return the IP address and the host name

    • # nslookup -query=any _gc._tcp.my.company.com must return the SRV records that locate the global catalog servers for the domain

    • # kinit -V super-user@MY.COMPANY.COM must succeed

  7. Restart the VDA Service.

    # /opt/SUNWvda/sbin/vda-service restart

  8. Configure the user directory in Oracle VDI Manager.

    1. In Oracle VDI Manager, go to Settings and then Company.

    2. In the Companies table, click New.

      The New Company wizard is displayed.

    3. On the Choose User Directory step, select Active Directory.

    4. On the Specify Connection step, configure Kerberos authentication.

      1. Select Kerberos Authentication.

      2. In the Domain field, enter the Active Directory domain name.

        For example, my.company.com.

      3. In the User Name and Password boxes, enter the user principal name of a user that has sufficient privileges to write to Active Directory.

        For example, super-user or super-user@my.company.com.

    5. On the Define Company step, enter the company details.

      1. In the Name field, enter the name of the company.

      2. (Optional) In the E-Mail Domain Name field, enter one or more email domain names.

        Enter multiple domain names as a comma-separated list.

        If you enter an email domain, users can log in using their email address.

      3. (Optional) In the Comments field, enter any notes about the company.

    6. On the Review step, check the configuration of the company and click Finish.

      The new company is added to the Companies table.
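The Caution in step 5 and the checks in step 6 both come down to the realm and domain names in krb5.conf agreeing with each other and with DNS. The following Python script is an added example, not part of the Oracle VDI documentation or product: it parses the single-domain krb5.conf shown in step 5, reports the inconsistencies that most often break Kerberos authentication (default_realm not defined under [realms], a realm name that is not upper-case, a [domain_realm] mapping to an undefined realm, no kpasswd_server or admin_server for password changes), and derives the step-6 getent, nslookup and kinit commands from the file so that nothing is typed by hand. The sample and deliberately broken configurations, the host names and the super-user account name are constructed for illustration.

```python
import re

# Constructed sample matching the single-domain example in step 5.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MY.COMPANY.COM

[realms]
MY.COMPANY.COM = {
kdc = my.windows.host
admin_server = my.windows.host
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.my.company.com = MY.COMPANY.COM
my.company.com = MY.COMPANY.COM
"""

# Same file with the realm block in lower case: the mistake the Caution warns about.
BAD_KRB5_CONF = SAMPLE_KRB5_CONF.replace("MY.COMPANY.COM = {", "my.company.com = {")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above into {section: {...}}.

    Flat sections map key -> value; brace blocks such as [realms] map
    realm -> {key: [values]} so that several kdc lines are kept in order.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("entry outside any section: %r" % raw)
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:                                  # start of a "NAME = {" block
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if block is None:
            conf[section][key] = value
        else:
            conf[section][block].setdefault(key, []).append(value)
    return conf


def check_krb5_conf(conf):
    """Return a list of consistency problems; an empty list means the file is OK."""
    problems = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append("default_realm %s is not defined in [realms]" % default_realm)
    for realm, entries in realms.items():
        if realm != realm.upper():             # realm names are case-sensitive
            problems.append("realm %s is not upper-case" % realm)
        if not entries.get("kdc"):
            problems.append("realm %s has no kdc" % realm)
        if not (entries.get("kpasswd_server") or entries.get("admin_server")):
            problems.append("realm %s has no kpasswd_server or admin_server" % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain %s maps to undefined realm %s" % (domain, realm))
    return problems


def verification_commands(conf, user="super-user"):
    """Derive the step-6 checks from the file. The reverse getent lookup by IP
    address is left to the operator because it needs a live DNS answer."""
    cmds, hosts = [], []
    for entries in conf.get("realms", {}).values():
        for key in ("kdc", "kpasswd_server", "admin_server"):
            for value in entries.get(key, []):
                host = re.sub(r":\d+$", "", value)   # strip the optional :port
                if host not in hosts:
                    hosts.append(host)
    cmds += ["getent hosts %s" % h for h in hosts]
    cmds += ["nslookup -query=any _gc._tcp.%s" % d
             for d in conf.get("domain_realm", {}) if not d.startswith(".")]
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm:
        cmds.append("kinit -V %s@%s" % (user, default_realm))
    return cmds


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_KRB5_CONF), ("bad", BAD_KRB5_CONF)):
        print(name, "problems:", check_krb5_conf(parse_krb5_conf(text)) or "none")
    print("\n".join(verification_commands(parse_krb5_conf(SAMPLE_KRB5_CONF))))
```

Run it against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())` on Oracle Linux (or /etc/krb5/krb5.conf on Oracle Solaris); a non-empty problem list is worth fixing before restarting the VDA service, since kinit failures caused by a mis-cased realm are otherwise slow to diagnose.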

More Information on Kerberos Authentication

3.5.1. Whitelist and Blacklist Support

Oracle VDI supports whitelists and blacklists for Kerberos authentication. The feature is an optional list of hosts that can be specified for a Company, giving more fine-grained control over which Active Directory servers are queried by Oracle VDI.

The whitelist is a comma-separated list of Active Directory global catalog servers (not domain controllers) that are always used for LDAP queries. The order of the servers in the whitelist is important. If Oracle VDI cannot contact the first server in the list, it tries the next one. The hosts in the whitelist must be resolvable in DNS. This includes IP addresses, fully-qualified (long) host names, and unqualified (short) host names.

The blacklist is a comma-separated list of Active Directory servers that are never used for LDAP queries. The blacklist settings override the whitelist settings. The hosts in the blacklist must match the value returned by DNS exactly (the value is case-sensitive). If the Service Location (SRV) locator resource records returned by DNS use IP addresses, the blacklist must contain IP addresses. If DNS uses host names, the blacklist must contain host names.

This feature can be enabled only on the command line, using the directory.white.list and directory.black.list properties.
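The selection rules above (whitelist order is the failover order, the blacklist overrides the whitelist, and blacklist entries match the DNS value exactly and case-sensitively) are easy to get wrong when writing the property values. The Python below is an added example, not Oracle VDI code, that models those rules so a value can be checked offline before it is set. The candidate host list standing in for the DNS SRV answer is constructed, and the example assumes that when directory.white.list is set only the listed servers are used, which the text above implies but does not state outright.

```python
def split_property(value):
    """Split a comma-separated property value, ignoring empty entries and
    surrounding whitespace. The host text itself is left untouched because
    blacklist matching is exact and case-sensitive."""
    return [v.strip() for v in value.split(",") if v.strip()]


def select_ldap_servers(dns_hosts, white_list="", black_list=""):
    """Return the ordered list of servers Oracle VDI would try for LDAP queries.

    dns_hosts:  global catalog hosts as returned by the SRV lookup, in DNS order.
    white_list: directory.white.list value; when set, it replaces the DNS
                answer and its order is the failover order (assumption, see lead-in).
    black_list: directory.black.list value; removes matching entries from
                whichever list is in use, by exact, case-sensitive comparison.
    """
    white = split_property(white_list)
    black = set(split_property(black_list))
    candidates = white if white else list(dns_hosts)
    return [host for host in candidates if host not in black]


def first_reachable(servers, probe):
    """Walk the selected servers in order and return the first one for which
    probe(host) succeeds, or None when every server is unreachable. probe is
    injected so the failover logic can be exercised without a network."""
    for host in servers:
        if probe(host):
            return host
    return None


if __name__ == "__main__":
    # Constructed stand-in for the hosts a _gc._tcp SRV lookup might return.
    dns_answer = ["gc1.my.company.com", "gc2.my.company.com", "10.0.0.5"]
    chosen = select_ldap_servers(dns_answer,
                                 white_list="gc2.my.company.com,gc1.my.company.com",
                                 black_list="gc2.my.company.com")
    print("servers to query, in order:", chosen)
    # A blacklist entry in the wrong case does not match the DNS value.
    print("mis-cased blacklist ignored:",
          select_ldap_servers(dns_answer, black_list="GC1.my.company.com"))
    # Simulate gc1 being down: the next server in order is used.
    print("first reachable:", first_reachable(dns_answer,
                                              lambda h: h != "gc1.my.company.com"))
```

Because the comparison is exact, it is worth printing `nslookup -query=any _gc._tcp.my.company.com` and copying the host names or IP addresses from that output into directory.black.list rather than typing them.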