In the domain controller, create a user account for the Access Manager authentication module.
From the Start menu, go to Programs>Administration Tools.
Select Active Directory Users and Computers.
Go to Computers>New>computer and add the client computer's name. If you are using Windows XP, this step is performed automatically during the domain controller account configuration.
Go to Users>New>Users and create a new user with the Access Manager host name as the User ID (login name). The Access Manager host name should not include the domain name.
Associate the user account with a service provider name and export the keytab files to the system in which Access Manager is installed. To do so, run the following commands:
ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName-out hostname.host.keytab ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass password -mapuser userName-out hostname.HTTP.keytab |
The ktpass utilities are not installed as part of the Windows 2000 server. You must install it from the installation CD to the c:\program files\support tools directory.
The ktpass command accepts the following parameters:
hostname. The host name (without the domain name) on which Access Manager runs.
domainname . The Access Manager domain name.
DCDOMAIN. The domain name of the domain controller. This may be different from the Access Manager domain name.
password . The password of the user account. Make sure that password is correct, as ktpass does not verify passwords.
userName. The user account ID. This should be the same as hostname.
Make sure that both keytab files are kept secure.
The service template values should be similar to the following example:
Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM
Keytab File Name: /tmp/machine1.HTTP.keytab
Kerberos Realm: ISQA.EXAMPLE.COM
Kerberos Server Name: machine2.EXAMPLE.com
Return Principal with Domain Name: false
Authentication Level: 22
If you are using Windows 2003 or Windows 2003 Service Packs,, use the following ktpass command syntax:
ktpass /out filename /mapuser username /princ HTTP/hostname.domainname /crypto encryptiontype /rndpass /ptype principaltype /target domainname |
For example:
ktpass /out demo.HTTP.keytab /mapuser http /princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM |
For syntax definitions, see http://technet2.microsoft.com/WindowsServer/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true web site.
Restart the server.