Sun Java System Access Manager 7.1 Administration Guide

ProcedureTo Create a User in the Windows 2000 Domain Controller

  1. In the domain controller, create a user account for the Access Manager authentication module.

    1. From the Start menu, go to Programs>Administration Tools.

    2. Select Active Directory Users and Computers.

    3. Go to Computers>New>computer and add the client computer's name. If you are using Windows XP, this step is performed automatically during the domain controller account configuration.

    4. Go to Users>New>Users and create a new user with the Access Manager host name as the User ID (login name). The Access Manager host name should not include the domain name.

  2. Associate the user account with a service provider name and export the keytab files to the system in which Access Manager is installed. To do so, run the following commands:


    ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName-out 
    hostname.host.keytab
    ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass 
    password -mapuser userName-out hostname.HTTP.keytab

    Note –

    The ktpass utilities are not installed as part of the Windows 2000 server. You must install it from the installation CD to the c:\program files\support tools directory.


    The ktpass command accepts the following parameters:

    hostname. The host name (without the domain name) on which Access Manager runs.

    domainname . The Access Manager domain name.

    DCDOMAIN. The domain name of the domain controller. This may be different from the Access Manager domain name.

    password . The password of the user account. Make sure that password is correct, as ktpass does not verify passwords.

    userName. The user account ID. This should be the same as hostname.


    Note –

    Make sure that both keytab files are kept secure.


    The service template values should be similar to the following example:

    Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM

    Keytab File Name: /tmp/machine1.HTTP.keytab

    Kerberos Realm: ISQA.EXAMPLE.COM

    Kerberos Server Name: machine2.EXAMPLE.com

    Return Principal with Domain Name: false

    Authentication Level: 22


    Note –

    If you are using Windows 2003 or Windows 2003 Service Packs,, use the following ktpass command syntax:


    ktpass /out filename /mapuser username /princ HTTP/hostname.domainname 
         /crypto encryptiontype /rndpass /ptype principaltype /target domainname
    

    For example:


    ktpass /out demo.HTTP.keytab /mapuser http 
    /princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM /crypto RC4-HMAC-NT 
    /rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM

    For syntax definitions, see http://technet2.microsoft.com/WindowsServer/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true web site.


  3. Restart the server.