On the domain controller, create a user account for the Access Manager authentication module.
Associate the user account with the service principal names (SPNs) that Access Manager will authenticate as, and export the resulting keytab files to the system on which Access Manager is installed. To do so, run the following two commands on the domain controller:
ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.host.keytab
ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.HTTP.keytab
The ktpass commands use the following placeholders:
hostname. The host name (without the domain name) of the system on which Access Manager runs.
domainname. The DNS domain name of the Access Manager host.
DCDOMAIN. The Kerberos realm of the domain controller, in upper case. This may differ from the Access Manager domain name.
password. The password of the user account. Type it carefully: ktpass does not verify the password, so a typo is not detected until authentication fails at run time.
userName. The user account ID. This should be the same as hostname.
Keep both keytab files secure: a keytab holds the long-term key for the service principal, so anyone who can read it can impersonate that service. Copy the files to the Access Manager host over a protected channel, restrict read access to the account that runs Access Manager, and remove any copies left on the domain controller.
The service template values should be similar to the following example, which corresponds to hostname machine1, domainname EXAMPLE.COM, and DCDOMAIN ISQA.EXAMPLE.COM. The Service Principal must match the HTTP entry in the keytab character for character, and the Kerberos Realm is DCDOMAIN, not the Access Manager domain name. Kerberos Server Name is the domain controller (KDC) host.
Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM
Keytab File Name: /tmp/machine1.HTTP.keytab
Kerberos Realm: ISQA.EXAMPLE.COM
Kerberos Server Name: machine2.EXAMPLE.com
Return Principal with Domain Name: false
Authentication Level: 22
Restart the Access Manager server so that the authentication module loads the new configuration.