test

Sun OpenSSO Enterprise 8.0 Administration Guide

ProcedureTo Create a User in the Windows Domain Controller

  1. In the domain controller, create a user account for the OpenSSO Enterprise authentication module.

    1. From the Start menu, go to Programs>Administration Tools.

    2. Select Active Directory Users and Computers.

    3. Go to Computers > New > computer and add the client computer's name.

      If you are using Windows XP, this step is performed automatically during the domain controller account configuration.

    4. Go to Users > New > Users and create a new user with the OpenSSO Enterprise host name as the User ID (login name).

      The OpenSSO Enterprise host name should not include the domain name.

  2. Associate the user account with a service provider name.

  3. Install the ktpass utilities to the c:\program files\support tools directory.

    The ktpass utilities are not installed as part of the Windows 2000 server. You must install it from the installation CD.

  4. Export the keytab files to the system in which OpenSSO Enterprise is installed by running the following commands.


    ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName-out 
hostname.host.keytab
ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass 
password -mapuser userName-out hostname.HTTP.keytab

    The ktpass command accepts the following parameters:

    hostname. The host name (without the domain name) on which OpenSSO Enterprise runs.

    domainname . The OpenSSO Enterprise domain name.

    DCDOMAIN. The domain name of the domain controller. This may be different from the OpenSSO Enterprise domain name.

    password . The password of the user account. Make sure that password is correct, as ktpass does not verify passwords.

    userName. The user account ID. This should be the same as hostname.

    Note –

    Make sure that both keytab files are kept secure.

    The service template values should be similar to the following example:

    Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM

    Keytab File Name: /tmp/machine1.HTTP.keytab

    Kerberos Realm: ISQA.EXAMPLE.COM

    Kerberos Server Name: machine2.EXAMPLE.com

    Return Principal with Domain Name: false

    Authentication Level: 22

    Note –

    If you are using Windows 2003 or Windows 2003 Service Packs,, use the following ktpass command syntax:


    ktpass /out filename /mapuser username /princ HTTP/hostname.domainname 
     /crypto encryptiontype /rndpass /ptype principaltype /target domainname

    For example:


    ktpass /out demo.HTTP.keytab /mapuser http 
/princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM /crypto RC4-HMAC-NT 
/rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM

    For syntax definitions, see KTPASS Syntax.

  5. Restart the server.