3.5. How to Set Up Kerberos Authentication

Follow the steps below to configure Kerberos Authentication for your Active Directory.

To get the full functionality offered by Kerberos Authentication, it is necessary to provide the credentials of a user that has 'write' access to Active Directory. This user is used to read users and delete computer entries from the directory.


Kerberos Authentication requires some specific configuration on the Active Directory server and Oracle VDI hosts prior to setting up the user directory in the Oracle VDI Manager.

  1. Kerberos authentication must be enabled in Active Directory.

    It should already be enabled as the default.

  2. Ensure that each Active Directory forest has a global catalog server.

    Configure a domain controller in each forest as a global catalog server.

  3. Set the Forest Functional Level.

    If the Domain Controller is running on Microsoft Windows Server 2008 R2, the Forest Functional Level must be set to Windows Server 2008 or Windows Server 2008 R2 (instead of the value used by default, Windows Server 2003). Refer to Microsoft documentation for more information about the Forest Functional Level.

  4. Synchronize the time between the Oracle VDI hosts and Active Directory server.

    Use Network Time Protocol (NTP) software or the rdate command to ensure the clocks on all hosts are synchronized.

    For example, use ntpdate my.windows.host

    In a production environment, it is best to use an NTP time server.

  5. Edit the system default Kerberos configuration file on the Oracle VDI hosts.

    The system default Kerberos configuration file is:

    • /etc/krb5/krb5.conf on Oracle Solaris OS platforms.

    • /etc/krb5.conf on Oracle Linux platforms.


    The capitalization of the realm names in the Kerberos configuration file is very important so make sure you respect the capitalization as indicated in the example.

    At a minimum, the Kerberos configuration file must contain the following sections:

    • [libdefaults] - this sets defaults for Kerberos authentication. You must set the default_realm.

    • [realms] - this sets the KDCs for each Kerberos realm. A realm can have more than one kdc; the port can be omitted if the default port 88 is used.

      To allow end-users to update their password (Section 6.2.4, “How to Change a User Password”), the details of the server that handles the password change for each Kerberos realm must be specified. The kpasswd_server and admin_server entries identify the Kerberos administration server that handles the password change. If kpasswd_server is omitted, the admin_server is used instead. The port can be omitted if the default port 464 is used.

      Format of a realm definition:

      REALM_NAME = {
        kdc = host:port
        kdc = host:port
        kpasswd_server = host:port
        admin_server = host:port
        kpasswd_protocol = SET_CHANGE
      }

    • [domain_realm] - this maps Active Directory domains to Kerberos realms.

      The following is an example Kerberos configuration file for a forest with a single domain:

      [libdefaults]
        default_realm = MY.COMPANY.COM

      [realms]
        MY.COMPANY.COM = {
          kdc = my.windows.host
          admin_server = my.windows.host
          kpasswd_protocol = SET_CHANGE
        }

      [domain_realm]
        .my.company.com = MY.COMPANY.COM
        my.company.com = MY.COMPANY.COM

  6. You can check that Kerberos and its name resolution requirements are configured properly by using getent, nslookup, and kinit.

    For example:

    • # getent hosts <my.windows.host> must return the IP address and the hostname

    • # getent hosts <IP_of_my.windows.host> must return the IP address and the hostname

    • # nslookup -query=any _gc._tcp.<my.company.com> must resolve the domain

    • # kinit -V <super-user@MY.COMPANY.COM> must succeed

  7. Restart the VDA Service.

    # /opt/SUNWvda/sbin/vda-service restart

  8. Configure the user directory in Oracle VDI Manager.

    1. In Oracle VDI Manager, go to Settings and then Company.

    2. In the Companies table, click New.

      The New Company wizard is displayed.

    3. On the Choose User Directory step, select Active Directory.

    4. On the Specify Connection step, configure Kerberos authentication.

      1. Select Kerberos Authentication.

      2. In the Domain field, enter the Active Directory domain name.

        For example, my.company.com.

      3. In the User Name and Password boxes, enter the user principal name of a user that has sufficient privileges to write to the Active Directory.

        For example, super-user or super-user@my.company.com.

    5. On the Define Company step, enter the company details.

      1. In the Name field, enter the name of the company.

      2. (Optional) In the E-Mail Domain Name field, enter one or more email domain names.

        Enter multiple domain names as a comma-separated list.

        If you enter an email domain, users can log in using their email address.

      3. (Optional) In the Comments field, enter any notes about the company.

    6. On the Review step, check the configuration of the company and click Finish.

      The new company is added to the Companies table.
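Steps 5 and 6 above depend on the krb5.conf file being correct before Oracle VDI ever contacts Active Directory, and the two mistakes that most often break it are a realm name in the wrong case and a domain_realm mapping that points at a realm that is not defined. The following checker is an added example, not part of the Oracle VDI documentation or product: it parses the three required sections ([libdefaults], [realms], [domain_realm]) and reports the problems the procedure warns about, including a realm with no kpasswd_server or admin_server, which would break the user password change described in step 5. The sample configuration strings are constructed from the single-domain example in this section; the hostnames and realm are the documentation's placeholders, not real systems.

```python
"""Sanity-check a krb5.conf before pointing Oracle VDI at Active Directory.

Added example (not Oracle's code). Parses the INI-like krb5.conf format
and reports the misconfigurations this procedure warns about.
"""
import re

# Constructed from the documentation's single-domain example.
GOOD_CONF = """\
[libdefaults]
    default_realm = MY.COMPANY.COM

[realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
        admin_server = my.windows.host
        kpasswd_protocol = SET_CHANGE
    }

[domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
"""

# Constructed counter-example: realm written in lower case, no admin_server.
BAD_CONF = """\
[libdefaults]
    default_realm = MY.COMPANY.COM

[realms]
    my.company.com = {
        kdc = my.windows.host
    }

[domain_realm]
    .my.company.com = MY.COMPANY.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'NAME = { ... }' block inside a
    section becomes a nested dict keyed by NAME (this is how [realms] works)."""
    sections = {}
    section = None
    block = None  # name of the currently open '{ ... }' block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f'key outside any section: {line}')
        if line == '}':
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if value == '{':
            block = key
            section.setdefault(key, {})
            continue
        target = section[block] if block else section
        target.setdefault(key, []).append(value)
    return sections


def check_krb5_conf(text):
    """Return a list of human-readable problems; an empty list means it passes."""
    conf = parse_krb5_conf(text)
    problems = [f'missing [{name}] section'
                for name in ('libdefaults', 'realms', 'domain_realm')
                if name not in conf]
    if problems:
        return problems
    realms = conf['realms']
    default = conf['libdefaults'].get('default_realm', [None])[0]
    if not default:
        problems.append('[libdefaults] has no default_realm')
    elif default not in realms:
        problems.append(f'default_realm {default} is not defined in [realms]')
    for realm, settings in realms.items():
        if not isinstance(settings, dict):
            problems.append(f'realm {realm} is not a {{ ... }} block')
            continue
        if realm != realm.upper():  # the page stresses realm capitalization
            problems.append(f'realm name {realm!r} must be upper-case')
        if 'kdc' not in settings:
            problems.append(f'realm {realm} has no kdc entry')
        if 'kpasswd_server' not in settings and 'admin_server' not in settings:
            problems.append(f'realm {realm} has neither kpasswd_server nor '
                            'admin_server; user password change will fail')
    for domain, targets in conf['domain_realm'].items():
        for target in targets:
            if target not in realms:
                problems.append(f'domain_realm maps {domain} to undefined '
                                f'realm {target}')
    return problems


if __name__ == '__main__':
    for label, conf in (('good', GOOD_CONF), ('bad', BAD_CONF)):
        print(label, check_krb5_conf(conf) or 'OK')
```

Run it against the real file with `check_krb5_conf(open('/etc/krb5.conf').read())` (or /etc/krb5/krb5.conf on Oracle Solaris) before restarting the VDA service; it is a static check only, so the live tests in step 6 (getent, nslookup, kinit) are still needed to prove name resolution and the KDC actually work.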

More Information on Kerberos Authentication

For more information about Kerberos authentication:

3.5.1. Whitelist and Blacklist Support

Oracle VDI supports the Whitelist and Blacklist feature for Kerberos authentication. The feature is an optional set of hostname lists that can be specified for a Company, giving more fine-grained control over which Active Directory servers are queried by Oracle VDI.

The directory whitelist is a comma-separated list of Active Directory global catalog servers that are always used for LDAP queries. The order of the servers in the whitelist is important: if Oracle VDI cannot contact the first server in the list, it tries the next one. The directory blacklist is a comma-separated list of Active Directory servers that are never used for LDAP queries. The blacklist settings override the whitelist settings.

This feature can be enabled in the CLI only.