Kerberos prerequisites

In AX-3.8, one of the new features introduced with the LdapV3ADUserService and LdapV3UserService is the ability to use Kerberos authentication for an LDAP user to log into a station. Kerberos is a widely-used authentication protocol, and helps keep your credentials and station safe. It allows for a “single sign on” (SSO) environment, such that your initial sign-on to your local machine results in a “ticket” automatically used to access other system resources, without need for further sign on (supplying credentials).

Note: Single sign-on Kerberos access is available to a station running on a Windows-based host, but user credentials are still required when accessing any Kerberos-configured station running on a (QNX-based) “Hotspot” JACE host when using a browser. For more details, see Browser access via Kerberos. In addition, note that older JACE platforms using the “J9 Java VM” (JACE-2/4/5 series) do not support Kerberos authentication. You must configure their station to authenticate directly to the LDAP server or Active Directory server, using the “SimpleAuthenticator” component.

Kerberos uses a slightly different setup than other LDAPv3 features, and it is more complicated to configure.

In order to prepare for Kerberos authentication, follow this high-level process:

  1. Contact your Kerberos administrator and get the following information:

    • Kerberos realm name (should be in UPPERCASE).

    • Key Distribution Center URL.

    • Ask your administrator to set up a service name for your station. This should be in the form:

      http/somename.domain.com

      where domain.com is your realm, and somename is the name by which you will access your station via the browser.

      This account must be trusted for delegation (the admin can set this up). If you are not planning for Kerberos authentication via the browser, you can use a regular username (not a service).

    • Get either a keytab file or else a password for the service or user obtained above. Services typically require a keytab file, whereas users typically use a password.

    Related details are in the “Configuring the Kerberos Authenticator component” section.

  2. Set up your PC for Kerberos authentication. See the Additional Kerberos client-side setup section for more details.

    • If you plan on logging in through Workbench, set up your krb5.conf file to include the line “forwardable=true”.

    • If you are using Windows and would like to use your native Kerberos ticket, set your Windows registry AllowTgtSessionKey value to 1.

    • If you will be logging in to Kerberos using a browser, set up your browser(s) for Kerberos authentication. See the “Kerberos via the browser” appendix for more details on configuring different browsers.

  3. Set up your station to use Kerberos.
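The following is an added example, not part of the original documentation or Tridium's own code. It renders a minimal krb5.conf from the values step 1 asks you to collect and then checks the two client-side settings this section calls for (an UPPERCASE realm and forwardable=true), plus the http/somename.domain.com form of the station's service name from step 1. The realm, KDC host and service name below are constructed placeholders; the krb5.conf layout ([libdefaults], [realms], [domain_realm]) is the standard MIT/Java format, and the parser is a small purpose-built one rather than any library's.

```python
"""Render a minimal krb5.conf and check the settings this section requires.

Added example, not Tridium's code. Sample values are constructed placeholders;
replace them with what your Kerberos administrator gives you.
"""
import re

SAMPLE_REALM = "DOMAIN.COM"                  # constructed; realm must be UPPERCASE
SAMPLE_KDC = "kdc.domain.com"                # constructed Key Distribution Center host
SAMPLE_SERVICE = "http/somename.domain.com"  # constructed station service name


def render_krb5_conf(realm, kdc, forwardable=True):
    """Return krb5.conf text with default_realm, forwardable, and a KDC for the realm."""
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        f"    forwardable = {'true' if forwardable else 'false'}\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc}\n"
        "    }\n"
        "\n"
        "[domain_realm]\n"
        f"    .{realm.lower()} = {realm}\n"
        f"    {realm.lower()} = {realm}\n"
    )


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    A 'NAME = { ... }' block (as used under [realms]) becomes a nested dict.
    Comments starting with '#' or ';' are ignored; a repeated key keeps its last value.
    """
    sections = {}
    section = None
    block = None  # name of the '{ ... }' block we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            sections[section][key] = {}
        elif block:
            sections[section][block][key] = value
        else:
            sections[section][key] = value
    return sections


def check_krb5_conf(text):
    """Return findings for a krb5.conf; an empty list means it passes the checks."""
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is missing")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not UPPERCASE")
    if libdefaults.get("forwardable", "").lower() != "true":
        findings.append("libdefaults: forwardable = true is missing (needed for Workbench login)")
    realm_block = conf.get("realms", {}).get(realm, {}) if realm else {}
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        findings.append(f"realms: no kdc entry for {realm!r}")
    return findings


def check_service_name(service, realm):
    """Check the service name is http/<host>.<domain> with <domain> matching the realm."""
    m = re.fullmatch(r"http/([^/@\s]+)", service)
    if not m:
        return [f"service name {service!r} is not of the form http/somename.domain.com"]
    host = m.group(1)
    if "." not in host:
        return [f"service host {host!r} has no domain part"]
    domain = host.split(".", 1)[1]
    if domain.lower() != realm.lower():
        return [f"service domain {domain!r} does not match realm {realm!r}"]
    return []


if __name__ == "__main__":
    conf_text = render_krb5_conf(SAMPLE_REALM, SAMPLE_KDC)
    print(conf_text)
    print("krb5.conf findings:", check_krb5_conf(conf_text))
    print("service name findings:", check_service_name(SAMPLE_SERVICE, SAMPLE_REALM))
```

Run it as-is to see the rendered file, or call check_krb5_conf on the contents of your own krb5.conf before pointing Workbench at it: a lowercase realm or a missing forwardable line is reported rather than discovered later as a failed ticket forward. The Windows registry change in step 2 (AllowTgtSessionKey) is separate from this file and is not covered here.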