Configuration requires prerequisite Kerberos information. See the System requirements subsection: Kerberos prerequisites.
To configure the KerberosAuthenticator component
With the station open in Workbench, expand the user service in the Nav tree, then expand its ActiveDirectoryConfig or LdapConfig node to see the child authenticator.
Double-click the KerberosAuthenticator to configure its properties, as follows.

Realm
The Kerberos realm on which the LDAP server resides, usually in all UPPERCASE letters, for example “EXAMPLE.COM”. Typically, you get this information from the Kerberos administrator.
Realm Display Name
(usage optional) This field is blank by default. When accessing the station from a web browser, any text entered here replaces the “Realm” text in the lower “SSO area” of the station login dialog. For an example that matches the properties above, see Figure 15.
Key Distribution Center
Name of the Kerberos Key Distribution Center, which Kerberos users must contact to get tickets, for example “kdc.example.com”. Again, you typically get this from the Kerberos administrator. Also see the Kerberos authentication notes about DNS considerations.
Station Kerberos Name
As part of securely delegating Kerberos tickets, the station must be a user in the Kerberos database, where this field represents the station in Kerberos. If logging in only via Workbench, this user can be any user or service in the Kerberos directory.
However, if logging in via a browser, the user must be a service in the form “HTTP/serviceName.domain.com”, where “serviceName.domain.com” is how the station is to be accessed in the browser (for example, http://jacekerb1.mydomain.com).
The service name in the Station Kerberos Name omits part of the normal HTTP URL syntax, for example: http/jacekerb1.mydomain.net instead of http://jacekerb1.mydomain.net.
You may need to ask the Kerberos administrator to create the service for you in the Kerberos database.
Station Kerberos Password
The password for the Kerberos station user specified by the “Station Kerberos Name”. If using a keytab file, you can leave this blank (default).
KeyTab Location
Kerberos services typically do not use a password to authenticate. Instead, they use a file containing a key table (keytab file). If you want authentication from a web browser, you must specify an associated service in the “Station Kerberos Name” property, and reference a keytab file supplied by the Kerberos administrator.
Copy that keytab file to a secure location on the NiagaraAX platform, somewhere under the station’s file space, for example the root of the station’s file space. Then, in this KeyTab Location property field, use the File Ord Chooser to browse to the file and select it. Again, if using a keytab, you can leave the “Station Kerberos Password” property value blank (default).
Kerberos is very particular about names. You must enter the station name in the “Station Kerberos Name” property exactly as it appears in the Kerberos database. Upper/lowercase can sometimes be an issue, so make sure you have an exact match.
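The Python check below is an added illustration of the two rules above, not part of the NiagaraAX product or of this document. It derives the service principal a browser will request from the URL used to reach the station and reports how an entered Station Kerberos Name departs from it (URL scheme, port, trailing slash, wrong host, or letter case). The station URL, realm and entered names are constructed assumptions; the check cannot know what the Kerberos database actually contains, so a name that passes still has to be confirmed against that database.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed example values (assumptions for this illustration, not values
# supplied by a Kerberos administrator): the URL used to reach the station
# in a browser and the realm it belongs to.
STATION_URL = "http://jacekerb1.mydomain.com"
REALM = "EXAMPLE.COM"


def derive_station_kerberos_name(station_url: str, realm: Optional[str] = None) -> str:
    """Build the service principal a browser requests for a station URL.

    The browser asks for HTTP/<host>, where <host> is the host part of the
    URL only: scheme, port and path are dropped. The @REALM suffix is
    optional; add it only if the Kerberos database lists the principal so.
    """
    parts = urlsplit(station_url if "//" in station_url else "//" + station_url)
    # netloc keeps the host's letter case as typed (.hostname would lowercase it)
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    if not host:
        raise ValueError(f"no host name in {station_url!r}")
    name = f"HTTP/{host}"
    if realm:
        name += f"@{realm.upper()}"
    return name


def check_station_kerberos_name(entered: str, station_url: str) -> List[str]:
    """List the ways an entered Station Kerberos Name departs from HTTP/<host>.

    An empty list means the entered value (ignoring an @REALM suffix) is
    exactly the name a browser will request for station_url. The Kerberos
    database remains the authority: a name that passes here must still match
    the database entry character for character.
    """
    expected = derive_station_kerberos_name(station_url)
    expected_host = expected.split("/", 1)[1]
    problems: List[str] = []
    bare = entered.split("@", 1)[0]  # an @REALM suffix is permitted
    if bare == expected:
        return problems
    if "://" in bare:
        problems.append("contains a URL scheme ('://'); the form is HTTP/host, not http://host")
        bare = bare.replace("://", "/", 1)
    service, sep, host = bare.partition("/")
    if not sep or not host.strip("/"):
        problems.append("has no '/host' part; the form is HTTP/serviceName.domain.com")
        return problems
    if host.endswith("/"):
        problems.append("ends with '/'; the name ends with the host name, with no path")
        host = host.rstrip("/")
    if ":" in host:
        problems.append("includes a port; the service principal carries none")
        host = host.split(":", 1)[0]
    if host.lower() != expected_host.lower():
        problems.append(f"host {host!r} is not the station URL's host {expected_host!r}")
    elif service.upper() != "HTTP":
        problems.append(f"service class {service!r} will not match; browsers request HTTP/{expected_host}")
    elif (service, host) != ("HTTP", expected_host):
        problems.append("differs from HTTP/host only in letter case; check the exact spelling in the Kerberos database")
    return problems


if __name__ == "__main__":
    print(derive_station_kerberos_name(STATION_URL, REALM))
    for candidate in ("HTTP/jacekerb1.mydomain.com", "http://jacekerb1.mydomain.com"):
        print(candidate, "->", check_station_kerberos_name(candidate, STATION_URL) or "ok")
```

Run it with the URL your users will type into the browser; each reported problem names the part of the entered value that a browser-requested ticket would not match.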
Kerberos uses “reverse DNS” to find the referenced Key Distribution Center. Therefore, it is essential to have a reverse DNS entry on both the client and station’s DNS servers.
Otherwise, you will not be able to acquire Kerberos tickets, and you will not be able to log in. Contact the IT administrator to see if the appropriate entry exists on the server.
As an alternative to having a proper reverse DNS entry, you may also configure the hosts file on client PCs and station host(s) to map the IP address of the Key Distribution Center to its name. For example, if the Key Distribution Center’s name is kdc.domain.net, and its IP address is 123.156.78.90, add the following line to the hosts file:

123.156.78.90 kdc.domain.net

On Windows PCs, the hosts file is located at C:\Windows\System32\drivers\etc\hosts and on Linux hosts at /etc/hosts. On JACE platforms, use the platform TCP/IP Configuration view (or the equivalent view on the station’s TcpIpPlatformService) to access and edit the hosts file.

Finally, while modifying the hosts file is simple enough for a single station, and can be useful for testing your Kerberos setup, this approach can be tedious when dealing with multiple stations and multiple client machines. Setting up DNS servers with reverse DNS entries is the best option, if available.
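As an added example that is not part of the original documentation, the Python below parses hosts-file content of the kind described above, reports whether a Key Distribution Center name and address are mapped to each other in it (both the name-to-address and the address-to-name direction), flags a stale entry that points the name at a different address, and produces the line to add when the mapping is absent. The hosts content is constructed for the example; the KDC name and address are the ones used above.

```python
import ipaddress

# Constructed hosts-file content for this example (not any real host's file).
# Real hosts files contain comments, blank lines, IPv6 entries and several
# aliases per line, so the parser has to cope with all of them.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
::1             localhost ip6-localhost

123.156.78.90   kdc.domain.net kdc    # Kerberos KDC (address from the example above)
10.0.0.25       jacekerb1.mydomain.net
"""

KDC_NAME = "kdc.domain.net"   # name used in the example above
KDC_IP = "123.156.78.90"      # address used in the example above


def parse_hosts(text):
    """Return (ip, [name, alias, ...]) for every data line in a hosts file.

    Text after '#' and blank lines are ignored; a line without at least one
    name is skipped rather than treated as an error.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def _same_ip(a, b):
    """Compare two address strings as addresses, so 001.2.3.4-style variants match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def ips_for_name(text, name):
    """All addresses the hosts file maps a name to (names compare case-insensitively)."""
    wanted = name.lower()
    return [ip for ip, names in parse_hosts(text)
            if wanted in (n.lower() for n in names)]


def names_for_ip(text, ip):
    """All names the hosts file lists for an address (the 'reverse' direction)."""
    return [n for entry_ip, names in parse_hosts(text)
            if _same_ip(entry_ip, ip) for n in names]


def check_kdc_hosts_entry(text, kdc_name, kdc_ip):
    """Report whether kdc_name <-> kdc_ip is present in the hosts file.

    Returns a dict with:
      ok          - True when the name maps to the address and the address
                    lists the name
      conflicts   - other addresses the name currently maps to (a stale
                    entry would send clients to the wrong KDC)
      line_to_add - the hosts line to append when the mapping is absent
    """
    ipaddress.ip_address(kdc_ip)  # reject a mistyped address before anything else
    forward = ips_for_name(text, kdc_name)
    reverse = [n.lower() for n in names_for_ip(text, kdc_ip)]
    ok = any(_same_ip(ip, kdc_ip) for ip in forward) and kdc_name.lower() in reverse
    return {
        "ok": ok,
        "conflicts": [ip for ip in forward if not _same_ip(ip, kdc_ip)],
        "line_to_add": None if ok else f"{kdc_ip} {kdc_name}",
    }


if __name__ == "__main__":
    print(check_kdc_hosts_entry(SAMPLE_HOSTS, KDC_NAME, KDC_IP))
    print(check_kdc_hosts_entry(SAMPLE_HOSTS, KDC_NAME, "123.156.78.99"))
```

To run it against a real machine, read the hosts file named above into `text` instead of `SAMPLE_HOSTS`; a non-empty `conflicts` list is the case worth looking at first, since a leftover line for an old KDC address silently overrides DNS on that host.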
Login access to a Kerberos/LDAP station typically presents a different login dialog than when using the regular UserService. For operation details, see Kerberos and NiagaraAX login operation.
Copyright © 2000-2016 Tridium Inc. All rights reserved.