Depending on the functional level of your domain, there are various delegation options which may be available and presented to you for configuration.
Before you can configure delegation options for these domain functional levels, you must have set up at least one SPN mapping in the account. Option choices for delegation configuration are not available in the Windows interface until a mapping has been set.
Delegation options are configured from the separate Delegation tab in the Properties pane for the service account. Options here include:
The Constrained delegation choice has further configuration sub-options to either permit the Protocol transition (S4U2Self) extension (Use any authentication protocol), or exclude it (Use Kerberos only).
Figure 8: Configuration options in Delegation tab
The Constrained delegation option requires further action: to select all the Active-Directory services and computers to which the service account is permitted to delegate. To start this process, click the Add button. An Add Services window opens, holding a list box for Available Services. Above that, a Users and Computers choice leads to a further search and selection window (Select Users or Computers).
Figure 9: Finding and adding services for delegation
The search panel Check Names button permits a “begins with...” type of name searching, while an Advanced button opens a sub-panel with more complex facilities for pattern search options.
Figure 10: Nominating a host with services to delegate to
Figure 11: Selecting a service account object for its mapped services
Select an object name in the Select Users or Computers window, and click OK.
You are returned to the Add Services window, populated with a listing of the services which are available for you to delegate to on the computer host or service account chosen. Make a selection from the Add Services list, and click OK, to return to your Delegation tab in the Properties window, where your selections have been collected in a list panel.
Figure 12: Collected services list
|
Note: If you have configured more than one SPN for a service (for example, using both a fully-qualified hostname and an unqualified hostname), the list in the panel initially displays only one instance of that service, even though both are actually selected. To view all instances selected, set the Expanded option in this window: |
Figure 13: Expanded selection of services for delegation
If you need to, you can remove one or more services from this display of selected services. When satisfied that your selected list is correct, click OK to finalize your configuration.
See the release notes (HTML) for a comprehensive list of application servers supported by Single Sign-on for Java. It is presumed here that you have installed one such server using standard procedures laid down for the server concerned.
If your application server and Active Directory are separated by a firewall, you need to open the following ports on the firewall to allow Kerberos to work properly:
Single Sign-on for Java supports two mechanisms for storing key information required to authenticate users — setting a password and using keytabs. In general, use of keytabs is to be preferred for production systems, but for ease of initial setup and evaluation, the password approach is probably more convenient.
To create a keytab file
First, generate keytab files for each service that requires authentication. This can be done with the tools included with the Single Sign-on for Java release. For more information, see Appendix: Using the JKTools.
From the bin/ directory of your Single Sign-on for Java distribution, run the jktutil tool and take the following steps:
jktutil (type '?' for help): add_entry -password -p
vsj_appservhost1@EXAMPLE.COM -k 255 -e rc4-hmac
Password for vsj_appservhost1@EXAMPLE.COM:
Note: You may use addent as an alias for add_entry. |
jktutil (type '?' for help): add_entry -password -p
vsj_appservhost1@EXAMPLE.COM -k 255 -e aes256-sha1
Password for vsj_appservhost1@EXAMPLE.COM:
jktutil (type '?' for help): add_entry -password -p
vsj_appservhost1@EXAMPLE.COM -k 255 -e aes128-sha1
Password for vsj_appservhost1@EXAMPLE.COM:
jktutil (type '?' for help): write_kt
-o vsj_appservhost1.keytab
jktutil (type '?' for help): quit
To confirm the contents of the created keytab, run the jklist tool with the arguments -e -k vsj_appservhost1.keytab. The output should look similar to this:
Keytab name: FILE:vsj_appservhost1.keytab
KVNO Principal EncType
---- --------------------------- -----------
255 vsj_appservhost1@EXAMPLE.COM rc4-hmac
255 vsj_appservhost1@EXAMPLE.COM aes256-cts-hmac-sha1-96
255 vsj_appservhost1@EXAMPLE.COM aes128-cts-hmac-sha1-96
To use the keytab file with Single Sign-on for Java
The idm.keytab parameter value should point to the keytab file you generated for this service when you set up the application server.
The new keytab contains sensitive information that could be used to subvert the security of your Single Sign-on for Java installation. Ensure that you set appropriate access permissions on this file. Do not send it over unsecured networks unencrypted.
© ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center