Configuring Active Directory to use Kerberos
After you create users and systems inside an AD domain, define the Pega Platform server and configure service principal names (SPNs) for users. Kerberos uses SPNs, which uniquely identify service instances, to associate a service with a service logon account.
Use either the ktpass.exe command or the setspn.exe command to map the Pega Platform server and Pega Platform users to their server and client systems. On the domain controller, which is the system on which Active Directory Domain Services (AD DS) is running, perform one of the following actions:
Choice 1: Run the ktpass.exe command (for example, for a KerbServUser service account and a KerbClientUser user).
1. Open the command line.
2. Enter the following command, where DOMAINNAME.COM is your fully qualified domain name, SERVERHOSTNAME is the name of your Pega Platform system, and password is the password to set on the KerbServUser account:

    ktpass.exe /out c:\KerbServUser_SPN.keytab /mapuser KerbServUser@DOMAINNAME.COM /princ HTTP/SERVERHOSTNAME@DOMAINNAME.COM /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0

This command registers the HTTP/SERVERHOSTNAME SPN on the KerbServUser account and writes the C:\KerbServUser_SPN.keytab file for that SPN. The keytab file contains the long-term keys for the SPN, so treat it as you would a password: restrict its file permissions to the account that runs Tomcat and keep it out of source control and shared folders. Note also that ktpass.exe sets the password of the mapped account to the value given in /pass, so the account's existing password is replaced.

You can use the generated .keytab file to provide login credentials to Tomcat by modifying the login.conf file. For more information, see Configuring Tomcat to enable client systems to connect to Pega Platform.
Choice 2: Use the setspn.exe command to configure SPNs without using a .keytab file.
1. Open the command line.
2. Enter the following commands, ensuring that all computers and users are in the same domain:

    Setspn.exe -A HTTP/SERVERHOSTNAME KerbServUser
    Setspn.exe -A HTTP/SERVERHOSTNAME@DOMAINNAME.COM KerbServUser
    Setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM KerbServUser
    Setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM@DOMAINNAME.COM KerbServUser

Do not register an SPN to more than one user name. A user name can have more than one SPN registered, but an SPN can be mapped to only one user. The -A switch adds an SPN without checking whether it is already registered elsewhere; the -S switch adds the SPN only if no duplicate exists in the forest, and setspn.exe -X lists any duplicates that are already present.
To display the SPNs for a user, use the command:
Enable delegation for the service account by selecting Trust this user for delegation to any service (Kerberos only) on the account's Delegation tab in Active Directory Users and Computers. This setting is unconstrained delegation: the account can obtain tickets on behalf of any user who authenticates to it, for any service in the domain. Confirm with your Active Directory administrators that this level of trust is acceptable for the account before enabling it.
Configure the Kerberos policy to use AES-128 bit encryption on both the domain controller and on the system running the Apache Tomcat server, and enable AES-128 bit encryption for the service account.

Enabling the AES-128 Kerberos group policy on the domain controller can make existing infrastructure inoperable, because other systems might still be using RC4 by default. Check with your system administrators before making any changes.

For added security, you can use AES-256 encryption. On Java releases earlier than 8u161, download the Java Cryptography Extension (JCE) Unlimited Strength security libraries from the Oracle website and place them in the jre/lib/security and jdk/jre/lib/security directories; from Java 8u161 onward the unlimited cryptographic policy is the default and no download is needed. You must also change the Kerberos group policy to use AES-256 bit encryption.
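The following script is an added example and is not part of the Pega documentation or the Pega Platform installation. It carries out the setspn.exe choice above together with the delegation and encryption steps, and adds the checks a practitioner wants around them: it refuses to register an SPN that is already mapped to a different account, uses setspn.exe -S so the directory re-checks for duplicates, and then reads the account back to verify the SPNs, the delegation flag, and the AES encryption types. It assumes it is run on the domain controller by a domain administrator with the ActiveDirectory PowerShell module (part of RSAT) installed, and it reuses the placeholder names KerbServUser, SERVERHOSTNAME and DOMAINNAME.COM from this page.

```powershell
# Added example, not Pega code. Assumes: run on the domain controller as a domain
# administrator, ActiveDirectory module available, and the page's placeholder names.
Import-Module ActiveDirectory

$Account  = 'KerbServUser'      # service logon account for the Pega Platform server
$PegaHost = 'SERVERHOSTNAME'    # host name of the Pega Platform (Tomcat) system
$Realm    = 'DOMAINNAME.COM'    # fully qualified AD domain name

# The four SPN forms the page registers: short and FQDN host, with and without realm.
$Spns = @(
    "HTTP/$PegaHost",
    "HTTP/$PegaHost@$Realm",
    "HTTP/$PegaHost.$Realm",
    "HTTP/$PegaHost.$Realm@$Realm"
)

# 1. Pre-check: an SPN may be mapped to only one account. Query the directory for
#    any object that already carries each SPN and stop if it belongs to someone else.
foreach ($spn in $Spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    foreach ($owner in $owners) {
        if ($owner.sAMAccountName -ne $Account) {
            throw "SPN $spn is already registered to $($owner.sAMAccountName); remove it there first (setspn.exe -D)."
        }
    }
}

# 2. Register the SPNs. -S (rather than the page's -A) makes setspn.exe re-check the
#    forest for duplicates immediately before adding, so a concurrent change still fails safe.
foreach ($spn in $Spns) {
    setspn.exe -S $spn $Account | Out-Null
}

# 3. Delegation and encryption types. TrustedForDelegation is the attribute behind the
#    "Trust this user for delegation to any service (Kerberos only)" checkbox (unconstrained
#    delegation). KerberosEncryptionType writes msDS-SupportedEncryptionTypes so the KDC
#    issues AES service tickets for this account instead of falling back to RC4.
Set-ADAccountControl -Identity $Account -TrustedForDelegation $true
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# 4. Verify by reading the account back (the same data setspn.exe -L $Account shows for SPNs).
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, TrustedForDelegation
$missing = $Spns | Where-Object { $u.servicePrincipalName -notcontains $_ }
if ($missing) {
    throw "SPNs not registered on $Account : $($missing -join ', ')"
}

# msDS-SupportedEncryptionTypes is a bit mask: RC4 = 4, AES128 = 8, AES256 = 16.
# After step 3 the value should be 24 (AES128 + AES256) with the RC4 bit clear.
$encTypes = [int]$u.'msDS-SupportedEncryptionTypes'
if (($encTypes -band 4) -ne 0) {
    Write-Warning "RC4 is still enabled for $Account (msDS-SupportedEncryptionTypes = $encTypes)"
}

"Account:                        $($u.SamAccountName)"
"SPNs:                           $($u.servicePrincipalName -join ', ')"
"TrustedForDelegation:           $($u.TrustedForDelegation)"
"msDS-SupportedEncryptionTypes:  $encTypes"
```

Run the script once per Pega Platform host. If the pre-check throws, inspect the conflicting account with setspn.exe -L before deleting anything: a duplicate HTTP SPN often means another web application on the same host name is already using Kerberos, and removing its SPN will break that application rather than fix this one. The encryption-type warning is the account-level half of the AES step above; the domain controller's Kerberos group policy and the Tomcat host's Kerberos configuration must allow the same types for tickets to be issued and accepted.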
- Configuring Tomcat to enable client systems to connect to Pega Platform
Configure Tomcat with SPNEGO libraries so that client systems can connect to Pega Platform.