Configuring Active Directory to use Kerberos

After you create users and systems inside an AD domain, define the Pega Platform server and configure service principal names (SPNs) for users. Kerberos uses SPNs, which uniquely identify service instances, to associate a service with a service logon account.

  1. Enter either the ktpass.exe or setspn.exe command to map the Pega Platform server and Pega Platform users to their server and client systems. On the domain controller server, which is the system on which Active Directory Domain Services (AD DS) is running, perform one of the following actions:

    Choice: Run the ktpass.exe command (for example, for a KerbServUser server account and a KerbClientUser user account)
    Actions:
    1. Open the command line.

    2. Enter the following command, where DOMAINNAME.COM is your fully qualified domain name and SERVERHOSTNAME is the name of your Pega Platform system:

      ktpass.exe /out c:\KerbServUser_SPN.keytab /mapuser KerbServUser@DOMAINNAME.COM /princ HTTP/SERVERHOSTNAME@DOMAINNAME.COM /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0

      This command creates the HTTP/SERVERHOSTNAME SPN and the C:\KerbServUser_SPN.keytab file for this SPN. The keytab file contains the SPN credentials.

      You can use the generated .keytab file to provide login credentials to Tomcat by modifying the web.xml and login.conf files. For more information, see Configuring Tomcat to enable client systems to connect to Pega Platform.

    Choice: Use the setspn.exe command to configure SPNs without using a .keytab file
    Actions:
    1. Open the command line.

    2. Enter the following commands, ensuring that all computers and users are in the same domain:

      setspn.exe -A HTTP/SERVERHOSTNAME KerbServUser
      setspn.exe -A HTTP/SERVERHOSTNAME@DOMAINNAME.COM KerbServUser
      setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM KerbServUser
      setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM@DOMAINNAME.COM KerbServUser

      Do not register an SPN to more than one user name. A user name can have more than one SPN registered, but an SPN can be mapped to only one user.
  2. Optional:

    To display the SPNs registered for a user, enter: setspn -L <user_name>

  3. Enable delegation for users by clicking Trust this user for delegation to any service (Kerberos only) in Active Directory.

  4. Configure the Kerberos policy to use AES-128 encryption on both the domain controller server and on the system running the Apache Tomcat server.

  5. Enable AES-128 encryption for the user.

    Enabling the AES-128 Kerberos group policy on the domain controller server can cause the existing infrastructure to become inoperable, because the system might be using RC4 by default. Check with your system administrators before making any changes.
    For added security, you can use AES-256 encryption. Download the Java Cryptography Extension (JCE) Unlimited Strength security libraries from the Oracle website and place them in the jre/lib/security and jdk/jre/lib/security directories. You must also change the Kerberos group policy to use AES-256 bit encryption.
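The following PowerShell script is an added example, not part of the Pega documentation, that carries out and verifies steps 1, 2, 3 and 5 above on a domain controller with the ActiveDirectory module (RSAT) installed. It refuses to register an SPN that another account already owns, lists the SPNs on the service account (the equivalent of setspn -L), and reports whether the account is trusted for delegation and whether AES-128 or AES-256 is enabled in msDS-SupportedEncryptionTypes. The names KerbServUser, SERVERHOSTNAME and DOMAINNAME.COM are the placeholders from the procedure; the $ApplyAesFix switch is an assumption of this example.

```powershell
# Added example (not Pega's own code): register the HTTP SPNs for the Pega service
# account only if they are unique, then check delegation and AES settings.
# Requires the ActiveDirectory module (RSAT) and rights to modify the account.
Import-Module ActiveDirectory

$ServiceAccount = 'KerbServUser'    # service account name from the procedure above
$ServerHost     = 'SERVERHOSTNAME'  # placeholder: Pega Platform host name
$Domain         = 'DOMAINNAME.COM'  # placeholder: fully qualified domain name
$ApplyAesFix    = $false            # hypothetical switch: set $true to enable AES on the account

# The four SPN forms registered in the setspn step of the procedure.
$Spns = @(
    "HTTP/$ServerHost",
    "HTTP/$ServerHost@$Domain",
    "HTTP/$ServerHost.$Domain",
    "HTTP/$ServerHost.$Domain@$Domain"
)

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-SpnOwner {
    param([string]$Spn)
    # Returns the sAMAccountName of every user or computer object carrying this SPN.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

foreach ($spn in $Spns) {
    $owners = @(Get-SpnOwner -Spn $spn)
    if ($owners.Count -eq 0) {
        Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $spn }
        Write-Output "Registered $spn to $ServiceAccount"
    }
    elseif ($owners.Count -eq 1 -and $owners[0] -eq $ServiceAccount) {
        Write-Output "$spn is already registered to $ServiceAccount"
    }
    else {
        # A duplicate SPN leaves the KDC unable to choose a key, so the service
        # stops authenticating; refuse instead of creating the second mapping.
        Write-Warning "$spn is already owned by $($owners -join ', '); not adding it"
    }
}

# Equivalent of 'setspn -L KerbServUser' plus the checks for steps 3 and 5.
$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties servicePrincipalName, TrustedForDelegation, 'msDS-SupportedEncryptionTypes'

Write-Output "SPNs registered for ${ServiceAccount}:"
$acct.servicePrincipalName | ForEach-Object { Write-Output "  $_" }

if ($acct.TrustedForDelegation) {
    Write-Output "Delegation: trusted for delegation to any service (step 3 done)"
} else {
    Write-Warning "Delegation: not enabled; complete step 3 in Active Directory Users and Computers"
}

# [int]$null evaluates to 0, which means the attribute is unset and the domain
# default applies (historically RC4).
$enc = [int]$acct.'msDS-SupportedEncryptionTypes'
if ($enc -band $AES256)      { Write-Output "Encryption: AES-256 enabled" }
elseif ($enc -band $AES128)  { Write-Output "Encryption: AES-128 enabled" }
else {
    Write-Warning "Encryption: no AES type set on the account (RC4 allowed: $([bool]($enc -band $RC4)))"
    if ($ApplyAesFix) {
        # Only the account attribute is changed here; the Kerberos group policy on
        # the domain controller and the Tomcat host (step 4) must still be updated.
        Set-ADUser -Identity $ServiceAccount -KerberosEncryptionType AES128, AES256
        Write-Output "Set msDS-SupportedEncryptionTypes to AES128+AES256 on $ServiceAccount"
    }
}
```

Run it once after creating the service account and again after any change to the account, and treat a duplicate-owner warning as a blocker: the KDC issues tickets encrypted with one account's key, so an SPN mapped to two accounts fails for clients of at least one of them. Because enabling AES on the account does not by itself change the domain controller or Tomcat policy, the $ApplyAesFix branch is left off by default; turn it on only after the policy change from step 4 has been coordinated as the caution above describes.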
