...
Before you configure your environment for Kerberos, it is useful to understand how browser users are authenticated with Kerberos. The steps below follow one request from the browser deciding to use Kerberos to the user being logged in:
First, the browser decides whether Kerberos should be enabled for the given site; see our browser configuration guide. If Kerberos is not enabled in the browser for that site, you will see the regular username/password dialog instead, even if everything on the server side is set up correctly.
Your browser needs to determine the canonical DNS name of your site. If issues.example.com is an A record, then that is also the canonical name of the site. However, issues.example.com can also be a CNAME alias for a different host, say server123.example.com. In that case, server123.example.com is the canonical name of the site. Use the nslookup command on the site's host name to check which case applies: nslookup reports a CNAME as an alias and prints the A record it points to. As another example, suppose nslookup shows that issues.example.com is an A record (so it is its own canonical name), while documentation.example.com is a CNAME alias pointing to the A record wiki.example.com. If you want to create a keytab for the site https://documentation.example.com, you then use wiki.example.com as the canonical name. This matters because the browser requests a ticket for the canonical name, so a keytab issued for documentation.example.com would not match the ticket the browser presents.
...
The Service Principal Name (SPN) of a site is always of the form HTTP/canonical-name@REALM. The service class is HTTP for both http:// and https:// sites, and the port is not part of the SPN. The Realm is the Active Directory domain name in dot-separated, uppercase format, e.g. EXAMPLE.LOCAL. With the canonical name issues.example.com and a realm of EXAMPLE.LOCAL, the Service Principal Name is HTTP/issues.example.com@EXAMPLE.LOCAL.
Your browser now sends a request to Active Directory (acting as the Kerberos KDC), asking for a service ticket for HTTP/issues.example.com@EXAMPLE.LOCAL. Active Directory searches the EXAMPLE.LOCAL domain for an account with a servicePrincipalName attribute of HTTP/issues.example.com. If exactly one account is found with this SPN, a service ticket is issued to the client. If no account has the SPN, or if two accounts have it (a duplicate SPN), no ticket is issued and the browser falls back to NTLM or the username/password dialog; on a domain-joined Windows machine, setspn -Q HTTP/issues.example.com shows which account holds the SPN and setspn -X lists duplicates across the domain.
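The three steps above (canonical name, SPN, single-account lookup) as one worked example. This is an added illustration, not code from this page or from Kantega SSO Enterprise: the DNS zone and the list of Active Directory accounts are constructed stand-ins for what nslookup and setspn would return, and the example assumes, as Active Directory does, that SPN values are matched case-insensitively. The function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed DNS zone standing in for nslookup answers (example data, not a real zone).
ZONE = {
    "issues.example.com.": ("A", "10.0.0.10"),
    "documentation.example.com.": ("CNAME", "wiki.example.com."),
    "wiki.example.com.": ("A", "10.0.0.20"),
    "intranet.example.com.": ("A", "10.0.0.30"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

# Constructed AD accounts with their servicePrincipalName values (example data).
# svc-old-wiki deliberately duplicates the wiki SPN to show the failure case.
ACCOUNTS = [
    {"sAMAccountName": "svc-jira", "servicePrincipalName": ["HTTP/issues.example.com"]},
    {"sAMAccountName": "svc-wiki", "servicePrincipalName": ["HTTP/wiki.example.com"]},
    {"sAMAccountName": "svc-old-wiki", "servicePrincipalName": ["HTTP/wiki.example.com", "HTTP/wiki"]},
]


def canonical_name(host, zone=ZONE, max_hops=8):
    """Follow CNAME aliases until an A record is reached and return that name.
    Raises ValueError for unknown names and for CNAME chains that loop."""
    name = host.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return name.rstrip(".")
        if rtype != "CNAME":
            raise ValueError(f"no A or CNAME record for {name}")
        name = value.lower()
    raise ValueError(f"CNAME chain from {host} is too long or loops")


def service_principal_name(url, realm):
    """HTTP/<canonical name>@<REALM>: same service class for http and https, no port."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return f"HTTP/{canonical_name(host)}@{realm.upper()}"


def accounts_holding(spn, accounts=ACCOUNTS):
    """Mimic the KDC search: the realm is stripped and the SPN compared case-insensitively."""
    bare = spn.split("@", 1)[0].lower()
    return [a["sAMAccountName"] for a in accounts
            if any(s.lower() == bare for s in a["servicePrincipalName"])]


def kdc_lookup(url, realm, accounts=ACCOUNTS):
    """Mirror the KDC decision: exactly one holder -> ticket; zero or several -> no ticket."""
    spn = service_principal_name(url, realm)
    holders = accounts_holding(spn, accounts)
    if len(holders) == 1:
        return {"spn": spn, "ticket": True, "account": holders[0], "reason": "ok"}
    reason = "no account has this SPN" if not holders else "duplicate SPN on " + ", ".join(holders)
    return {"spn": spn, "ticket": False, "account": None, "reason": reason}


if __name__ == "__main__":
    for site in ("https://issues.example.com/browse/ABC-1",
                 "https://documentation.example.com/wiki",
                 "https://intranet.example.com/"):
        print(kdc_lookup(site, "example.local"))
```

Running it shows the three outcomes a practitioner meets in practice: issues.example.com gets a ticket from svc-jira; documentation.example.com resolves to wiki.example.com whose SPN is held by two accounts, so no ticket; intranet.example.com has no SPN registered at all. The CNAME-loop entries are there only to show that canonical name resolution must be bounded.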
The browser wraps the Kerberos service ticket in a SPNEGO token and sends it to the site in the Authorization: Negotiate HTTP header, in response to the site's WWW-Authenticate: Negotiate challenge. Kantega SSO Enterprise decodes and parses the token and verifies the service ticket against the configured keytab file, which therefore has to contain the key for the same SPN the ticket was issued for. If the Kerberos ticket is valid, the user name is extracted from it, an account is looked up in the product using any configured User Directories, and the user is logged in. If the browser could not obtain a ticket, the same header carries an NTLM message instead, which is not a Kerberos login.
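What the site sees at this last step, as an added example that is not code from this page or from Kantega SSO Enterprise: a small parser for the Authorization: Negotiate header value that tells a SPNEGO token offering Kerberos apart from the NTLM fallback a browser sends when it has no ticket. The header values are constructed inside the block (the mechToken that would hold the real AP-REQ is a dummy byte, and the ticket itself is not decoded); the DER framing and OIDs are the standard GSS-API/SPNEGO ones, and the function names are hypothetical.

```python
import base64

# DER-encoded OID values (without tag and length) that appear in GSS-API/SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


def _der_tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, i):
    """Decode the TLV starting at buf[i]; return (tag, body, index after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, buf[i:i + n], i + n


def inspect_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as kerberos, spnego, ntlm or
    unknown, and list the mechTypes a SPNEGO NegTokenInit offers. Ticket contents are not decoded."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("expected 'Negotiate <base64 token>'")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):            # raw NTLM message: no Kerberos ticket was sent
        return {"kind": "ntlm", "mechTypes": []}
    if not tok or tok[0] != 0x60:                 # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechTypes": []}
    _, body, _ = _read_tlv(tok, 0)
    tag, oid, i = _read_tlv(body, 0)              # thisMech OID comes first
    if tag != 0x06:
        return {"kind": "unknown", "mechTypes": []}
    if oid in (KRB5_OID, MS_KRB5_OID):            # bare Kerberos token without SPNEGO wrapper
        return {"kind": "kerberos", "mechTypes": [OID_NAMES[oid]]}
    if oid != SPNEGO_OID:
        return {"kind": "unknown", "mechTypes": []}
    tag, neg, _ = _read_tlv(body, i)
    mechs = []
    if tag == 0xA0:                               # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] ... }
        _, seq, _ = _read_tlv(neg, 0)
        tag, field, _ = _read_tlv(seq, 0)
        if tag == 0xA0:
            _, lst, _ = _read_tlv(field, 0)       # SEQUENCE OF MechType
            j = 0
            while j < len(lst):
                _, o, j = _read_tlv(lst, j)
                mechs.append(OID_NAMES.get(o, "oid:" + o.hex()))
    return {"kind": "spnego", "mechTypes": mechs}


def kerberos_offered(header_value):
    """True when the client presented a Kerberos token or offered Kerberos inside SPNEGO."""
    r = inspect_negotiate(header_value)
    return r["kind"] == "kerberos" or (
        r["kind"] == "spnego" and any(m.endswith("Kerberos V5") for m in r["mechTypes"]))


def build_spnego_init(mech_oids, mech_token=b"\x00"):
    """Constructed test data: a minimal NegTokenInit with the given mechTypes and a dummy mechToken."""
    mech_types = _der_tlv(0x30, b"".join(_der_tlv(0x06, o) for o in mech_oids))
    seq = _der_tlv(0x30, _der_tlv(0xA0, mech_types) + _der_tlv(0xA2, _der_tlv(0x04, mech_token)))
    return _der_tlv(0x60, _der_tlv(0x06, SPNEGO_OID) + _der_tlv(0xA0, seq))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed headers: what a browser with a ticket sends (Windows clients list MS KRB5 first),
# and the NTLM type 1 message a browser falls back to when it could not get a ticket.
KERBEROS_HEADER = _header(build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]))
NTLM_HEADER = _header(b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x00" * 28)

if __name__ == "__main__":
    for h in (KERBEROS_HEADER, NTLM_HEADER):
        print(inspect_negotiate(h), "kerberos" if kerberos_offered(h) else "NO KERBEROS")
```

A header whose token starts with NTLMSSP, or whose SPNEGO mechTypes contain only NTLMSSP, means the browser never obtained a service ticket, so the fault lies in the earlier steps (browser configuration, canonical name, SPN or duplicate SPN) rather than in the keytab check; an SPNEGO token that does offer Kerberos but still fails verification points at a keytab that does not match the SPN or the account's current key version.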