Kerberos Authentication

Mindbreeze InSpire

Copyright © Mindbreeze GmbH, A-4020 Linz, 2017.

All rights reserved. All hardware and software names are brand names and/or trademarks of their respective manufacturers.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes or other protected rights. The dissemination, publication or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Introduction

Kerberos authentication can be used in the following scenarios:

  • A connector works as a Kerberos user. See section "Connector authentication with Kerberos"
  • Users can log in as Kerberos users when searching. See section "Client authentication with Kerberos"

The following requirements need to be fulfilled:

Requirements

Connector authentication with Kerberos

For Kerberos-based authentication with Active Directory, you must create a user in the Active Directory who has the correct permissions for the data source (see documentation for the respective connector).

Client authentication with Kerberos

For Kerberos-based authentication with Active Directory, you must create a service user in Active Directory, for example mindbreeze.service. Please make sure that the following requirements are fulfilled:

  • The user exists in Active Directory
  • The user is registered with the Service Principal Name HTTP/<fully qualified hostname for Mindbreeze InSpire>
  • As Active Directory Domain Administrator, you can set the Service Principal Name in a Windows prompt with the following command:

setspn -s HTTP/<fully qualified hostname for Mindbreeze InSpire> <domain>\<mindbreeze.service>

Example:

setspn -s HTTP/search.firmenname.com firmenname\mindbreeze.service

Configuration

General

You can find the Kerberos configuration in the Management Center under “Setup”, “Kerberos”.

You need to create a Kerberos configuration if it does not already exist.

To do this, you have the following options:

  • Automatic determination of the configuration using “Detect Config”
  • Manual configuration

If you would like to use the option for automatic determination of the configuration, click "Detect Config", which uses the DNS settings of the operating system to determine the "REALM", "Domain Controller KDC" and "DNS Domain".

Requirements for the automatic determination of the configuration:

  • Hostname can be resolved via DNS (forward and reverse lookup)

For manual configuration, the following settings need to be made:

  • “REALM”: Realm of the domain, usually the domain name in uppercase
  • “Domain Controller/KDC”: Domain controller or Kerberos server (KDC) to be used
  • “DNS Domain”: DNS domain name

Then click "Save Config" to save the Kerberos configuration.

Various verification steps are performed during saving. If errors occur, the properties involved will be marked in red and the system outputs the corresponding error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Save Config" again.

If everything is saved correctly, two new sections will appear below:

  • Generate “Connector” Keytab
  • Generate “Search Client” Keytab

Connector authentication with Kerberos

After the Kerberos configuration has been successfully saved, expand the "Generate ‘Connector’ Keytab" section. Now specify the login data for the user with whom the connector is going to work. In the "Service User" property, specify the full user name and enter the corresponding password in the "Password" property.

Then click on "Generate Keytab".

Various verification steps are performed during the generation. If errors occur, the properties involved will be marked in red and the system outputs the corresponding error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Generate Keytab" again.

If the data is correct, a new section “‘Connector’ Keytab” appears below.

The entries in the keytab are displayed in a table. To download the keytab file, click "Download Keytab File". Make a note of the "Principal" name (user name) as this name will be required later.

Then switch to the "Configuration" section in the Management Center and select the "Authentication" tab. Select the downloaded keytab file and click "Upload".

After successfully uploading, the keytab file appears in the Available Keytabs list.

Then, in the "Setup Kerberos Authentication" section, select the desired keytab file for the connector, and enter the principal name that you previously noted.

Then save the configuration and restart.

Client authentication with Kerberos

After the Kerberos configuration has been saved successfully, expand the "Generate ‘Search Client’ Keytab" section. Under “Client hostname”, enter the hostname that you want to use for the client service. Now enter the login data for the service user. In the "Service User" property, specify the full user name and enter the corresponding password in the "Password" property.

Then click "Generate Keytab".

During the generation, various verification steps are executed. If errors occur, the respective properties are colored red and the system outputs relevant error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Generate Keytab" again.

If the data is correct, a new section “‘Search Client’ Keytab” appears below.

The entries in the keytab are displayed in a table. To download the keytab file, click "Download Keytab File". Note the "Principal" name (beginning with "HTTP/"), which is required later.

Then change to the "Configuration" section in the Management Center and select the "Authentication" tab. Select the downloaded keytab file and click "Upload".

After successfully uploading, the keytab file appears in the Available Keytabs list.

Then, in the "Kerberos Authentication" section, select the desired keytab file for the client service and enter the principal name that you previously noted.

Then save the configuration and restart.
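Before uploading a downloaded keytab, it is worth confirming that it actually carries the “HTTP/<hostname>@REALM” principal noted above (for the search client) or the connector user's principal. The following is an added example, not Mindbreeze code: a minimal parser for the MIT keytab file format (version 0x0502), run here against a constructed sample keytab whose hostname and realm are taken from the setspn example in this document; the realm FIRMENNAME.COM is an assumed value.

```python
import struct

def _cstr(buf, pos):
    """Read a counted octet string (uint16 length + bytes) at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def keytab_principals(data):
    """Return 'comp1/comp2@REALM' for every live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size = deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm not counted in v2
        realm, p = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _cstr(data, p)
            comps.append(comp)
        # name_type, timestamp, vno8 and the key block follow; not needed here
        principals.append("/".join(comps) + "@" + realm)
        pos = end
    return principals

def check_keytab(data, fqdn, realm):
    """True if the keytab holds the HTTP/<fqdn>@<REALM> entry the search client needs."""
    return f"HTTP/{fqdn}@{realm}" in keytab_principals(data)

def build_keytab(entries):
    """Build a keytab from (realm, components, enctype, key); only for the offline sample."""
    out = b"\x05\x02"
    for realm, comps, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIB", 1, 0, 1)          # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: principal from the setspn example, enctype 18 (AES256), dummy key bytes
SAMPLE = build_keytab([("FIRMENNAME.COM", ["HTTP", "search.firmenname.com"], 18, b"\x00" * 32)])
```

For a real file, pass `open("search-client.keytab", "rb").read()` to `check_keytab` together with the hostname entered under “Client hostname” and the configured “REALM”.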