NOTE: This document assumes that the administrator has already configured the Kerberos setup between the Linux and Active Directory machines.
The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.
The Kerberos authentication protocol provides a mechanism for mutual authentication between entities before a secure network connection is established. Throughout this documentation, the two entities are called the client and the server even though secure network connections can be made between servers. Both client and server can also be referred to as security principals.
Kerberos Authentication benefits
The Kerberos protocol provides strong mutual authentication, after which both client and server trust each other. Along with that, Kerberos also provides some other key features:
1. Mutual authentication
2. Delegated authentication
3. Interoperability
4. Efficient use of the authentication server
These features make Kerberos a strong contender for Single Sign-On, even on open networks.
EEM – Kerberos support
EEM already supports Windows Kerberos authentication for Windows machines that are members of an Active Directory domain (configuration and support of that setup are not discussed here). The Kerberos support in EEM has been extended to enable Kerberos authentication on a Linux node that is registered as a computer in Active Directory.
EEM uses Kerberos v5 for authentication and follows the standard Service Principal Name (SPN) based approach to identify services and service providers.
The current EEM solution addresses the use case where the service provider (for example, a web server) resides on a Linux host and protects its pages using Kerberos authentication. Authentication is performed with a Kerberos digest in the following steps:
- The user tries to access a resource in a Web Application that is protected by Kerberos authentication.
- The Web Application challenges the browser (client) to negotiate with a Kerberos digest.
- The browser fetches a Kerberos digest from Active Directory (this negotiation is internal to the Windows client and Active Directory) and sends it to the Web Application.
- The Web Application forwards the digest to the EEM server for verification using the authenticateWithDigest API.
- The EEM server validates the digest; if the digest is valid, it creates a session for the user.
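The exchange in the steps above, as an added example that is not part of this document or of EEM's own code: a minimal server-side handler, in Python, for the HTTP Negotiate challenge between the Web Application and the browser. The call to EEM's authenticateWithDigest API is modelled as a caller-supplied `verify_digest` callable (an assumed interface: it takes the raw token bytes and returns a session identifier or None), the sample tokens are constructed OID headers rather than real tickets, and the handler refuses to forward anything that is not a SPNEGO or Kerberos token (for example an NTLM fallback) to the verifier.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that may appear in a token sent under "Negotiate".
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft)


def classify_token(token: bytes) -> str:
    """Return 'spnego', 'krb5', 'ntlm' or 'unknown' for a raw GSS-API token."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                   # browser fell back to NTLM: not Kerberos
    # RFC 2743 InitialContextToken: tag 0x60, DER length, then the mech OID (0x06).
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    pos = 2
    if token[1] & 0x80:                 # long-form length: skip its extra bytes
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return "unknown"
    oid = token[pos + 2 : pos + 2 + token[pos + 1]]
    if oid == OID_SPNEGO:
        return "spnego"
    if oid in (OID_KRB5, OID_MSKRB5):
        return "krb5"
    return "unknown"


def negotiate_header(token: bytes) -> str:
    """Build the Authorization header value a browser sends for a token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def handle_request(headers: dict, verify_digest) -> tuple:
    """One round of the Negotiate exchange for a protected resource.

    headers       -- request headers (any key case)
    verify_digest -- callable(token_bytes) -> session id or None; stands in for
                     the Web Application's call to EEM's authenticateWithDigest
                     API (interface assumed here, not EEM's real signature)
    Returns (status, response_headers, body).
    """
    challenge = {"WWW-Authenticate": "Negotiate"}
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if auth is None:
        return 401, challenge, "authentication required"       # step 2: challenge
    scheme, _, b64 = auth.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return 401, challenge, "only Negotiate is accepted"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return 400, {}, "malformed Negotiate token"
    kind = classify_token(token)
    if kind not in ("spnego", "krb5"):
        # Never forward NTLM or unrecognised blobs to the digest verifier.
        return 401, challenge, f"{kind} token rejected; Kerberos digest required"
    session = verify_digest(token)                              # step 4: EEM verifies
    if session is None:
        return 401, challenge, "digest rejected by EEM"
    cookie = f"eem_session={session}; HttpOnly; Secure; SameSite=Strict"
    return 200, {"Set-Cookie": cookie}, "resource granted"      # step 5: session


# Constructed sample tokens: only the GSS-API/OID framing, no ticket material.
SAMPLE_SPNEGO = b"\x60\x0a\x06\x06" + OID_SPNEGO + b"\xa0\x00"
SAMPLE_KRB5 = b"\x60\x0b\x06\x09" + OID_KRB5
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00"


def demo_verifier(token: bytes):
    """Stand-in for EEM (assumed): accepts exactly the constructed SPNEGO sample."""
    return "sess-0001" if token == SAMPLE_SPNEGO else None


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": negotiate_header(SAMPLE_NTLM)},
                 {"authorization": negotiate_header(SAMPLE_SPNEGO)}):
        print(handle_request(hdrs, demo_verifier))
```

The token check matters because browsers configured for Negotiate may send an NTLM message when no Kerberos ticket can be obtained (wrong SPN, clock skew, host not joined); such a request should fail at the Web Application rather than being passed to EEM as a digest.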
Before configuring EEM for Kerberos authentication, the Kerberos setup between the Linux node and the Active Directory machine has to be completed. The basic steps are listed below.
- Key Distribution Center (KDC) has been enabled in Active Directory
- Linux machine has been joined to Active Directory
- Service Principal Name (SPN) has been created with the format HTTP/fqdn-linuxhost@domain
- A key table (keytab) file has been generated for the SPN
- Time has been synchronized between the Linux host and Active Directory
Note: These are the essential steps; reference links have been added in the appendix.
Configuring EEM Server for Kerberos
EEM provides a UI for Kerberos configuration (Linux only); every file referenced in the Kerberos configuration must be given as an absolute path.
Navigation path for Kerberos configuration: Configure -> EEM Server -> Kerberos Configuration
EEM asks for the following configuration values, each of which is explained below:
- Absolute path to the Kerberos configuration file on the Linux host
- Absolute path to the keytab file holding the credentials for the Service Principal Name
- Service Principal Name: the SPN that identifies the service and the host
- Credential Cache Path: absolute path to the credential cache file
Appendix
- How Kerberos works - http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
- Kerberos benefits - http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx
- Configure a Linux machine for Kerberos - https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html#About_Kerberos