Hello everyone, my name is John McKnight. I'm with BMC Support, and today we're covering a Remedy SSO Kerberos configuration based on the details from Jean Christophe's blog, as you can see on the screen. We'll be using a lot of the information that's in this blog, except for the load balancer components. The first thing we'll be testing is the Kerberos SPN configuration, and after that example we'll do the keytab configuration.

So the first step is to go into the Remedy SSO admin console, or RSSO as I'll call it from this point on. Log in using the admin account and the default password. You'll notice it logs into the General section under Server Configuration, and we have the server log level set to Debug. Now we're going to go to Realm, and this is where we'll be configuring Kerberos. We're using the default realm, and this is a test environment. Under Authentication, we already have the authentication type set to Kerberos; these are the other types that we have.

In this configuration our KDC server, following Jean Christophe's blog, is in a different domain. So we have diffdom.com, and this KDC is a domain controller holding the Kerberos server. The service principal name is the principal name we set up from the blog with the setspn command, and the Kerberos realm is DIFFDOM.COM. You'll note here that this is all upper case, and you want to keep that in mind when you're setting up your own SPN or keytab, because the realm is case sensitive. If it's different, like lower case, and you click Test, you'll get a failure: "Unable to connect to KDC". So we want to keep that the same case as it is defined.

Credential type is SPN password, so this is the type we're using; we'll get into some of the configuration details for SPN and keytab later in the video. Keytab file: since we've selected SPN password, this is a no entry, so you don't actually use it. The SPN password is the password that you used when you set up the principal name with the setspn command, and these other options aren't used for this test environment. Okay, so I'm going to go ahead and click Cancel, because it's already configured, and the next step will be to test a login. We'll do that right now.

Now, since we're in a different domain, we have to log into the domain as the user that will have credentials there in order to get authenticated. Even though RSSO is in bmc.com and diffdom is a different domain, we're going to log in for diffdom here. In this case we'll be logging in with the Demo account, which is a default for AR Server. Okay, so we've logged in with that account, and now we'll go ahead and log into our Remedy SSO. At this point we'll go to the RSSO Mid Tier login, which I already have defined here. That's going to the RSSO server, and now it's going to use the configuration to connect. I'm going to go ahead and make that wide screen. Okay, so we're already loading, and we're connected. I've noticed that with the Demo account it doesn't always show the welcome; the account is kind of high up on the screen, so you might not be able to see it. So I'm just going to log into the AR System Administration Console, and we'll take a look at the user preferences to show who we're logged in as. Okay, there we are. So that's the Demo account.

Okay, so one other thing we have to do. Let me see here; I've got to shrink this screen for a second, and shrink this one as well. I did want to take a moment to point out the Internet Explorer configuration options that are required for Kerberos authentication. The first one, and this applies to Chrome as well because Chrome will read Internet Explorer's security settings, is this one here: Enable Integrated Windows Authentication. You'll have to have that configured in the browser for both Internet Explorer and Chrome. Then under Security we have the Trusted Sites. You'll have to add, for example, the Mid Tier server that you're connecting to in the other domain, https://midtier.bmc.com in this example. Also, because it's in another domain, we're using a custom connector, just for testing purposes, and we had to set up an automatic login so that it'll come through across. Otherwise there's no automation. It's just something to keep in mind for this example; when you're doing your own test of Kerberos, if you're not using different domains, you may not see this. The whole point of Kerberos is to get the encrypted automated login.

Okay, next we're going to do a quick check on the logging in RSSO with Kerberos, just to give you an idea of how that works. So I'm just going to clear this browser data, and we're going to start over with the connection so that it can be observed. Okay, so we're quickly going to just stop RSSO and clear out the log files, and then we'll start it back up. All right, so now we're just waiting for the RSSO log to show up here, so we know that RSSO is working. Okay, we've got that. As we can see, the rsso.0.log has been created, so the RSSO server is up and running. Now we can do our test for automated login with Kerberos, and we'll be able to see it in the logs.

I have the rsso.0.log loaded into a notepad editor, one of the more advanced ones; you can use your favorite to view the logs at this point, and we'll see what the Kerberos communication looks like. Okay, so we'll do the automated login with the Demo account. It's beginning to log in now; I should at some point see this file update, otherwise I'll just read it. Oh, you'll see these kinds of errors if you don't have your HTTPS SSL setup, so you just have to skip through them in this case; I don't have it set up at the moment. So we have the login there, and at this point over here we should start seeing an update. Reload the file. Okay, so we're logged in; let's reload this file.

Here's the file that's been reloaded, and this is the start of the Kerberos communication, at about line 184 or 185. Then it starts to build the Kerberos encryption through this encryption key information, and then SPNEGO is where we see a lot of the information, which starts right here where you see "Authorization = Negotiate" on line 252. Then we see some other information about the Base64-encoded negotiation info at line 261, and then you start to see the SPNEGO token. This indicates that it's communicating with Kerberos, so that's always a good sign when you can see that. Let's go back up a little bit and see that information there. This will give you a rough idea of how to troubleshoot, and this is one of the first places you can go, with RSSO in debug mode, to see what kind of errors are coming back if you think the problem is with RSSO, or you just want to see how Kerberos, the KDC server, is interacting; sometimes it can give an error or something like that that can be useful for troubleshooting.

Okay, and now we're going to cover the keytab configuration. For the next step we're going to go over the keytab configuration for Kerberos. In this example, I've copied the keytab file that was generated on our KDC server in diffdom to the RSSO server; I've just put it in the C drive, so I wanted to make a note of that location there. Now we're going to go into the RSSO admin console and look at the configuration of Kerberos's keytab. There are not too many changes here. One thing is that you use this command called ktpass, which we'll look at in a moment, and we've changed how the service principal name is set up, using this format instead of a username service account; it's just saying this server, because it's going to a file now. The Kerberos realm is the same. Credential type: we have Keytab file, and we have pointed to it as shown earlier. The SPN password is no longer in use; it's just showing there, but it's not actually doing anything. All right, so we'll do a small test here, but the name of the server has changed a little bit, so I'm just putting the Task Manager over the name. We're still testing it with the keytab file. We just save that, and at this point we can test against it. We'll see how it looks. No, that's the wrong one. All right, so we're just going to log in with the Demo account again for an automated login. And that's how the keytab file is configured.

So that concludes the Kerberos configuration for keytab and setspn, but we're just going to go over some of the commands that are done on the KDC, on the domain controller, just to have some reference for how that's done based on the detail in Jean Christophe's blog. If you want more information you can go there; he has several examples of how to use it and some of the errors that he encountered. So we'll get out of the Demo account here and go back into the Remote Desktop configuration.

At this point I've logged into the diffdom KDC with an administrator account, and I just wanted to point out that here's the service account that we created under Users for my RSSO principal. This is the server you would want to be on to create your Kerberos SPN or the keytab. Here's an example of how to get help from setspn. You can do this, and that will give some information on how to use it. ktpass doesn't work with more, but you can use help and it'll just bring everything up, all the different possibilities, the switches that it can use. Now, if we want to look at the my RSSO principal and find out what it currently has, we do setspn -L and then the principal name. We have one there already. Now, if we were setting this up again for the RSSO one, we could just use this command here for number one, and then it updates it, as you can see there, and if we do another list, it'll show it there.

Also, with the keytab file, if you wanted to generate your own, you would just run ktpass, and you have to tell it what file you're going to use and which account to map it to, which we did using the my RSSO principal account, and then the principal, which is what you had seen with the keytab configuration earlier, and then obviously the password. I've just made it "password", but it can be anything. So we could do something like this, and this will generate it for keytab file two. We'll just generate it right here so you can see what that looks like. It just creates the keytab and gives you some information, and then it's created there. We would just need to copy this file over to the RSSO server and then point to it from the RSSO admin console in the realm configuration for Kerberos.

One last thing: we did want to point out the RSSO principal's properties. This is the way we had it set up in the KDC server. Notice how it just has this name right here, and then the Account tab has some information about the logon name being this. You also want to make sure to have this check box set up, or you could get an error in the RSSO log that'll just say something like a null error. So you want to check "Do not require Kerberos preauthentication"; otherwise you'll likely get a failure in the connection, maybe even in the test connection or in a logon when you're just trying to get into it.

That pretty much wraps up this Kerberos configuration. Hopefully this will be of use in your own setup, and if you have any problems, just let us know and we'll help you out. Thank you.
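The KDC-side commands the video narrates (setspn, ktpass, the preauthentication check box) and a check for the "Authorization: Negotiate" lines it finds in rsso.0.log, as one added example that is not from the video, Jean Christophe's blog, or BMC. It assumes a service account named svc-rsso, an RSSO host rsso.bmc.com, the realm DIFFDOM.COM, a keytab written to C:\rsso.keytab and a log at C:\rsso\logs\rsso.0.log; replace these with your own names. The token classifier goes one step beyond the video: a Negotiate header can carry NTLM inside SPNEGO when the browser could not obtain a ticket, so it reads the mechanism OIDs in the token instead of stopping at "a SPNEGO token is present". The two tokens at the bottom are constructed for the demonstration, not captured from a real log.

```powershell
# Added example, not from the video, Jean Christophe's blog, or BMC.
# AD-side functions run in an elevated PowerShell on a domain controller of the
# KDC domain (RSAT ActiveDirectory module); the token functions run anywhere.
# Assumed names: account 'svc-rsso', host 'rsso.bmc.com', realm 'DIFFDOM.COM',
# keytab 'C:\rsso.keytab', log 'C:\rsso\logs\rsso.0.log'.

function Test-RealmCase {
    param([string]$Realm)
    # Realm names are case sensitive; 'diffdom.com' fails the console's Test
    # button with "Unable to connect to KDC", as the video shows.
    return ($Realm -ceq $Realm.ToUpperInvariant())
}

function Register-RssoSpn {
    param([string]$Account, [string]$RssoHost)
    # setspn -S refuses to add an SPN that already exists elsewhere in the forest.
    # A duplicate makes the KDC encrypt tickets to the other account's key, which
    # neither the SPN password nor the keytab can decrypt.
    & setspn.exe -S "HTTP/$RssoHost" $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S HTTP/$RssoHost $Account failed" }
    & setspn.exe -L $Account   # the listing the video shows after adding the SPN
}

function New-RssoKeytab {
    param([string]$Account, [string]$RssoHost, [string]$Realm,
          [string]$KeytabOut, [string]$Password)
    Import-Module ActiveDirectory
    # The account's allowed enctypes must include what /crypto writes to the keytab.
    Set-ADUser -Identity $Account -KerberosEncryptionType AES256
    # ktpass resets the account password to $Password and sets its UPN to the
    # principal; after this the console's "SPN password" value is stale.
    & ktpass.exe /out $KeytabOut /princ "HTTP/$RssoHost@$Realm" /mapuser "$Account@$Realm" `
        /pass $Password /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed; no keytab written" }
    # Copy $KeytabOut to the RSSO server and set the realm's "Keytab file" to it.
}

function Set-RssoPreAuth {
    param([string]$Account)
    Import-Module ActiveDirectory
    # The "Do not require Kerberos preauthentication" box from the video. The KDC
    # then issues AS-REPs for this account without proof of its password, so keep
    # the password long and random.
    Set-ADAccountControl -Identity $Account -DoesNotRequirePreAuth $true
    return (Get-ADUser -Identity $Account -Properties DoesNotRequirePreAuth).DoesNotRequirePreAuth
}

# DER-encoded mechanism OIDs found in a SPNEGO NegTokenInit mechTypes list.
$script:MechOids = @{
    'KRB5'    = '2a864886f712010202'      # 1.2.840.113554.1.2.2
    'MS-KRB5' = '2a864882f712010202'      # 1.2.840.48018.1.2.2
    'NTLM'    = '2b06010401823702020a'    # 1.3.6.1.4.1.311.2.2.10
}

function Get-NegotiateTokenKind {
    param([string]$Base64Token)
    # What actually sits behind "Authorization: Negotiate <token>" in rsso.0.log.
    # A SPNEGO token alone does not prove Kerberos: with no ticket the browser
    # wraps NTLM in SPNEGO instead, so the first mechType decides.
    $bytes = [Convert]::FromBase64String($Base64Token)
    if ($bytes.Length -ge 8 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 8) -eq "NTLMSSP`0") {
        return 'NTLM (raw, no SPNEGO)'
    }
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x60) { return 'Unknown' }  # not a GSS-API InitialContextToken
    $hex = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    $found = @{}
    foreach ($name in $script:MechOids.Keys) {
        # only byte-aligned (even offset) matches count
        $m = [regex]::Matches($hex, $script:MechOids[$name]) | Where-Object { $_.Index % 2 -eq 0 } | Select-Object -First 1
        if ($m) { $found[$name] = $m.Index }
    }
    if ($found.Count -eq 0) { return 'SPNEGO with no recognised mechanism' }
    $first = ($found.GetEnumerator() | Sort-Object Value | Select-Object -First 1).Key
    if ($first -eq 'NTLM') { return 'NTLM inside SPNEGO (Kerberos fell back)' }
    return "Kerberos ($first)"
}

function Get-RssoNegotiateTokens {
    param([string]$LogPath)
    # Classifies every Negotiate token in the debug log; the bare
    # "WWW-Authenticate: Negotiate" challenge carries no token and is skipped.
    Select-String -Path $LogPath -Pattern 'Negotiate\s+([A-Za-z0-9+/=]{16,})' | ForEach-Object {
        [pscustomobject]@{ Line = $_.LineNumber
                           Kind = Get-NegotiateTokenKind $_.Matches[0].Groups[1].Value }
    }
}

# Offline demonstration on two constructed tokens (not captured from a real log).
$ntlmType1 = 'TlRMTVNTUAABAAAA'   # base64 of "NTLMSSP\0" + message type 1
$spnego = [byte[]](
    0x60,0x27, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,                  # InitialContextToken, SPNEGO OID
    0xa0,0x1d, 0x30,0x1b, 0xa0,0x19, 0x30,0x17,                          # NegTokenInit > mechTypes
    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,              # KRB5 first: optimistic Kerberos
    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)         # NTLMSSP listed as fallback
Test-RealmCase 'diffdom.com'
Test-RealmCase 'DIFFDOM.COM'
Get-NegotiateTokenKind $ntlmType1
Get-NegotiateTokenKind ([Convert]::ToBase64String($spnego))

# On the domain controller, with the assumed names:
# Register-RssoSpn -Account 'svc-rsso' -RssoHost 'rsso.bmc.com'
# New-RssoKeytab -Account 'svc-rsso' -RssoHost 'rsso.bmc.com' -Realm 'DIFFDOM.COM' -KeytabOut 'C:\rsso.keytab' -Password (Read-Host 'keytab password')
# Set-RssoPreAuth -Account 'svc-rsso'
# Get-RssoNegotiateTokens -LogPath 'C:\rsso\logs\rsso.0.log' | Format-Table
```

Run the top of the script anywhere to see the two constructed tokens classified; run the commented calls at the bottom on the KDC. If Get-RssoNegotiateTokens reports "NTLM inside SPNEGO" for the Demo login, the browser never got a ticket for HTTP/rsso.bmc.com, which points at the SPN, the trusted-site settings or the client's domain logon rather than at the RSSO realm configuration.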