Configuring Kerberos Authentication
Default Setting: Selecting the Default UI field marks the authentication profile as the default UI authentication type. There is no requirement, however, that only one authentication profile be the default for UI authentication.
Kerberos is an authentication profile configured by the master tenant in the System Console. It is shared by all tenants, and there can be only one Kerberos authentication profile.
If you choose Kerberos while Creating an Authentication Profile, the following are required:
- Platform must run on a named server (not localhost). Use the fully qualified domain name, for example, http://rbinstance.mydomain.com; the hostname in the Platform license file is then rbinstance.mydomain.com. The browser builds the Kerberos service name from the host in the URL, so this name must match the SPN registered below.
- Set up Active Directory (AD) as described below.
- Update the Shared Properties with the settings described below.
- Create new Customer(s) (tenants) as described below.
- Select Windows (Kerberos) as the authentication type as described below.
- Set up browsers as described below.
Create a user in Active Directory for the Platform service with the following settings:
- The password never expires.
- The user is not required to change the password at first logon.
- Delegation: Trust this user for delegation to any service (Kerberos only). This is unconstrained delegation: anyone who obtains this account's password or its tickets can impersonate any user who authenticates to the Platform, so protect the account accordingly.
Then register the HTTP service principal names (SPNs) on that account, one for the short host name and one for the fully qualified domain name (run as a user allowed to write the servicePrincipalName attribute, typically a domain administrator):
setspn -a HTTP/<rbinstance> <AD account user name>
setspn -a HTTP/<rbinstance.mydomain.com> <AD account user name>
Ensure that neither SPN is registered on any other Active Directory account (setspn -X lists duplicate SPNs in the forest). When an SPN exists on two accounts the KDC cannot decide which key to use, and Kerberos logon fails.
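The account and SPN steps above, scripted as an added example that is not part of the Platform documentation. It assumes the account name rbkerberos, the host rbinstance in the domain mydomain.com, the ActiveDirectory PowerShell module (RSAT), and rights to create users and write servicePrincipalName; the duplicate-SPN check runs before anything is created, because that is the failure the troubleshooting section warns about.

```powershell
# Added example (not from the Platform documentation): create the delegation account
# and register its SPNs. Assumed names: account rbkerberos, host rbinstance, domain mydomain.com.
Import-Module ActiveDirectory

$Account   = 'rbkerberos'                 # assumed: AD account the Platform will use
$HostShort = 'rbinstance'                 # assumed: Platform host name
$HostFqdn  = 'rbinstance.mydomain.com'    # assumed: Platform FQDN
$Spns      = @("HTTP/$HostShort", "HTTP/$HostFqdn")

# 1. Refuse to proceed if either SPN is already registered on any object in the domain
#    (machine accounts sometimes get HTTP/<host> automatically).
foreach ($spn in $Spns) {
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($holders) {
        throw "SPN $spn is already registered on: $($holders.DistinguishedName -join ', ')"
    }
}

# 2. Create the account: password never expires, no password change at first logon.
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@mydomain.com" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# 3. "Trust this user for delegation to any service (Kerberos only)" is the
#    TRUSTED_FOR_DELEGATION flag in userAccountControl (unconstrained delegation).
Set-ADAccountControl -Identity $Account -TrustedForDelegation $true

# 4. Register both SPNs. -S (instead of -A) re-checks for duplicates before writing.
foreach ($spn in $Spns) {
    setspn -S $spn $Account
}

# 5. Verify: both SPNs on exactly this account, delegation and password flags set.
Get-ADUser $Account -Properties servicePrincipalName, TrustedForDelegation, PasswordNeverExpires |
    Select-Object SamAccountName, TrustedForDelegation, PasswordNeverExpires, servicePrincipalName |
    Format-List
setspn -L $Account
```

Run it once on a domain-joined administration host; if the pre-check throws, remove the SPN from the other account (setspn -D) or choose a different host name rather than registering it twice.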
Enabling Kerberos authentication in Shared Properties
The Platform server must be joined to the Active Directory domain.
Set the following properties in Shared Properties:
- KerberosDomainName=<Windows Domain Name>, for example, KerberosDomainName=MyDomain.MyCompany.com
- KerberosDomainController=<Domain Controller> (the Kerberos ticket-issuing server, that is, the KDC), for example, KerberosDomainController=MyTicketIssuingServer.MyDomain.MyCompany.com
- KerberosUsername=<AD account user name> (the AD account created above, used by the Platform to authenticate to the domain)
- KerberosPassword=<AD account password> (the password of that account; it is stored in plain text in this file, so restrict read access to the Shared Properties file to the Platform service account)
- Uncomment the KerberosDebug property.
- Authentication can be set globally or per tenant. To set it globally, set the property defaultAuthType=Kerberos.
Once you have set the properties, restart the Platform server.
After restarting Platform, create Customers as follows:
- Log into the master tenant as the master administrator.
- Create a new Customer whose first user's login name matches that user's Windows username. The Customer is provisioned with this first administrator holding a local initial password.
- Log into the new tenant as the first administrator using the password from the welcome email.
- Add more users as needed. Each user’s login name should match their Windows username.
- Enable support access so you can use the support login from the master tenant.
Selecting Windows (Kerberos) as the authentication type
Once you have enabled Kerberos authentication, select the authentication type:
- From the Setup home screen, select Authentication under Administrative Setup.
- In the Authentication Type table, select Windows (Kerberos).
- Verify that you have completed the prerequisite steps and click Save.
- Log out of Platform.
- Open http://<rbinstance.mydomain.com>/router/login/loginKerberos.jsp in a browser on any machine where one of the added users is logged in to Windows. The browser presents the user's Kerberos ticket and the user is logged into the matching Platform account without entering a password.
(Optional) Ensure that the browser identifies the host as an intranet site, since browsers only send Kerberos credentials automatically to intranet or explicitly trusted sites (consult the respective browser help for how to do this).
To enable Kerberos on Firefox (the network.negotiate-auth.trusted-uris preference), see: http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
Troubleshooting tips
- Make sure no machine involved (client, Platform server, domain controller) holds stale DNS cache entries; forward and reverse lookups for the Platform host must agree, because the browser derives the SPN from the name it resolves.
- SPNs must not be associated with multiple accounts. Machine accounts are sometimes created with the hostname as an SPN automatically, and this can clash with the delegation user account you create.
- If there is a cryptography error (typically when tickets use AES-256 encryption), install the Java Cryptography Extension (JCE) Unlimited Strength policy files for the JDK the Platform runs on. JDK 8u161 and later ship with unlimited strength enabled by default.
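The three tips above as a client-side check script, added here as an example and not part of the Platform documentation. It assumes the host rbinstance.mydomain.com and runs on a domain-joined Windows client as one of the Platform users: it flushes and re-checks DNS, lists duplicate SPNs, and requests a service ticket for the Platform SPN so the failure surfaces at the KDC rather than in the browser.

```powershell
# Added example (not from the Platform documentation): client-side Kerberos checks.
# Assumed Platform host: rbinstance.mydomain.com.
$HostFqdn = 'rbinstance.mydomain.com'
$Spn      = "HTTP/$HostFqdn"

# 1. DNS: clear the local resolver cache, then confirm that the forward (A) and
#    reverse (PTR) records agree. A stale record makes the browser ask for a
#    different SPN than the one registered on the delegation account.
Clear-DnsClientCache
$aRecords = Resolve-DnsName -Name $HostFqdn -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
foreach ($rec in $aRecords) {
    $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue
    "{0} -> {1} -> {2}" -f $HostFqdn, $rec.IPAddress, ($ptr.NameHost -join ', ')
    if ($ptr.NameHost -notcontains $HostFqdn) {
        Write-Warning "Reverse lookup for $($rec.IPAddress) does not return $HostFqdn"
    }
}

# 2. SPNs: list every SPN registered more than once in the forest, then show which
#    account holds the Platform SPN (it must be exactly one: the delegation account).
setspn -X
setspn -Q $Spn

# 3. Tickets: drop cached tickets and ask the KDC for a service ticket for the SPN.
#    KDC_ERR_S_PRINCIPAL_UNKNOWN here means the SPN is missing or ambiguous.
klist purge
klist get $Spn

# 4. Show the encryption type of the ticket that was issued. AES-256 tickets are the
#    case where an older JDK without the unlimited-strength JCE policy fails.
klist | Select-String -SimpleMatch $Spn -Context 0,3
```

If step 3 succeeds but the browser still prompts for a password, the remaining suspects are the browser's intranet or trusted-URI setting and the Platform's own KerberosUsername and KerberosPassword values, which KerberosDebug output on the server will show.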