When a user wants to authenticate to a service in a Kerberos realm, a series of steps must be taken to perform the authentication. The client (the user’s machine) must obtain credentials from the Kerberos servers, which are the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS and the TGS reside on the same machine and are referred to as the Key Distribution Center (KDC).

Kerberos Authentication Procedure

The following outlines the process when a user accesses secure services in a Kerberos realm. The process only occurs when the user initially logs in to a Kerberos realm and tries to perform the first access to a Kerberos-secured service.

1. The user logs in to the system (client) using his or her domain username and password.
2. The user’s password is hashed, and this hash becomes the user’s secret key.
3. When the user tries to access a service, a message informs the AS that the user wants to access that service.
4. If the user is in the AS database, two messages are sent back to the client:
   - A Client/TGS session key, encrypted with the user’s secret key, which is used in the communication with the TGS.
   - A Ticket-Granting Ticket (TGT), encrypted with the secret key of the TGS. A ticket is used in Kerberos to prove one’s identity. The TGT allows the client to obtain other tickets for communication with network services.
5. Upon receiving these two messages, the client decrypts the message containing the Client/TGS session key.
The following process occurs every time a user wants to authenticate to a service:

1. When the user requests a service, the client sends two messages to the TGS:
   - A message composed of the TGT and the requested service.
   - An authenticator, made up of the client’s ID and the current timestamp, encrypted with the Client/TGS session key received before. Timestamps are used in Kerberos to avoid replay attacks. The clock skew among machines cannot exceed a specific limit.
2. The TGS decrypts the authenticator and sends two new messages back to the client:
   - The client-to-server ticket received from the TGS.
   - Another authenticator, made up of the client’s ID and the current timestamp, encrypted with the client/server session key.
3. The service decrypts the client-to-server ticket with its own secret key and sends the client a message with the received timestamp plus one, confirming its true identity. This message is encrypted with the client/server session key.
4. The client decrypts the message and checks the timestamp. If it is correct, requests may be issued to the service and it sends responses back as expected.
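To make the two exchanges concrete, here is an added example in Python. It is not code from HP SMH or from any Kerberos implementation: it simulates the AS, the TGS and a service on one host, so the password-derived key, the session keys, the tickets, the authenticators, the timestamp-plus-one reply and the clock-skew check can all be stepped through offline. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the user alice, the service name http/smh.example.com, the 300-second skew limit and the fixed clock value are all constructed for the illustration; the real protocol uses its own message encoding and encryption types.

```python
import hashlib
import hmac
import json
import os

SKEW_LIMIT = 300  # tolerated clock skew in seconds (constructed value)

def derive_key(password: str) -> bytes:
    # The user's password is hashed; the hash becomes the user's secret key.
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (constructed): HMAC-SHA256 keystream plus an HMAC tag.
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, expected_user: str, now: int) -> None:
    # The timestamp guards against replay: an authenticator whose clock differs
    # from the server's by more than the limit is rejected.
    if auth["user"] != expected_user:
        raise ValueError("authenticator principal does not match the ticket")
    if abs(now - auth["ts"]) > SKEW_LIMIT:
        raise ValueError("clock skew too large")

class KDC:
    """AS and TGS on one machine: user keys, the TGS key and service keys."""
    def __init__(self):
        self.users = {"alice": derive_key("correct horse")}  # constructed user
        self.tgs_key = os.urandom(32)
        self.services = {"http/smh.example.com": os.urandom(32)}  # constructed service

    def as_exchange(self, user: str):
        # AS reply: Client/TGS session key under the user's key, TGT under the TGS key.
        if user not in self.users:
            raise ValueError("principal not in the AS database")
        sk = os.urandom(32).hex()
        return (encrypt(self.users[user], {"tgs_session_key": sk}),
                encrypt(self.tgs_key, {"user": user, "tgs_session_key": sk}))

    def tgs_exchange(self, tgt: bytes, service: str, authenticator: bytes, now: int):
        # TGS reply: client-to-server ticket under the service key, and the
        # client/server session key under the Client/TGS session key.
        t = decrypt(self.tgs_key, tgt)
        tgs_sk = bytes.fromhex(t["tgs_session_key"])
        check_authenticator(decrypt(tgs_sk, authenticator), t["user"], now)
        svc_sk = os.urandom(32).hex()
        return (encrypt(self.services[service], {"user": t["user"], "svc_session_key": svc_sk}),
                encrypt(tgs_sk, {"svc_session_key": svc_sk}))

def service_ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    # The service decrypts the ticket with its own key, checks the authenticator
    # and replies with the received timestamp plus one under the session key.
    t = decrypt(service_key, ticket)
    svc_sk = bytes.fromhex(t["svc_session_key"])
    auth = decrypt(svc_sk, authenticator)
    check_authenticator(auth, t["user"], now)
    return encrypt(svc_sk, {"ts": auth["ts"] + 1})

def login(kdc: KDC, user: str, password: str, service: str, now: int, skew: int = 0) -> bool:
    """Client side of the whole exchange; `skew` offsets the client's clock from the servers'."""
    client_ts = now + skew
    msg_a, tgt = kdc.as_exchange(user)
    tgs_sk = bytes.fromhex(decrypt(derive_key(password), msg_a)["tgs_session_key"])
    auth = encrypt(tgs_sk, {"user": user, "ts": client_ts})
    ticket, msg_f = kdc.tgs_exchange(tgt, service, auth, now)
    svc_sk = bytes.fromhex(decrypt(tgs_sk, msg_f)["svc_session_key"])
    auth = encrypt(svc_sk, {"user": user, "ts": client_ts})
    # The service holds its own key; the simulation just reads it from the KDC table.
    reply = service_ap_exchange(kdc.services[service], ticket, auth, now)
    return decrypt(svc_sk, reply)["ts"] == client_ts + 1

def attempt(kdc: KDC, user: str, password: str, service: str, now: int, skew: int = 0) -> str:
    """Run one login and report the outcome as text."""
    try:
        return "ok" if login(kdc, user, password, service, now, skew) else "bad service reply"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    kdc, now = KDC(), 1_700_000_000  # fixed clock value (constructed)
    for pwd, skew in (("correct horse", 0), ("wrong password", 0), ("correct horse", 600)):
        print(attempt(kdc, "alice", pwd, "http/smh.example.com", now, skew))
```

Running the block shows the three outcomes the text describes: a correct password and an in-sync clock complete the exchange, a wrong password leaves the client unable to decrypt the Client/TGS session key, and a client clock 600 seconds off is rejected at the TGS by the skew check, which is the same condition that sends an HP SMH user back to the Sign In page.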
HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH. Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When this URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication. If the user does not have valid Kerberos credentials, or if an error occurs during the authentication process, the Sign In page appears, showing an error message. For example, if the clock skew among the machines involved in authentication is too large, you receive an error message and are taken to the Sign In page.

Kerberos authentication does not work in the following local access situations:
- Accessing HP SMH from the machine where the KDC (AD) is installed
- Accessing HP SMH from the machine where HP SMH is installed

When an authentication error occurs, the system administrator should check the SMH HTTP server error log to obtain more information about the error. For example, when the clock skew among the machines is too large, the following log message is written:

    [Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054).

The following levels of user authorizations are available:
Administrator: Users with Administrator access can view all information provided through HP SMH. The appropriate default user group (Administrators on Windows operating systems and the root user on Linux operating systems) always has administrative access.

Operator: Users with Operator access can view and set most information provided through HP SMH. Some web applications limit access to the most critical information to administrators only.

User: Users with User access can view most information provided through HP SMH. Some web applications restrict viewing of critical information from individuals with User access.
To enable or disable Kerberos and add groups to the allowed Kerberos group list, complete the following steps for each level of access. Kerberos support is provided on a per-user basis.

Kerberos Administrator

To add a Kerberos Administrator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM or REALM\group format. Only alphanumeric and underline values are permitted. Special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; are not permitted.
6. Click the Administrator radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You can continue to add groups with administrative access by repeating steps 5 through 7.
8. Click [Apply].

To remove a Kerberos Administrator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].
Kerberos Operator

To add a Kerberos Operator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM or REALM\groupname format. Only alphanumeric and underline values are permitted. Special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; are not permitted.
6. Click the Operator radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You can continue to add groups with operator access by repeating steps 5 through 7.
8. Click [Apply].

To remove a Kerberos Operator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].
Kerberos User

To add a Kerberos User:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM or REALM\groupname format. Only alphanumeric and underline values are permitted. Special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; are not permitted.
6. Click the User radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You may continue to add groups with user access by repeating steps 5 through 7.
8. Click [Apply].

To remove a Kerberos User:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].
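The three add/remove procedures above share one input rule (group@REALM or REALM\group, alphanumeric and underline characters only) and one outcome (a list of groups, each mapped to Administrator, Operator or User). The following added Python example, which is not HP SMH code, models that allowed-group list so an administrator can check candidate entries before typing them in and see which access level a given set of group memberships would resolve to. The group names, the realm EXAMPLE.COM and the shape of the membership list (group@REALM strings) are constructed; allowing "." inside the realm part and comparing realms case-insensitively are assumptions made here because DNS-style realm names contain dots and the page's list of forbidden characters does not include the dot.

```python
import re

# Group part: alphanumeric and underscore only, as the procedure states.
# Realm part: the same characters plus "." (assumption: DNS-style realms).
_GROUP_AT_REALM = re.compile(r"^(?P<group>[A-Za-z0-9_]+)@(?P<realm>[A-Za-z0-9_.]+)$")
_REALM_BS_GROUP = re.compile(r"^(?P<realm>[A-Za-z0-9_.]+)\\(?P<group>[A-Za-z0-9_]+)$")

LEVELS = ("Administrator", "Operator", "User")  # most to least privileged

def parse_group_name(name: str) -> tuple:
    """Return (group, REALM) for a valid entry; raise ValueError otherwise."""
    m = _GROUP_AT_REALM.match(name) or _REALM_BS_GROUP.match(name)
    if m is None:
        raise ValueError(
            f"invalid group name {name!r}: use group@REALM or REALM\\group "
            "with only alphanumeric and underline characters")
    # Realm names are compared case-insensitively here (assumption).
    return m.group("group"), m.group("realm").upper()

def is_valid_group_name(name: str) -> bool:
    """True if the entry would be accepted by the Group Name textbox rule."""
    try:
        parse_group_name(name)
        return True
    except ValueError:
        return False

class KerberosAuthorization:
    """Model of the Kerberos Configuration page: the enable flag plus the
    allowed-group list with one access type per group."""

    def __init__(self):
        self.enabled = False
        self.groups = {}  # (group, REALM) -> level

    def add(self, name: str, level: str) -> tuple:
        # Mirrors entering a Group Name, choosing the Type radio button and [Add].
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        key = parse_group_name(name)
        self.groups[key] = level
        return key

    def remove(self, name: str) -> bool:
        # Mirrors selecting the check box beside the Group Name and [Remove].
        return self.groups.pop(parse_group_name(name), None) is not None

    def access_level(self, user_groups):
        """Highest level granted by any of the user's groups, or None, which
        means the user is shown the Sign In page instead of the Home page."""
        if not self.enabled:
            return None
        granted = set()
        for g in user_groups:
            try:
                granted.add(self.groups.get(parse_group_name(g)))
            except ValueError:
                continue  # a malformed group claim never grants access
        for level in LEVELS:
            if level in granted:
                return level
        return None

if __name__ == "__main__":
    az = KerberosAuthorization()
    az.enabled = True
    az.add("smh_admins@EXAMPLE.COM", "Administrator")  # constructed group names
    az.add("EXAMPLE.COM\\smh_ops", "Operator")
    print(az.access_level(["smh_ops@EXAMPLE.COM", "staff@EXAMPLE.COM"]))
    print(is_valid_group_name("ops&admins@EXAMPLE.COM"))
```

Because a user may belong to several allowed groups, the resolver returns the most privileged level among them; a group that is not on the list, or a membership claim that does not parse, contributes nothing, and with Enable Kerberos Support cleared every lookup yields None.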