When a user wants to authenticate to a service in a Kerberos realm, a series of steps must be taken to perform the authentication. The client (the user’s machine) must obtain credentials from the Kerberos servers, which are the Authentication Server (AS) and the Ticket Granting Server (TGS).

The AS and the TGS reside on the same machine and are referred to as the Key Distribution Center (KDC).

Kerberos Authentication Procedure

The following outlines the process when a user accesses secure services in a Kerberos realm.

The process only occurs when the user initially logs in to a Kerberos realm and tries to perform the first access to a Kerberos-secured service.

The following process occurs every time a user wants to authenticate to a service:

HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH.

Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When this URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication.

If the user does not have valid Kerberos credentials or if an error occurs during the authentication process, the Sign In page appears, showing an error message. For example, if the clock skew among the machines involved in authentication is too large, you receive an error message and are taken to the Sign In page.

Kerberos authentication does not work in the following local access situations:

When an authentication error occurs, the system administrator should check the SMH HTTP server error log to obtain more information about the error.

For example, when the clock skew among the machines is too large, the following log message is written:

[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054).
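As an added example (not part of HP SMH or this document), the following Python script pulls mod_spnego failures out of an SMH HTTP server error log so an administrator can triage them by client and SSPI status code; it assumes the bracketed Apache-style line layout shown in the message above, and the sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache-style error-log line as written by mod_spnego; the field layout follows
# the example message in the text above. Apache escapes control characters, so the
# Windows error text ends in a literal "\r\n" before the SSPI status code.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"mod_spnego: (?P<msg>.*?)\s*(?:\((?P<code>-?\d+)\)\.?)?$"
)

@dataclass
class SpnegoFailure:
    timestamp: str
    client: str          # IPv4 or IPv6 address as logged
    message: str         # failure text with the trailing literal "\r\n" removed
    code: Optional[int]  # SSPI status from the trailing parentheses, if present

def parse_spnego_line(line: str) -> Optional[SpnegoFailure]:
    """Parse one error-log line; return None unless it is a mod_spnego error."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("level") != "error":
        return None
    msg = re.sub(r"(\\r\\n)+$", "", m.group("msg")).strip()
    code = int(m.group("code")) if m.group("code") is not None else None
    return SpnegoFailure(m.group("ts"), m.group("client"), msg, code)

def spnego_failures(lines: Iterable[str]) -> List[SpnegoFailure]:
    """Keep only the mod_spnego failures from an error-log stream."""
    return [f for f in map(parse_spnego_line, lines) if f is not None]

def failures_by_code(failures: Iterable[SpnegoFailure]) -> Counter:
    """Count failures per SSPI status code (None = line carried no code)."""
    return Counter(f.code for f in failures)

# Constructed sample: the first line is the clock-skew example from the text,
# the other two are filler lines the parser must ignore.
SAMPLE_LINES = [
    r"[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] "
    r"mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: "
    r"The function requested is not supported\r\n(-2146893054).",
    r"[Thu Jun 25 16:55:10 2009] [notice] [client 192.0.2.10] mod_spnego: Kerberos SSO succeeded",
    r"[Thu Jun 25 16:55:11 2009] [error] [client 192.0.2.11] client denied by server configuration",
]

if __name__ == "__main__":
    for f in spnego_failures(SAMPLE_LINES):
        print(f"{f.timestamp} {f.client} code={f.code}: {f.message}")
```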

The following levels of user authorizations are available:

To enable or disable Kerberos and add groups to the allowed Kerberos group list, complete the following steps for each level of access.

Kerberos support is provided on a per-user basis.

Kerberos Administrator

To add a Kerberos Administrator:

To remove a Kerberos Administrator:

Kerberos Operator

To add a Kerberos Operator:

To remove a Kerberos Operator:

Kerberos User

To add a Kerberos User:

To remove a Kerberos User:

Related Procedures

Anonymous/Local Access
IP Binding
IP Restricted Login
Local Server Certificate
Alternative Names Certificates
Port 2301 and Autostart (Linux only)
Timeouts
Trust Mode
Trusted Management Servers
User Groups

Related Topic

The Settings Page