HP

System Management Homepage


Kerberos Authorization procedure (Windows Only)


When a user wants to authenticate to a service in a Kerberos realm, a series of steps must be taken to perform the authentication. The client (the user's machine) must first obtain credentials from the Kerberos servers, which are the Authentication Server (AS) and the Ticket Granting Server (TGS).

The AS and the TGS are logically separate services that normally run on the same machine; together they are referred to as the Key Distribution Center (KDC). In an Active Directory domain every domain controller runs a KDC.

Kerberos Authentication Procedure

The following outlines the process when a user accesses secure services in a Kerberos realm.

The process occurs only when the user initially logs in to a Kerberos realm and performs the first access to a Kerberos-secured service; its result (the ticket-granting ticket and session key described below) is cached and reused until it expires.

  1. The user logs in to the system (client) using his or her domain username and password.

  2. A secret key is derived from the user's password (the Kerberos string-to-key function: the NT hash for the RC4 encryption type, a salted PBKDF2 derivation for the AES types). The KDC holds the same key in its database, so the password itself is never sent over the network.

  3. The client sends the AS a request for a ticket-granting ticket (AS-REQ) that names the user. Active Directory requires pre-authentication by default: the request carries the current timestamp encrypted with the user's secret key, so a wrong password is rejected at this step.

  4. If the user is in the AS database, two messages are sent back to the client (AS-REP):

    1. A Client/TGS session key, encrypted with the user's secret key. It is used in the communication with the TGS.

    2. A Ticket-Granting Ticket (TGT), encrypted with the secret key of the TGS (in Active Directory, the key of the krbtgt account). A ticket is used in Kerberos to prove one's identity. The TGT allows the client to obtain other tickets for communication with network services without presenting the password again; the client can neither read nor alter it.

  5. Upon receiving these two messages, the client decrypts the message containing the Client/TGS session key with its secret key and caches the session key together with the TGT.

The following process occurs every time a user wants to authenticate to a service:

  1. When the user requests a service, the client sends two messages to the TGS (TGS-REQ):

    • A message composed of the TGT and the name (service principal name) of the requested service

    • An authenticator, made up of the client's ID and the current timestamp, encrypted with the Client/TGS session key received before

    Timestamps are used in Kerberos to prevent replay attacks: a verifier rejects an authenticator whose timestamp lies outside the allowed window, and keeps a short-lived cache of the authenticators it has already accepted so that a captured one cannot be presented a second time. The clock skew among the machines therefore cannot exceed a specific limit (five minutes by default in Active Directory), which is why every host involved must keep its clock synchronised with the domain.

  2. The TGS decrypts the TGT with its own secret key, takes the Client/TGS session key from it, decrypts the authenticator with that key and checks that the client ID matches the TGT and that the timestamp is fresh. It then sends two new messages back to the client (TGS-REP):

    • A client-to-server ticket, containing the client's ID and a new client/server session key, encrypted with the secret key of the requested service

    • The client/server session key, encrypted with the Client/TGS session key

  3. The client decrypts the second message to obtain the client/server session key and sends the service the client-to-server ticket together with a new authenticator, made up of the client's ID and the current timestamp, encrypted with the client/server session key (AP-REQ).

  4. The service decrypts the client-to-server ticket with its own secret key, takes the client/server session key from it, decrypts and checks the authenticator and, if the client asked for mutual authentication, sends back the timestamp from the authenticator encrypted with the client/server session key (AP-REP; Kerberos version 4 returned the timestamp plus one). Only a service that holds the correct secret key can produce this message, so it confirms the service's true identity. The service does not contact the KDC at any point.

  5. The client decrypts the message and checks the timestamp. If it is correct, requests may be issued to the service and it sends responses back as expected.
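The whole exchange above as a runnable walk-through, including the two failure modes the text mentions (a replayed authenticator and clocks that differ by more than the allowed skew) and a wrong password. This is an added example and not HP SMH or Windows code: the KDC, the service and the client run in one process, the cipher is a standard-library HMAC/SHAKE-256 stand-in for a real Kerberos encryption type, and the realm EXAMPLE.COM, the user alice, the service principal HTTP/smh.example.com, the key derivation, the ticket lifetime and the 5-minute skew limit are illustrative choices.

```python
"""Toy run of the AS, TGS and AP exchanges described above. Added example, not
HP SMH code: the cipher is a standard-library SHAKE/HMAC stand-in for a real
Kerberos encryption type (never reuse it); names, keys, lifetimes and the
5-minute skew limit (Active Directory's default) are illustrative choices."""
import hashlib, hmac, json, secrets

MAX_SKEW, LIFETIME = 300, 36000   # seconds: AD's default clock-skew limit; ticket lifetime

def string_to_key(password, salt):
    # Real Kerberos uses PBKDF2 (AES types) or the NT hash (RC4); a salted SHA-256 stands in.
    return hashlib.sha256((salt + password).encode()).digest()

def encrypt(key, obj):
    """Toy authenticated encryption: nonce || HMAC tag || (plaintext XOR SHAKE-256 keystream)."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def decrypt(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("INTEGRITY_CHECK_FAILED: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def check_authenticator(ticket, auth, now):
    # Every ticket verifier does this: names match, ticket unexpired, timestamp within the skew window.
    if auth["cname"] != ticket["cname"] or now > ticket["exp"]:
        raise ValueError("KRB_AP_ERR_BADMATCH: authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW: timestamp outside the clock-skew window")

class KDC:
    def __init__(self, realm):
        self.realm, self.users, self.services = realm, {}, {}   # long-term keys by principal / SPN
        self.tgs_key = secrets.token_bytes(32)                   # the krbtgt long-term key

    def as_exchange(self, cname, pa_timestamp, now):
        """AS-REQ -> (Client/TGS session key under the user key, TGT under the TGS key)."""
        user_key = self.users[cname]                             # KeyError: unknown principal
        if abs(now - decrypt(user_key, pa_timestamp)["ts"]) > MAX_SKEW:   # pre-authentication
            raise ValueError("KRB_AP_ERR_SKEW: pre-auth timestamp outside the clock-skew window")
        sk = secrets.token_bytes(32).hex()
        tgt = encrypt(self.tgs_key, {"cname": cname, "key": sk, "exp": now + LIFETIME})
        return encrypt(user_key, {"key": sk}), tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """TGS-REQ -> (service ticket under the service key, Client/Server key under the Client/TGS key)."""
        t = decrypt(self.tgs_key, tgt)                           # only the KDC can open a TGT
        sk = bytes.fromhex(t["key"])
        check_authenticator(t, decrypt(sk, authenticator), now)
        svc_sk = secrets.token_bytes(32).hex()
        ticket = encrypt(self.services[spn], {"cname": t["cname"], "key": svc_sk, "exp": now + LIFETIME})
        return ticket, encrypt(sk, {"spn": spn, "key": svc_sk})

class Service:
    def __init__(self, spn, key):
        self.spn, self.key, self.replay_cache = spn, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """AP-REQ -> (authenticated principal, AP-REP echoing the timestamp under the session key)."""
        t = decrypt(self.key, ticket)                            # the service never contacts the KDC
        sk = bytes.fromhex(t["key"])
        auth = decrypt(sk, authenticator)
        check_authenticator(t, auth, now)
        if (auth["cname"], auth["ts"]) in self.replay_cache:
            raise ValueError("KRB_AP_ERR_REPEAT: authenticator replayed")
        self.replay_cache.add((auth["cname"], auth["ts"]))
        return t["cname"], encrypt(sk, {"ts": auth["ts"]})

def logon(kdc, cname, password, now, skew=0):
    """Initial exchange: derive the user key, AS exchange with pre-auth, recover the session key."""
    user_key = string_to_key(password, kdc.realm + cname)
    enc_sk, tgt = kdc.as_exchange(cname, encrypt(user_key, {"ts": now + skew}), now)
    return tgt, bytes.fromhex(decrypt(user_key, enc_sk)["key"])

def ap_request(kdc, cname, tgt, session_key, spn, now, skew=0):
    """TGS exchange, then the (ticket, authenticator, Client/Server key) presented to the service.
    skew is how many seconds this client's clock is off from the KDC's and the service's."""
    auth = encrypt(session_key, {"cname": cname, "ts": now + skew})
    ticket, enc = kdc.tgs_exchange(tgt, auth, spn, now)
    svc_sk = bytes.fromhex(decrypt(session_key, enc)["key"])
    return ticket, encrypt(svc_sk, {"cname": cname, "ts": now + skew}), svc_sk

def run_scenarios(now=1_700_000_000.0):
    """Successful SSO, then a replayed authenticator, a wrong password and a 10-minute clock skew."""
    kdc, spn, out = KDC("EXAMPLE.COM"), "HTTP/smh.example.com", {}
    kdc.users["alice"] = string_to_key("correct horse", kdc.realm + "alice")
    kdc.services[spn] = secrets.token_bytes(32)
    smh = Service(spn, kdc.services[spn])
    tgt, sk = logon(kdc, "alice", "correct horse", now)
    ticket, auth, svc_sk = ap_request(kdc, "alice", tgt, sk, spn, now)
    who, ap_rep = smh.ap_exchange(ticket, auth, now)                          # AP-REQ / AP-REP
    out["sso"] = who if decrypt(svc_sk, ap_rep)["ts"] == now else "mutual auth failed"
    for name, action in [("replay", lambda: smh.ap_exchange(ticket, auth, now + 1)),
                         ("wrong_password", lambda: logon(kdc, "alice", "Correct Horse", now)),
                         ("skew", lambda: ap_request(kdc, "alice", tgt, sk, spn, now, skew=600))]:
        try:
            action(); out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e).split(":")[0]
    return out
```

Calling run_scenarios() gives the successful sign-on as "alice" and the three rejections by name. The wrong password fails at the AS, because the pre-authentication timestamp cannot be decrypted with the key the KDC holds (a real Active Directory KDC reports this as KDC_ERR_PREAUTH_FAILED); the skewed client is refused by the TGS before any service ticket exists; the replayed authenticator is caught by the service's own cache even though its timestamp is still inside the window.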

HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH.

Kerberos authentication is done through the special URL /proxy/Kerberos in HP SMH. When this URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication with them.

If the user does not have valid Kerberos credentials or if an error occurs during the authentication process, the Sign In page appears, showing an error message. For example, if the clock skew among the machines involved in authentication is too large, you receive an error message and are taken to the Sign In page.

Kerberos authentication does not work on the following local access situations:

  • Accessing HP SMH from the machine where the KDC (AD) is installed

  • Accessing HP SMH from the machine where HP SMH is installed

When an authentication error occurs, the system administrator should check the SMH HTTP server error log to obtain more information about the error.

For example, when the clock skew among the machines is too large, the following log message is written:

[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054).
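A small triage script for the kind of error-log line shown above, as an added example that is not part of HP SMH or mod_spnego. It parses the Apache-style line, pulls out the SSPI call that failed and turns the signed decimal status the module logs into the HRESULT form used in Microsoft documentation (-2146893054 is 0x80090302, SEC_E_UNSUPPORTED_FUNCTION, the only status this page documents). The lines in SAMPLE_LOG are constructed: the first is the one quoted above, the others follow its format; the name table is a handful of SSPI status values from winerror.h, not a list that SMH ships.

```python
"""Triage of mod_spnego entries in the HP SMH httpd error log. Added example,
not part of HP SMH. SAMPLE_LOG is constructed from the format shown above; the
SSPI names are winerror.h values for those HRESULTs, and only -2146893054
(0x80090302, SEC_E_UNSUPPORTED_FUNCTION) is documented on this page."""
import re

# Apache 2.2-style error_log line followed by mod_spnego's text. The SSPI status
# is logged as a signed 32-bit decimal, which is why it appears negative.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"mod_spnego: (?P<msg>.*?)(?:\((?P<code>-?\d+)\)\.?)?\s*$"
)

SSPI_NAMES = {   # a few SEC_E_* values from winerror.h (assumed table, not from SMH)
    0x80090302: "SEC_E_UNSUPPORTED_FUNCTION",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090324: "SEC_E_TIME_SKEW",
}

def hresult(code):
    """Render the signed decimal status the module logs as the usual 0x8009xxxx HRESULT."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def parse_line(line):
    """One mod_spnego error line -> dict, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"].replace("\\r\\n", " ").strip()      # the module logs a literal \r\n
    step = re.search(r"Kerberos SSO \((\w+)\) failed", msg)
    row = {"time": m["time"], "client": m["client"], "step": step[1] if step else None,
           "message": msg, "hresult": None, "name": None}
    if m["code"]:
        code = int(m["code"])
        row["hresult"] = hresult(code)
        row["name"] = SSPI_NAMES.get(code & 0xFFFFFFFF, "unknown")
    return row

def triage(lines):
    """Return the parsed mod_spnego failures in log order, skipping unrelated lines."""
    return [r for r in map(parse_line, lines) if r]

# Constructed sample: the first line is the one quoted in the text, the rest follow its format.
SAMPLE_LOG = [
    "[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: "
    "Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\\r\\n(-2146893054).",
    "[Thu Jun 25 16:57:41 2009] [notice] Apache/2.2 configured -- resuming normal operations",
    "[Thu Jun 25 17:02:13 2009] [error] [client 192.0.2.25] mod_spnego: "
    "Kerberos SSO (AcceptSecurityContext) failed; SSPI: The clocks on the client and server machines are skewed\\r\\n(-2146893020).",
    "[Thu Jun 25 17:05:00 2009] [error] [client 192.0.2.26] mod_spnego: no Kerberos credentials in request",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["time"], row["client"], row["step"], row["hresult"], row["name"])
```

Grouping the output by client address and failing SSPI call separates a fleet-wide problem (every client failing in the same call after a time change, for instance) from a single misconfigured host; the raw negative number in the log is hard to search for, the 0x8009xxxx form is what Microsoft's documentation and other tools use.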

The following levels of user authorizations are available:

  • Administrator  Users with Administrator access can view all information provided through HP SMH. The appropriate default user group (Administrators on Windows operating systems; the root user on Linux operating systems) always has administrative access.

  • Operator  Users with Operator access can view and set most information provided through HP SMH. Some web applications limit access to the most critical information to administrators only.

  • User  Users with User access can view most information provided through HP SMH. Some web applications restrict viewing of critical information from individuals with User access.

To enable or disable Kerberos and add groups to the allowed Kerberos group list, complete the following steps for each level of access.

Kerberos sign-on is evaluated per user: each user must present valid Kerberos credentials and belong to one of the groups listed here, and receives the access level assigned to that group.

Kerberos Administrator

To add a Kerberos Administrator:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.

  5. In the Group Name textbox, enter the group in the group@REALM or REALM\group format.

    Group names may contain only alphanumeric characters and underscores; the special characters ~ ' ! # $ % ^ & * ( ) + = / " : < > ? , | ; are not permitted. This also excludes group names that contain spaces, such as the default Active Directory group Domain Admins.

  6. Click the Administrator radio button beside Type.

  7. Click [Add]. The values entered are added as a new line in the list table.

    You can continue to add groups with administrative access by following steps 5 through 7.

  8. Click [Apply].

To remove a Kerberos Administrator:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.

  5. Click [Remove].

  6. Click [Apply].

Kerberos Operator

To add a Kerberos Operator:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.

  5. In the Group Name textbox, enter the group in the group@REALM or REALM\group format.

    Group names may contain only alphanumeric characters and underscores; the special characters ~ ' ! # $ % ^ & * ( ) + = / " : < > ? , | ; are not permitted. This also excludes group names that contain spaces, such as the default Active Directory group Domain Admins.

  6. Click the Operator radio button beside Type.

  7. Click [Add]. The values entered are added as a new line in the list table.

    You can continue to add groups with operator access by following steps 5 through 7.

  8. Click [Apply].

To remove a Kerberos Operator:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.

  5. Click [Remove].

  6. Click [Apply].

Kerberos User

To add a Kerberos User:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.

  5. In the Group Name textbox, enter the group in the group@REALM or REALM\group format.

    Group names may contain only alphanumeric characters and underscores; the special characters ~ ' ! # $ % ^ & * ( ) + = / " : < > ? , | ; are not permitted. This also excludes group names that contain spaces, such as the default Active Directory group Domain Admins.

  6. Click the User radio button beside Type.

  7. Click [Add]. The values entered are added as a new line in the list table.

    You can continue to add groups with user access by following steps 5 through 7.

  8. Click [Apply].

To remove a Kerberos User:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Kerberos Authorization link.

  4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.

  5. Click [Remove].

  6. Click [Apply].

Related Procedures

»   HP System Management Homepage Online Help - Anonymous/Local Access
»   HP System Management Homepage Online Help - IP Binding
»   HP System Management Homepage Online Help - IP Restricted Login
»   HP System Management Homepage Online Help - Local Server Certificate
»   HP System Management Homepage Online Help - Alternative Names Certificates
»   HP System Management Homepage Online Help - Port 2301 and Autostart (Linux only)
»   HP System Management Homepage Online Help - Timeouts
»   HP System Management Homepage Online Help - Trust Mode
»   HP System Management Homepage Online Help - Trusted Management Servers
»   HP System Management Homepage Online Help - User Groups

Related Topic

»   HP System Management Homepage Online Help - The Settings page