Configuring Fusion for Kerberos in Windows

To configure the Fusion UI service to use Kerberos for user authentication, you must create a Kerberos security realm.

Kerberos is a system that provides authenticated access for users and services on a network. Instead of sending passwords in plaintext over the network, encrypted passwords are used to generate time-sensitive tickets that are used for authentication. SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.

Kerberos uses symmetric-key cryptography and a trusted third party called a Key Distribution Center (KDC) to authenticate users to a suite of network services. (By users we mean both end users and client programs). The computers managed by that KDC and any secondary KDCs constitute a realm. When a user authenticates to the KDC, the KDC sends a set of credentials (a ticket) specific to that session back to the user’s machine. Kerberos-aware services use the ticket on the user’s machine for authentication instead of requiring sign-on with a password. Because tickets are used rather than passwords, this provides the convenience of Single Sign-On (SSO) in addition to security.

A Kerberized process is one that has been configured so it can get tickets from a KDC and negotiate with Kerberos-aware services. When a user sends an HTTP request, Fusion tries to authenticate using the Kerberos/SPNEGO protocol. If the request was sent from a browser, Fusion does not display the initial sign-on panel; instead on login, the user sees the main Fusion collections panel.

Important
This article focuses on configuring Fusion for Kerberos in Windows. To learn how to configure Fusion for Windows, see Configuring Fusion for Kerberos in Unix.

1. Set up and Configure the Active Directory Domain Service

1.1. Install the Active Directory Domain Service

To begin, follow Microsoft’s instructions on how to install Active Directory Domain Services.

This topic uses the following domain throughout this example:

NETBIOS Domain

FUSIONIS

Fully qualified domain name

fusionis.life

1.2. Create a New User

Launch the Server Manager. Navigate to Tools > Active Directory Users and Computers. Within the fusionis.life server, locate the "Users" folder, right-click on the folder and select New > User.

Important
When creating a user for this purpose, ensure the First name and Display name fields both hold the exact same value.

These instructions use the following user name throughout this example:

Distinguished name (DN)

CN = kerberos500

CN = Users

DC = fusionis

DC = life

User Principal Name (UPN)

kerberos500@fusionis.life

NETBIOS Domain\samAccountName

FUSIONIS\kerberos500

Establish the desired delegation rules for the new user in the "Delegation" tab.

Kerberos500 Delegation

1.3. Create a Keytab for the New User

Enter the following command into the command prompt to create a keytab for the user you just created:

ktpass -out c:\Users\Administrator\kerberos500.keytab -princ HTTP/fusionis.life@FUSIONIS.LIFE -mapUser FUSIONIS\kerberos500 -mapOp set -pass YOUR_PASSWORD -crypto ALL -pType KRB5_NT_PRINCIPAL -kvno 0

The output will be similar to:

C:\Users\Administrator>ktpass -out c:\Users\Administrator\kerberos500.keytab -princ HTTP/fusionis.life@FUSIONIS.LIFE -mapUser kerberos500 -mapOp set -pass FroFro123# -crypto ALL -pType KRB5_NT_PRINCIPAL
Targeting domain controller: WIN-OVV6VHBGIB8.fusionis.life
Using legacy password setting method
Successfully mapped HTTP/fusionis.life to kerberos500.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\Users\Administrator\kerberos500.keytab:
Keytab version: 0x502
keysize 71 HTTP/fusionis.life@FUSIONIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xcd07200bea625d20)
keysize 71 HTTP/fusionis.life@FUSIONIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xcd07200bea625d20)
keysize 79 HTTP/fusionis.life@FUSIONIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xe39a141de38abd8750bf9c0bf49fd1c5)
keysize 95 HTTP/fusionis.life@FUSIONIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xdd6018ab718a4c312038189a20498f70c07d09a19d77ceea31cdd4cd1b08800a)
keysize 79 HTTP/fusionis.life@FUSIONIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x9b610485eae2d97dcf0ecaf4ab38a32b)

This process will create the kerberos500.keytab file required to set up the Kerberos realm in Fusion. The command will also set the service principal to HTTP/fusionis.life@FUSIONIS.LIFE.

Important

If you see the following, the user was not created correctly:

DsCrackNames returned 0x2 in the name entry for kerberos500.
Ktpass:failed getting target domain for specified user.

Delete the user, and repeat the steps above.

2. Set up Kerberos on Fusion Server

If you haven’t done so already, install Fusion now.

Log in to Fusion using the native username, COMPUTERNAME\username or DOMAIN\username (if your computer is part of a Windows domain). Navigate to DevOps > Access Control > Security Realms. Select "Add Security Realm", and use the following parameters:

Type

Kerberos

Keytab file

c:\Users\Administrator\kerberos500.keytab

Service principal

HTTP/fusionis.life@FUSIONIS.LIFE

Save your new realm before continuing.

3. Verify Kerberos is Working

Verify with cURL

While logged in as a user within the domain, launch the command prompt, and run the cURL command below:

curl --negotiate -u : http://fusionis.life:8764/api/apollo/collections

Navigate your web browser to http://fusionis.life:8764. If you are automatically logged in, Kerberos is working.

Verify with Google Chrome

To verify Kerberos is working with Google Chrome, run Chrome with the following command parameters:

"c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --auth-server-whitelist="*fusionis.life" --auth-negotiate-delegate-whitelist="*fusionis.life" --auth-schemes="basic,digest,ntlm,negotiate"

Navigate your web browser to http://fusionis.life:8764. If you are automatically logged in, Kerberos is working.

Verify with Firefox

To verify Kerberos is working with Firefox, navigate to about:config in your browser’s URL bar. If a message appears stating "This might void your warranty!", click "I accept the risk!".

Search for the string network.negotiate-auth.trusted-uris, double-click the field, and enter fusionis.life into the field that appears. Click "Ok".

Navigate your web browser to http://fusionis.life:8764. If you are automatically logged in, Kerberos is working.