Configuring Kerberos authentication
December 13, 2023
To use Kerberos authentication, make sure that the DNS reverse lookup zones contain a PTR entry for the fully qualified domain name (FQDN) and URL (if the URL is different from the FQDN) of each cluster node.
If you are configuring authentication with a domain whose name contains the root domain .local, you must complete the following steps to prepare the operating system for correct Kerberos authentication.
To configure Kerberos authentication:
- In the application web interface window, select the Settings → Application access → Single Sign-On login section.
- In the Kerberos authentication settings group, set the Use Kerberos toggle switch to Enabled.
- Click the Upload button to upload a previously created keytab file.
The file selection window opens.
The keytab file must contain the SPN of the node with role Control and the SPNs of the nodes with role Secondary.
- Select the keytab file and click Open.
- Click Save.
If the SPN of the node with role Control or the SPN of any node with role Secondary is not found in the keytab file, the No SPN for Kerberos Single Sign-On status is displayed for this node in the Nodes section. If no SPN for any of the nodes is found in the keytab file, the Save button is not available.
Kerberos authentication will be configured. Users that complete authentication in Active Directory will be able to use Single Sign-On to connect to the application web interface. Access to application functionality will be determined by the rights of the application account.
When Kerberos authentication is disabled, the previously uploaded keytab file is deleted.
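A pre-upload check for the keytab requirement above, as an added example that is not part of the application or its documentation: it parses a keytab in the MIT file format 0x0502 and lists the cluster nodes whose SPN is absent from it. The `HTTP/<FQDN>@<REALM>` SPN form, the host names and the realm are assumptions, and the sample keytab is constructed with dummy keys.

```python
import struct

def build_entry(realm, components, kvno=1):
    """Build one keytab entry with an all-zero dummy key (constructed test data)."""
    body = struct.pack(">H", len(components))
    for s in (realm, *components):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", 18, 32) + bytes(32)   # enctype 18 (AES256), 32-byte key
    return struct.pack(">i", len(body)) + body

def keytab_principals(data):
    """Return the set of principals (name@REALM) in a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    principals, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # zero length ends the entry list
            break
        if size < 0:                 # negative length marks a deleted entry (hole)
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entry, off, parts = data[pos:pos + size], 2, []
        (count,) = struct.unpack_from(">H", entry, 0)
        for _ in range(count + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        principals.add("/".join(parts[1:]) + "@" + parts[0])
        pos += size
    return principals

def missing_spns(data, node_fqdns, realm, service="HTTP"):
    """List nodes whose SPN (assumed form service/FQDN@REALM) is not in the keytab."""
    have = keytab_principals(data)
    return [f for f in node_fqdns if f"{service}/{f}@{realm}" not in have]

# Constructed sample: keytab covering the Control node and one of two Secondary nodes.
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.COM", ["HTTP", "control.example.com"])
          + build_entry("EXAMPLE.COM", ["HTTP", "secondary1.example.com"]))
NODES = ["control.example.com", "secondary1.example.com", "secondary2.example.com"]

if __name__ == "__main__":
    print("Nodes without an SPN in the keytab:", missing_spns(SAMPLE, NODES, "EXAMPLE.COM"))
```

To check a real file, pass the bytes read from the keytab in binary mode to `missing_spns` together with the node names and realm of your cluster.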