When a user wants to authenticate to a service in a Kerberos realm, a series of steps must be taken to perform the authentication. The client (the user’s machine) must obtain credentials from the Kerberos servers, which are the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS and the TGS reside on the same machine and are referred to as the Key Distribution Center (KDC).

Kerberos Authentication Procedure

The following outlines the process when a user accesses secure services in a Kerberos realm. The process only occurs when the user initially logs in to a Kerberos realm and tries to perform the first access to a Kerberos-secured service.

1. The user logs in to the system (client) using his or her domain username and password. The user’s password is hashed, and this hash becomes the user’s secret key.
2. When the user tries to access a service, a message informs the AS that the user wants to access that service.
3. If the user is in the AS database, two messages are sent back to the client:
   - A Client/TGS session key, encrypted with the user’s secret key, which is used in the communication with the TGS.
   - A Ticket-Granting Ticket (TGT), encrypted with the secret key of the TGS. A ticket is used in Kerberos to prove one’s identity. The TGT allows the client to obtain other tickets for communication with network services.
4. Upon receiving these two messages, the client decrypts the message containing the Client/TGS session key.
The following process occurs every time a user wants to authenticate to a service:

1. When the user requests a service, the client sends two messages to the TGS:
   - A message composed of the TGT and the requested service.
   - An authenticator, made up of the client’s ID and the current timestamp, encrypted with the Client/TGS session key received before.
   Timestamps are used in Kerberos to avoid replay attacks. The clock skew among machines cannot exceed a specific limit.
2. The TGS decrypts the authenticator and sends two new messages back to the client. The client then sends two messages to the service:
   - The client-to-server ticket received from the TGS.
   - Another authenticator, made up of the client’s ID and the current timestamp, encrypted with the client/server session key.
3. The service decrypts the client-to-server ticket with its own secret key and sends the client a message with the received timestamp plus one, confirming its true identity. This message is encrypted with the client/server session key.
4. The client decrypts the message and checks the timestamp. If it is correct, requests may be issued to the service and it sends responses back as expected.
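The last exchange of this procedure (client-to-server ticket plus authenticator in, timestamp plus one back), as an added Python sketch that is not part of the original page: it uses a toy HMAC-protected seal instead of real Kerberos encryption, and the 300-second skew limit, the client name and the fixed clock value are assumptions made for the demo.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; the clock skew limit the text refers to (assumed value)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. Illustrative only, not Kerberos crypto.
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy 'encrypt with key': XOR keystream plus HMAC tag so a wrong key is detected."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: int, seen: set) -> bytes:
    """Service side of the last exchange: open the client-to-server ticket with the
    service's own secret key, validate the authenticator, reply with timestamp + 1."""
    t = unseal(service_key, ticket)                 # only the service can open this
    sess = bytes.fromhex(t["session_key"])          # client/server session key
    a = unseal(sess, authenticator)                 # proves the client knows the key
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")    # the error case the text describes
    if (a["client"], a["ts"]) in seen:
        raise ValueError("replay detected")         # same authenticator seen twice
    seen.add((a["client"], a["ts"]))
    return seal(sess, {"ts": a["ts"] + 1})

def run(skew: int = 0) -> int:
    """Constructed demo: returns the timestamp the service sends back (client ts + 1)."""
    service_key, sess = os.urandom(32), os.urandom(32)
    now = 1_245_948_909                             # fixed 'server clock' for the demo
    # Ticket the TGS would have issued for the constructed principal alice@EXAMPLE.COM
    ticket = seal(service_key, {"client": "alice@EXAMPLE.COM", "session_key": sess.hex()})
    auth = seal(sess, {"client": "alice@EXAMPLE.COM", "ts": now + skew})
    reply = unseal(sess, service_accept(service_key, ticket, auth, now, set()))
    return reply["ts"]
```

Calling run(skew=MAX_SKEW + 1) raises the clock skew error, the failure mode the text singles out.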
HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH. Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When this URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication. If the user does not have valid Kerberos credentials or if an error occurs during the authentication process, the Sign In page appears, showing an error message. For example, if the clock skew among the machines involved in authentication is too large, you receive an error message and are taken to the Sign In page.

Kerberos authentication does not work in the following local access situations:
- Accessing HP SMH from the machine where the KDC (AD) is installed
- Accessing HP SMH from the machine where HP SMH is installed

When an authentication error occurs, the system administrator should check the SMH HTTP server error log to obtain more information about the error. For example, when the clock skew among the machines is too large, the following log message is written:

[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054).
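As an added example (not from the original page), a small parser that pulls mod_spnego SSO failures out of the error log in the Apache layout quoted above, so an administrator can see which clients fail and with which SSPI status; the sample lines other than the quoted one are constructed.

```python
import re
from collections import Counter

# Apache error_log layout as quoted above: [timestamp] [level] [client addr] message
_LINE = re.compile(r"^\[(?P<when>[^\]]+)\] \[(?P<level>\w+)\] "
                   r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# mod_spnego failure: the SSPI call that failed and the numeric status in parentheses
_FAIL = re.compile(r"mod_spnego: Kerberos SSO \((?P<call>\w+)\) failed;.*\((?P<code>-?\d+)\)")

def kerberos_sso_failures(log_text: str) -> list:
    """Return one dict per mod_spnego SSO failure: when, client, failing call, SSPI code."""
    out = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m or m["level"] != "error":
            continue                      # skip notices and lines without a client field
        f = _FAIL.search(m["msg"])
        if f:
            out.append({"when": m["when"], "client": m["client"],
                        "call": f["call"], "code": int(f["code"])})
    return out

def failures_per_client(log_text: str) -> Counter:
    """Count SSO failures by client address, a quick triage view for an administrator."""
    return Counter(e["client"] for e in kerberos_sso_failures(log_text))

# Constructed sample log: the clock skew failure quoted in the text plus unrelated lines
SAMPLE_LOG = (
    "[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] "
    "mod_spnego: Kerberos SSO (QueryContextAttributes) failed; "
    "SSPI: The function requested is not supported\\r\\n(-2146893054).\n"
    "[Thu Jun 25 16:55:10 2009] [notice] Apache configured -- resuming normal operations\n"
    "[Thu Jun 25 16:56:01 2009] [error] [client 192.0.2.10] File does not exist: /favicon.ico\n"
)
```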
The following levels of user authorization are available:
- Administrator. Users with Administrator access can view all information provided through HP SMH. The appropriate default user group, Administrators for Windows operating systems and root for HP-UX and Linux, always has administrative access.
- Operator. Users with Operator access can view and set most information provided through HP SMH. Some web applications limit access to the most critical information to administrators only.
- User. Users with User access can view most information provided through HP SMH. Some web applications restrict viewing of critical information from individuals with User access.
To enable or disable Kerberos and add groups to the allowed Kerberos group list, complete the following steps for each level of access. Kerberos support is provided on a per-user basis.

Kerberos Administrator

To add a Kerberos Administrator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM format or REALM\group. Only alphanumeric and underline values are permitted. The use of special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; is not permitted.
6. Click the Administrator radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You can continue to add groups with administrative access by following steps 5 through 7.
8. Click [Apply].

To remove a Kerberos Administrator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Click the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].
Kerberos Operator

To add a Kerberos Operator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM format or REALM\groupname. Only alphanumeric and underline values are permitted. The use of special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; is not permitted.
6. Click the Operator radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You can continue to add groups with operator access by following steps 5 through 7.
8. Click [Apply].

To remove a Kerberos Operator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].
Kerberos User

To add a Kerberos User:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
5. In the Group Name textbox, enter a name in the group@REALM format or REALM\groupname. Only alphanumeric and underline values are permitted. The use of special characters such as ~ ' ! # $ % ^ & * ( ) + = / " : ' < > ? , | ; is not permitted.
6. Click the User radio button beside Type.
7. Click [Add]. The values entered are added as a new line in the list table. You may continue to add groups with user access by following steps 5 through 7.
8. Click [Apply].

To remove a Kerberos User:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. Select the check box beside the Group Name in the dynamic list that you want to remove from HP SMH.
5. Click [Remove].
6. Click [Apply].