Configure a user account in Active Directory

This section describes how to configure a Kerberos client principal for API Gateway in Active Directory acting as the Key Distribution Centre (KDC).

  1. On the Windows Domain Controller, click Control Panel > Administrative Tools > Active Directory Users and Computers.
  2. Right-click Users, and select New > User.
  3. Enter a name for the user (such as ClientGateway) in the First Name and User Logon Name fields, ensure the Active Directory domain is set to your domain, and click Next.
  4. Enter the password, and do the following:
    • User must change password at next logon: Deselect this.
    • User cannot change password: Select this.
    • Password never expires: Select this.

    This ensures that a working API Gateway configuration does not stop working when a user chooses, or is prompted, to change their password. API Gateway does not track these actions.

    If these options are not suitable in your implementation and a user password changes in Active Directory, you must then update the password or keytab of the Kerberos client or service related to the user in Policy Studio, and redeploy the configuration to API Gateway.
    If you cannot deselect User must change password at next logon, ensure the user changes the password and that the new password or keytab is deployed to API Gateway before API Gateway attempts to connect as this user.

    Tip   You can store Kerberos passwords in a KPS table to update a changed password at runtime. For more details, see Use KPS to store passwords for Kerberos authentication.
  5. Click Next > Finish.
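The same account can be created from PowerShell with the ActiveDirectory (RSAT) module, which is useful when the steps above must be repeated or scripted. This is an added example, not part of the original page or the product documentation; the domain example.com, the OU path and the user name ClientGateway are assumptions, and the final check confirms the three account options before you deploy the password or keytab to API Gateway.

```powershell
# Added example: create the API Gateway Kerberos client account with the
# ActiveDirectory module instead of the Users and Computers console.
# Assumptions: domain example.com, OU "OU=ServiceAccounts,DC=example,DC=com",
# user name ClientGateway. Run on a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

$userName = 'ClientGateway'
$domain   = 'example.com'
$ouPath   = 'OU=ServiceAccounts,DC=example,DC=com'

# Prompt for the password rather than embedding it in the script; the same
# value is later entered in Policy Studio (or used to generate the keytab).
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

$params = @{
    Name                  = $userName
    GivenName             = $userName
    SamAccountName        = $userName
    UserPrincipalName     = "$userName@$domain"
    Path                  = $ouPath
    AccountPassword       = $password
    Enabled               = $true
    ChangePasswordAtLogon = $false   # "User must change password at next logon": deselected
    CannotChangePassword  = $true    # "User cannot change password": selected
    PasswordNeverExpires  = $true    # "Password never expires": selected
}
New-ADUser @params

# Verify the options took effect. pwdLastSet = 0 is how AD records
# "must change password at next logon", so it must be non-zero here.
$u = Get-ADUser -Identity $userName -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet
$mustChangeAtLogon = ($u.pwdLastSet -eq 0)

if ($mustChangeAtLogon -or -not $u.CannotChangePassword -or -not $u.PasswordNeverExpires) {
    throw "$userName is not configured as required for API Gateway Kerberos authentication"
}
"$userName created: changeAtLogon=$mustChangeAtLogon, cannotChange=$($u.CannotChangePassword), neverExpires=$($u.PasswordNeverExpires)"
```

If your policy does not allow "Password never expires", keep the check and instead schedule the password or keytab update in Policy Studio described above so the account change and the redeploy happen together.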

As a Kerberos client, API Gateway authenticates to an existing back-end Kerberos service. For the authentication to succeed, the back-end Kerberos service must have an account and any SPNs configured in your Active Directory. For an example configuration, see Configure a user account in Active Directory.

For next steps, see Configure Kerberos principals.
