Configure Active Directory

This section describes how to configure a Kerberos service principal for API Gateway in Active Directory acting as the Key Distribution Center (KDC).

  1. On the Windows Domain Controller, click Control panel > Administrative Tools > Active Directory User and Computers.
  2. Right-click Users, and select New > User.
  3. Enter a name for the Kerberos principal (such as IntermediaryGateway) in the First Name and User Logon Name fields, select your Active Directory domain from the drop-down menu (, and click Next.
  4. Enter the password, and do the following:
    • User must change password at next logon: Deselect this.
    • User cannot change password: Select this.
    • Password never expires: Select this.

    This ensures that a working API Gateway configuration does not stop working when a user chooses, or is prompted to change their password. API Gateway does not track these actions.

    If these options are not suitable in your implementation and a user password changes in Active Directory, you must then update the password or keytab of the Kerberos client or service related to the user in Policy Studio, and redeploy the configuration to API Gateway.
    If you cannot deselect User must change password at next logon, ensure the user changes the password and that the new password or keytab is deployed to API Gateway before API Gateway attempts to connect as this user.

  5. Tip   You can store Kerberos passwords in a KPS table to update a changed password in runtime. For more details, see Use KPS to store passwords for Kerberos authentication.
  6. Click Next > Finish.
  7. Map a Service Principal Name (SPN) to the user account. The Kerberos client uses the SPN to uniquely identify a service. To map the SPN, open a command prompt on the Windows Domain Controller, and enter the following command:
    > ktpass -princ HTTP/<host>@<Kerberos realm> -mapuser <user> -pass password -out <user>.keytab -crypto rc4-hmac-nt -kvno 0
  8. The SPN is of the format HTTP/<host>@<Kerberos realm>, where <host> is the name of the host running the Kerberos service, IntermediaryGateway in this case:
    > ktpass -princ HTTP/ -mapuser IntermediaryGateway -pass Axway123 -out IntermediaryGateway.keytab -crypto rc4-hmac-nt -kvno 0
  9. Replace the example Kerberos realm name with your own realm name. Note that the realm name is uppercase.
  10. The command creates an SPN HTTP/, which is mapped to the IntermediaryGateway user account. The command also creates a keytab file for the account that you can use later when configuring a Kerberos service for API Gateway in Policy Studio. See Configure API Gateway policy.

    Tip   If you do not want to create a keytab file, you can use the following command:
    > setspn -A HTTP/<host> <user>

    As a Kerberos service, API Gateway authenticates the client application using Kerberos authentication. For the authentication to succeed, the client application or end user must also have an account configured in your Active Directory. For an example configuration for the client account, see Configure a user account in Active Directory. You must also configure user accounts and Service Principal Names (SPN) for the back-end services you want API Gateway to request service tickets for.

  11. Right-click on the new user, and select Properties > Delegation. Then, select the Trust this user for delegation to any service (Kerberos only) option.
  12. This is required for the API Gateway to extract delegated credentials when using unconstrained delegation where the client is the browser.

For the next steps, see Configure Kerberos principals.

Related Links