Configure Active Directory

This section describes how to configure a Kerberos client principal and Kerberos service principal in Active Directory acting as the Key Distribution Center (KDC). The principals in the KDC are used when configuring the Kerberos principals in Policy Studio. For more details, see Configure Kerberos principals.

Configure a user account for the Kerberos client

Configure a user account for the Kerberos client principal. In this example, the client principal is DemoClient@AXWAY.COM.

  1. On the Windows Domain Controller, click Control panel > Administrative Tools > Active Directory User and Computers.
  2. Right-click Users, and select New > User.
  3. Enter a name (such as DemoClient) in the First Name and User Logon Name fields, ensure the Active Directory domain is set to your domain, and click Next.
  4. Enter the password, and do the following:
    • User must change password at next logon: Deselect this.
    • User cannot change password: Select this.
    • Password never expires: Select this.

    This ensures that a working API Gateway configuration does not stop working when a user chooses, or is prompted to change their password. API Gateway does not track these actions.

    If these options are not suitable in your implementation and a user password changes in Active Directory, you must then update the password or keytab of the Kerberos client or service related to the user in Policy Studio, and redeploy the configuration to API Gateway.
    If you cannot deselect User must change password at next logon, ensure the user changes the password and that the new password or keytab is deployed to API Gateway before API Gateway attempts to connect as this user.

  5. Tip   You can store Kerberos passwords in a KPS table to update a changed password in runtime. For more details, see Use KPS to store passwords for Kerberos authentication.
  6. Click Next > Finish.

Configure a user account for the Kerberos service

  1. Configure a user account for the Kerberos service as in Configure a user account for the Kerberos client. In this example, the name of the service is DemoService@AXWAY.COM.
  2. Map a Service Principal Name (SPN) to the user account. The Kerberos client uses the SPN to uniquely identify a service. To map the SPN, open a command prompt on the Windows Domain Controller, and enter the following command:
    > ktpass -princ HTTP/<host>@<Kerberos realm> -mapuser <user> -pass password -out <user>.keytab -crypto rc4-hmac-nt -kvno 0
  3. The SPN is of the format HTTP/<host>@<Kerberos realm>, where <host> is the name of the host running the Kerberos service, DemoService in this case:
    > ktpass -princ HTTP/DemoService.axway.com@AXWAY.COM -mapuser DemoService -pass Axway123 -out DemoService.keytab -crypto rc4-hmac-nt -kvno 0
  4. Substitute the example realm name with your own domain name. Note that the realm name is uppercase.

The command creates an SPN HTTP/DemoService.axway.com@AXWAY.COM, which is mapped to the DemoService user account. The command also creates a keytab file for the account that you can use later when configuring a Kerberos service for API Gateway in Policy Studio. See Configure a Kerberos service.

Tip   If you do not want to create a keytab file, you can use the following command:
> setspn -A HTTP/<host> <user>

Related Links