Configuring Active Directory; Installing The Spn And The Ktpass Utilities For Windows Server 2003 - Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual


Windows 7 with Internet Explorer 8. Be aware of the following issues:
  Internet Explorer needs to have the Internet Options configured to trust the URL of the Identity Server.
  The keytab file must be configured to trust more than DES encryption. If you created your keytab file for an earlier version of Access Manager where only DES was supported, you need to recreate the keytab file. For the new procedure, see Section 5.2.3, "Configuring the Keytab File," on page 163.
  For more information on these issues, see TID 7006036 (http://www.novell.com/support/viewContent.do?externalId=7006036&sliceId=1).
Active Directory must be configured to contain entries for both the users and their machines.
Active Directory must be running on Windows Server 2003 Enterprise SP2 or Windows Server 2008 SP2 or higher.
Active Directory and the Identity Server must be configured to use a Network Time Protocol server. If time is not synchronized, authentication fails.
If a firewall separates the Active Directory Server from the Identity Server, the firewall needs to open ports TCP 88 and UDP 88 so that the Identity Server can communicate with the KDC on the Active Directory Server.
The Identity Server can communicate with only one KDC identified by IP address in the configuration. This limitation is caused by the underlying Sun JGSS and limits the Identity Server so that it can support only one Kerberos class with one Kerberos method.

5.2 Configuring Active Directory

You must create a new user in Active Directory for the Identity Server, set up this user account to be a service principal, create a keytab file, and add the Identity Server to the Forward Lookup Zone. These tasks are described in the following sections:
"Installing the spn and the ktpass Utilities for Windows Server 2003" on page 161
"Creating and Configuring the User Account for the Identity Server" on page 162
"Configuring the Keytab File" on page 163
"Adding the Identity Server to the Forward Lookup Zone" on page 163

5.2.1 Installing the spn and the ktpass Utilities for Windows Server 2003

When you install Windows Server 2003 and Active Directory, the spn and ktpass utilities are not installed in a default installation. These utilities are installed in a default Windows Server 2008 installation.
You need the spn and ktpass utilities to configure the Identity Server for Kerberos authentication.
1 Insert the Windows 2003 CD into the CD drive.
2 To install the utilities, run \SUPPORT\TOOLS\SUPTOOLS.MSI on the CD.
The utilities are installed in C:\Program Files\Support Tools.
Configuring for Kerberos Authentication 161
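
The requirement above that the keytab file support more than DES can be checked on an existing file before deciding whether it has to be recreated. The following Python is an added example, not code from the Novell guide; it assumes the standard keytab file format version 0x0502, and the principal names and all-zero keys in SAMPLE are constructed.

```python
import struct

DES = {1, 2, 3}  # enctypes des-cbc-crc, des-cbc-md4, des-cbc-md5

def _counted(buf, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                 # negative size marks a deleted entry
            continue
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, p = _counted(rec, p)
            parts.append(part)
        p += 4 + 4 + 1                # skip name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", rec, p)
        out.append(("/".join(parts) + "@" + realm, etype))
    return out

def des_only(entries):
    """Principals holding nothing but single-DES keys: recreate their keytab."""
    seen = {}
    for princ, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, e in seen.items() if e <= DES)

def make_entry(realm, comps, etype, keylen):  # constructed entry, all-zero key
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBHH", 1, 0, 3, etype, keylen) + bytes(keylen))
    return struct.pack(">i", len(body)) + body

# Constructed sample: one legacy DES-only principal, one that also has AES-256.
SAMPLE = (b"\x05\x02" + make_entry("EXAMPLE.COM", ["HTTP", "old.example.com"], 3, 8)
          + make_entry("EXAMPLE.COM", ["HTTP", "idp.example.com"], 3, 8)
          + make_entry("EXAMPLE.COM", ["HTTP", "idp.example.com"], 18, 32))
```

To audit a real file, pass its bytes: `des_only(parse_keytab(open(path, "rb").read()))`. Any principal returned has only DES keys and falls under the "recreate the keytab file" case described above.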
