Configuring Kerberos for Windows

The Windows machine must be joined to the Active Directory domain that provides the Kerberos realm, and delegation must be enabled for the machine's account on the Domain Controller.

Modifying Windows Registry for Client Machines

By default the Local Security Authority (LSA) does not release the session key of the ticket-granting ticket (TGT) to user-mode applications, so a Kerberos library such as the MIT client cannot use the Windows ticket cache to request service tickets. Setting the following registry value allows the TGT session key to be exported. Treat it as a test-only setting: once exported, the session key is readable by any process running in the user's session, which is enough to reuse the TGT, so remove the value when testing is finished.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Setting Up Environment Variables

To open the Environment Variables dialog, right-click the Windows 10 Start menu, click Control Panel, select System, click Advanced system settings, and then click Environment Variables.

You can set the following values as system variables:

KRB5_CONFIG = path to krb5.ini (the Windows equivalent of krb5.conf)
KRB5_TRACE = path to a writable log file, for example C:\Temp\krb5_trace.log (the Unix value /dev/stdout does not exist on Windows)

KRB5_TRACE turns on verbose tracing inside the Kerberos library and is meant for troubleshooting; remove it once the connection works.

You must shut down and then start your Windows machine after making this change. Do not restart your machine.
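The registry value and the two system variables above can be applied and checked from PowerShell. The following is an added example, not code from the original page: it writes the settings, reads them back, and provides a function to reverse the registry change after testing. The krb5.ini and trace-log paths are assumptions; run it from an elevated session.

```powershell
# Added example (not from the original page): apply the registry value and the
# two system environment variables described above, read them back, and undo the
# registry change when testing is over. Run from an elevated PowerShell session.
# The krb5.ini and trace-log paths are assumptions.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Krb5Ini  = 'C:\ProgramData\MIT\Kerberos5\krb5.ini'   # assumed location of the client krb5.ini
$TraceLog = 'C:\Temp\krb5_trace.log'                 # assumed; a file path, since /dev/stdout does not exist on Windows

function Set-KerberosClientSettings {
    param([string]$Krb5IniPath = $Krb5Ini, [string]$TraceLogPath = $TraceLog)
    # allowtgtsessionkey = 1 lets user-mode Kerberos libraries read the TGT session
    # key out of LSA. Any process in the user's session can then use the TGT, so
    # treat this as a test-only setting.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name 'allowtgtsessionkey' -Value 1 -Type DWord
    # Machine scope corresponds to the "System variables" pane of the dialog.
    [Environment]::SetEnvironmentVariable('KRB5_CONFIG', $Krb5IniPath, 'Machine')
    [Environment]::SetEnvironmentVariable('KRB5_TRACE',  $TraceLogPath, 'Machine')
}

function Test-KerberosClientSettings {
    # Returns $true only when every setting has the expected value.
    $key   = Get-ItemProperty -Path $RegPath -Name 'allowtgtsessionkey' -ErrorAction SilentlyContinue
    $cfg   = [Environment]::GetEnvironmentVariable('KRB5_CONFIG', 'Machine')
    $trace = [Environment]::GetEnvironmentVariable('KRB5_TRACE',  'Machine')
    $ok = $true
    if (-not $key -or $key.allowtgtsessionkey -ne 1) { Write-Warning 'allowtgtsessionkey is not 1'; $ok = $false }
    if (-not $cfg -or -not (Test-Path $cfg))         { Write-Warning "KRB5_CONFIG points at '$cfg', which does not exist"; $ok = $false }
    if (-not $trace)                                 { Write-Warning 'KRB5_TRACE is not set'; $ok = $false }
    return $ok
}

function Remove-KerberosTgtSessionKeyExport {
    # Reverse the registry change once testing is finished; the variables can stay.
    Remove-ItemProperty -Path $RegPath -Name 'allowtgtsessionkey' -ErrorAction SilentlyContinue
}

Set-KerberosClientSettings
if (Test-KerberosClientSettings) { 'Client settings applied; shut down and start the machine to pick them up.' }
```

Test-KerberosClientSettings checks that the krb5.ini file actually exists at the path stored in KRB5_CONFIG, which is the most common reason the client silently falls back to defaults.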

Configuring the Kerberos Client

The MIT client gives a quick way to confirm, during testing, that a ticket can be obtained:

  1. Download and install the MIT Kerberos client for Windows from the MIT website:

    http://web.mit.edu/kerberos/dist/

  2. When installation is complete, reboot your system.

    A Kerberos icon will appear on your desktop after restarting your machine.

  3. Double-click the Kerberos icon to open Kerberos.

    If the server-side configuration is complete, a Kerberos ticket is obtained and shown in the ticket manager window as user@REALM (user principal name format).
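The same confirmation can be made from the command line with the klist tool that ships with Windows. This added example, which is not part of the original page, parses klist output, checks that a ticket-granting ticket (krbtgt) is present, and warns if the ticket uses RC4 or DES instead of AES. The sample klist output embedded below is constructed, with assumed user and realm names, so the parser can be exercised offline.

```powershell
# Added example (not from the original page): confirm from the command line that
# a TGT is present for the logged-on user, and flag weak ticket encryption.
# The sample output below is constructed for an offline check; Test-KerberosTgt
# with no arguments runs the real klist.exe that ships with Windows.

function Get-KlistTickets {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Windows klist prints one block per cached ticket, each starting with "#n>".
    $tickets = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            $cur = [pscustomobject]@{ Client = $Matches[1].Trim(); Server = ''; EncType = '' }
            $tickets += $cur
        } elseif ($cur -and $line -match '^\s*Server:\s*(.+)$') {
            $cur.Server = $Matches[1].Trim()
        } elseif ($cur -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $cur.EncType = $Matches[1].Trim()
        }
    }
    return $tickets
}

function Test-KerberosTgt {
    param([string[]]$KlistOutput = (& klist.exe 2>&1))
    $tgt = @(Get-KlistTickets -Lines $KlistOutput | Where-Object { $_.Server -like 'krbtgt/*' })
    if ($tgt.Count -eq 0) {
        Write-Warning 'No TGT in the cache: log on again, or run "klist purge" and retry'
        return $false
    }
    foreach ($t in $tgt) {
        if ($t.EncType -match 'RC4|DES') {
            Write-Warning "TGT for $($t.Client) uses $($t.EncType); the account or domain is not using AES"
            return $false
        }
    }
    return $true
}

# Constructed sample of klist output (assumed user and realm) for the offline check.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: myuser @ REALM1.REALM2.COM
        Server: krbtgt/REALM1.REALM2.COM @ REALM1.REALM2.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/1/2024 9:00:00 (local)
        End Time:   1/1/2024 19:00:00 (local)
'@ -split "`r?`n"

Test-KerberosTgt -KlistOutput $sample   # offline check against the constructed sample
Test-KerberosTgt                         # live check against the current logon session
```

The encryption-type check matters because a keytab created with /crypto AES256-SHA1 (see the procedure below) cannot decrypt tickets the KDC issued with RC4.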

Procedure: How to Create a Keytab on Windows

The ktpass command ships with the Active Directory tools and is run on the Domain Controller, by an account that is allowed to read the target user. To create a keytab:

  1. Create an output folder outside the Windows system directories.
  2. Open a command shell and use the following syntax as a template:
    ktpass /princ myuser@REALM1.REALM2.COM /pass pass /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 1 /out out.keytab

    Note: The principal is the user account to which the service principal name (SPN) is mapped. The /kvno value must match the account's current key version number (the msDS-KeyVersionNumber attribute, which increases on every password change); a keytab with the wrong kvno cannot decrypt the tickets the KDC issues for the service.

    where:

    myuser

    Is the real account name (sAMAccountName) of the user to whom the SPN is mapped.

    REALM1.REALM2.COM

    Is a placeholder for the real Kerberos realm, normally the Active Directory domain name in upper case; it can be one DNS level deep or several.

    pass

    Is the account's password. ktpass accepts * here, in which case it prompts for the password instead of taking it from the command line (and the shell history).

    /out

    The name (or path) of the keytab file to write. Do not use the /mapuser switch: it overwrites the user principal name of the account with the value given to /princ. The principal name in the keytab must exactly match the account's real credential name. Without /mapuser, ktpass warns that no user mapping was performed; the warning can be ignored, because the SPN already registered on the account carries the mapping between principal and user. Because the account's password is not changed in this mode, the value given to /pass must be the account's current password, or the key written to the keytab will not match the one the KDC uses.

    /crypto

    Can be one of the following:

    • DES-CBC-CRC: obsolete; disabled by default on current Windows versions, keep only for legacy compatibility
    • DES-CBC-MD5: obsolete; same caveat as DES-CBC-CRC
    • RC4-HMAC-NT: the legacy default (128-bit RC4, keyed from the account's NT hash); deprecated
    • AES256-SHA1: AES256-CTS-HMAC-SHA1-96
    • AES128-SHA1: AES128-CTS-HMAC-SHA1-96
    • All: every supported type, which also puts DES and RC4 keys into the keytab

    Note: AES-128 or AES-256 are recommended for highest security. Check with the Active Directory administrator that AES is enabled on the account (the msDS-SupportedEncryptionTypes attribute): the KDC issues service tickets using the encryption types the account advertises, so a keytab holding only AES keys is useless while the account is still RC4-only.

  3. Replace myuser, REALM1.REALM2.COM, pass and out.keytab in the template with the real values, then run the command. The resulting file is equivalent to the account's password: keep it out of shared folders and restrict its file permissions.
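The three steps above can be scripted so that the key version number is read from Active Directory rather than hard-coded as 1, and so that the account is checked for an SPN and for AES support before ktpass runs. This is an added example, not the page's own procedure: the account name, realm and output folder are assumptions, and the ActiveDirectory module it uses is the one installed with the AD DS tools next to ktpass.

```powershell
# Added example (not the original page's procedure): run ktpass on a Domain
# Controller with the account's live key version number instead of a fixed
# /kvno 1, after checking the account's SPN and encryption types.
# Account, realm and output folder are assumptions.

Import-Module ActiveDirectory   # installed with the AD DS tools, alongside ktpass

$Realm  = 'REALM1.REALM2.COM'   # assumed: the AD domain name in upper case
$User   = 'myuser'              # assumed: the account that owns the SPN
$OutDir = 'C:\keytabs'          # assumed: a folder outside the Windows system directories

function Get-ServiceAccountKeyInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # msDS-KeyVersionNumber increments on every password change; a keytab whose
    # kvno does not match it fails when the service tries to decrypt tickets.
    $acct = Get-ADUser -Identity $SamAccountName -Properties msDS-KeyVersionNumber, servicePrincipalName, msDS-SupportedEncryptionTypes
    if (-not $acct.servicePrincipalName) {
        throw "$SamAccountName has no SPN; without /mapuser the SPN is what links the principal to the account"
    }
    # msDS-SupportedEncryptionTypes bits: 0x08 = AES128, 0x10 = AES256. Unset means RC4 only.
    $etypes = [int]$acct.'msDS-SupportedEncryptionTypes'
    $aes = (($etypes -band 0x18) -ne 0)
    if (-not $aes) {
        Write-Warning "$SamAccountName does not advertise AES; have the AD administrator enable it before using /crypto AES256-SHA1"
    }
    return [pscustomobject]@{ Kvno = [int]$acct.'msDS-KeyVersionNumber'; AesEnabled = $aes }
}

function New-ServiceKeytab {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Realm,
        [Parameter(Mandatory)][string]$OutFile
    )
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $info = Get-ServiceAccountKeyInfo -SamAccountName $SamAccountName

    # /pass * makes ktpass prompt, so the password never appears on the command
    # line or in the shell history. No /mapuser: the account's UPN is left alone.
    & ktpass /princ "$SamAccountName@$Realm" /pass * /ptype KRB5_NT_PRINCIPAL `
             /crypto AES256-SHA1 /kvno $info.Kvno /out $OutFile

    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutFile)) {
        throw "ktpass did not produce $OutFile (exit code $LASTEXITCODE)"
    }
    return Get-Item $OutFile
}

New-ServiceKeytab -SamAccountName $User -Realm $Realm -OutFile (Join-Path $OutDir "$User.keytab")
```

If the account does not advertise AES, the script still writes the keytab but warns first; without that warning the failure would surface only later, when the service cannot decrypt the RC4 tickets the KDC hands out.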

Downloading a Keytab to a Client Machine

You can map a drive in Windows Explorer and copy the keytab to the Windows client machine that will use it. A keytab is tied to the principal (account) it was created for, not to a machine, so the same file works on any client in the domain. Because it holds that account's long-term key, copy it over an authenticated share rather than by e-mail or a public drop location, and restrict the NTFS permissions on the copy to the identity that needs to read it.
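Before the keytab is put in place on the client it is worth confirming what it actually contains: that the principal is the expected one, that the kvno matches the account, and that no DES or RC4 keys were written (as happens with /crypto All). The following added example, which is not part of the original page, reads the keytab file format that ktpass writes (the MIT version-2 layout, big-endian integers), checks those three things, and copies the file with inheritance removed so only SYSTEM, local Administrators and the reading identity have access. The drive letter, paths, principal, kvno and reader identity are assumptions.

```powershell
# Added example, not part of the original page: inspect the keytab before it goes
# to a client, then copy it with restrictive NTFS permissions. ktpass writes the
# MIT keytab version-2 layout (magic 0x05 0x02, big-endian integers), which is
# parsed here directly. Paths, principal, kvno and the reading identity are assumptions.

$EncTypeNames = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 23 = 'rc4-hmac'
                   17 = 'aes128-cts-hmac-sha1-96'; 18 = 'aes256-cts-hmac-sha1-96' }

function Read-UInt16BE { param([byte[]]$B, [int]$O) return ([int]$B[$O] -shl 8) -bor [int]$B[$O + 1] }
function Read-Int32BE {
    param([byte[]]$B, [int]$O)
    $v = ([int64]$B[$O] -shl 24) -bor ([int64]$B[$O + 1] -shl 16) -bor ([int64]$B[$O + 2] -shl 8) -bor [int64]$B[$O + 3]
    if ($v -ge 0x80000000) { $v -= 0x100000000 }   # two's complement; a negative entry size marks a deleted slot
    return $v
}

function Read-Keytab {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 2 -or $b[0] -ne 5 -or $b[1] -ne 2) { throw "$Path is not a version-2 keytab" }
    $entries = @(); $pos = 2
    while ($pos + 4 -le $b.Length) {
        $size = Read-Int32BE $b $pos; $pos += 4
        if ($size -lt 0) { $pos += -$size; continue }          # deleted entry: skip it
        $end = $pos + $size
        $n = Read-UInt16BE $b $pos; $pos += 2                  # number of principal components
        $len = Read-UInt16BE $b $pos; $pos += 2
        $realm = [Text.Encoding]::ASCII.GetString($b, $pos, $len); $pos += $len
        $comps = @()
        for ($i = 0; $i -lt $n; $i++) {
            $len = Read-UInt16BE $b $pos; $pos += 2
            $comps += [Text.Encoding]::ASCII.GetString($b, $pos, $len); $pos += $len
        }
        $pos += 8                                               # name_type (4) + timestamp (4)
        $vno = [int64]$b[$pos]; $pos += 1                       # 8-bit kvno
        $enctype = Read-UInt16BE $b $pos; $pos += 2
        $keyLen = Read-UInt16BE $b $pos; $pos += 2 + $keyLen    # key bytes are skipped, never copied out
        if ($end - $pos -ge 4) {                                # optional 32-bit kvno overrides the 8-bit one
            $v32 = Read-Int32BE $b $pos; if ($v32 -ne 0) { $vno = $v32 }
        }
        $pos = $end
        $name = $EncTypeNames[$enctype]; if (-not $name) { $name = "etype $enctype" }
        $entries += [pscustomobject]@{
            Principal = ($comps -join '/') + "@$realm"
            Kvno      = $vno
            EncType   = $enctype
            Name      = $name
        }
    }
    return $entries
}

function Test-Keytab {
    param([string]$Path, [string]$ExpectedPrincipal, [int]$ExpectedKvno)
    $entries = @(Read-Keytab -Path $Path)
    if ($entries.Count -eq 0) { Write-Warning "$Path has no entries"; return $false }
    $ok = $true
    foreach ($e in $entries) {
        if ($e.Principal -cne $ExpectedPrincipal) { Write-Warning "unexpected principal $($e.Principal)"; $ok = $false }
        if ($e.Kvno -ne $ExpectedKvno)           { Write-Warning "$($e.Principal): kvno $($e.Kvno), expected $ExpectedKvno"; $ok = $false }
        if ($e.EncType -notin 17, 18)            { Write-Warning "$($e.Principal): $($e.Name) key present; ship AES keys only"; $ok = $false }
    }
    return $ok
}

function Copy-KeytabToClient {
    param([string]$Source, [string]$Destination, [string]$ReaderIdentity)
    New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null
    Copy-Item -Path $Source -Destination $Destination -Force
    # Drop inherited ACEs so that only SYSTEM, local Administrators and the
    # identity that actually reads the keytab have access to it.
    icacls $Destination /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' "${ReaderIdentity}:(R)" | Out-Null
    return $Destination
}

# Assumed values: DC share mapped as drive K:, expected kvno 3, service runs as REALM1\myuser.
if (Test-Keytab -Path 'K:\keytabs\myuser.keytab' -ExpectedPrincipal 'myuser@REALM1.REALM2.COM' -ExpectedKvno 3) {
    Copy-KeytabToClient -Source 'K:\keytabs\myuser.keytab' -Destination 'C:\ProgramData\Kerberos\myuser.keytab' -ReaderIdentity 'REALM1\myuser'
}
```

Read-Keytab deliberately skips over the key bytes instead of returning them; a verification step has no reason to hold the long-term key in memory, and the principal, kvno and encryption type are enough to decide whether the file is the right one.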