Specifying Keytab for Kerberos SSO
If you are using the Kerberos SSO authentication domain (Windows SSO security policy), the Windchill RV&S server needs to be able to access secret key information in order to authenticate service tickets received from the client. The Windchill RV&S server can derive its secret key from a keytab file that is specified in the following properties in the security.properties file.
mks.security.SPN
mks.security.keyTabFile
mks.security.clientServiceName
mks.security.allowClientRegistryEdit
To support multiple domains, these properties must be repeated for each child domain, for example:
mks.security.SPN=integrityServer/parent
mks.security.keyTabFile=parent.keytab
mks.security.clientServiceName=parent
mks.security.SPN.1=integrityServer/child1
mks.security.keyTabFile.1=child1.keytab
mks.security.clientServiceName.1=child1
mks.security.SPN.2=integrityServer/child2
mks.security.keyTabFile.2=child2.keytab
mks.security.clientServiceName.2=child2
|
Only multiple domains within a single forest are supported. Multiple forests are not supported.
|
|
Do not supply the domain for mks.security.SPN. The domain is appended by the server during authentication. For example, mks.security.SPN=integrityServer/parent, not mks.security.SPN=integrityServer/parent.ABCDOMAIN.COM.
|
The root or main domain for the forest should be specified in the default settings. The children should be specified in the other settings, for example:
mks.security.SPN=integrityServer/parent
mks.security.keyTabFile=parent.keytab
mks.security.clientServiceName=parentISUser
mks.security.SPN.1=integrityServer/child1
mks.security.keyTabFile.1=child1.keytab
mks.security.clientServiceName.1=child1ISUser
mks.security.SPN.2=integrityServer/child2
mks.security.keyTabFile.2=child2.keytab
mks.security.clientServiceName.2=child2ISUser
Related Links