While configuring Tridium’s own test setup for Kerberos authentication with the AX-3.8 LDAP driver, the IT manager recorded the following notes after working through the referenced MSDN article (Setting up a record in Active Directory for Kerberos Authentication).
Assigned a DHCP reservation to the Niagara host running the service. (A static IP address would also work.)
Created a DNS A record in tridium.net domain for this host (kerbtest2).
Created user account on tridium.net Active Directory (kerbtest2), and selected “Account is trusted for delegation” in the “Account Options” panel.
Created SPNs:
setspn -A host/kerbtest2.tridium.net kerbtest2
setspn -A HTTP/kerbtest2.tridium.net kerbtest2
Created keytab files to be used on device running the service:
ktpass -princ HTTP/kerbtest2.tridium.net@TRIDIUM.NET -pass password -mapuser kerbtest2 -out c:\temp\kerbtest2.http.keytab
ktpass -princ host/kerbtest2.tridium.net@TRIDIUM.NET -pass password -mapuser kerbtest2 -out c:\temp\kerbtest2.http.keytab
The ktpass command created the files, but also generated this warning:
“WARNING: pType and account do not match. This might cause problems.”
However, the files worked, so we disregarded the warning.
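As an added check (example code, not part of Tridium's notes or the Niagara product), a small Python parser for the MIT v2 keytab format that ktpass writes, used to confirm that the keytab copied to the Niagara host actually carries a key for every SPN registered with setspn. The principal names are the ones from the notes; the sample keytab bytes, the dummy RC4-HMAC key (enctype 23) and the kvno value are constructed for the example.

```python
import struct

def _counted(b: bytes) -> bytes:
    """uint16 big-endian length prefix, as used for realm and name components."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one keytab v2 entry; constructed test data, not ktpass output."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type=KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
    body += struct.pack(">I", kvno)                       # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body            # entry length prefix

def _read_counted(data: bytes, pos: int) -> tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data: bytes) -> list[dict]:
    """Parse an MIT keytab v2 (the format ktpass writes) into one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative length marks a deleted entry; skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                 # skip the keyblock; the key itself is not needed here
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def missing_principals(keytab: bytes, expected: set[str]) -> set[str]:
    """Return the SPNs from `expected` that have no key in the keytab."""
    return expected - {e["principal"] for e in parse_keytab(keytab)}

# Constructed sample: a keytab holding only the HTTP principal (RC4-HMAC, enctype 23, dummy key).
EXPECTED_SPNS = {"HTTP/kerbtest2.tridium.net@TRIDIUM.NET", "host/kerbtest2.tridium.net@TRIDIUM.NET"}
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/kerbtest2.tridium.net@TRIDIUM.NET", 3, 23, b"\x11" * 16)
```

Running the check against a real file is `missing_principals(open(path, "rb").read(), EXPECTED_SPNS)`, which should return an empty set. Because ktpass resets the account password and increments the account's msDS-KeyVersionNumber, the kvno reported here must also match that attribute, or the KDC will reject tickets cut with the old key.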
Copyright © 2000-2014 Tridium Inc. All rights reserved.