Verify/set up on each Workbench (or browser client) PC: a krb5.conf file and a Windows registry change.
krb5.conf is a text configuration file for Kerberos. It specifies items such as the default realm to contact and which flags should be set on tickets you acquire. To use Kerberos authentication with a NiagaraAX LDAP user service, you must be able to acquire forwardable Kerberos tickets.
To ensure this, you may need to edit your local krb5.conf file.
On a Windows host, you may find this file at:
c:\winnt\krb5.ini or else c:\windows\krb5.ini (note the different .ini extension)
Or on a Linux host, find this file at: /etc/krb5.conf
In any case, the “libdefaults” section in this file needs the following line:
forwardable=true
If this file does not have this section, add the following lines at the top of the file:
[libdefaults]
forwardable=true
Save this file after making any change.
The following applies to krb5.conf file changes:
Some systems may require a more advanced krb5.conf file than the one discussed above. In that case, you typically have the Kerberos administrator set it up for you, if it does not already exist.
If you do not have a krb5.ini or krb5.conf file, create it at one of the locations mentioned above. Alternatively, in any OS, you can create a krb5.conf file (note the file extension) in the directory:
(Windows)
<java_home>\lib\security
(Linux and Solaris)
<java_home>/lib/security
This new file requires only the two lines previously shown.
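One way to verify and apply the krb5.conf requirement above across several client PCs, as an added example that is not part of the NiagaraAX documentation. The function names and sample file contents are constructed for illustration, and only the value true in the [libdefaults] section is accepted, as the page specifies.

```python
import re

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*forwardable\s*=\s*(\S+)\s*$")
WANTED = "forwardable=true"  # the line the page requires in [libdefaults]

def check_forwardable(text):
    """Return 'ok', 'missing-section', 'missing-key' or 'wrong-value'."""
    section, seen, status = None, False, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            seen = seen or section == "libdefaults"
            continue
        m = SETTING.match(line)
        # A forwardable line in any other section does not count.
        if m and section == "libdefaults":
            status = "ok" if m.group(1).lower() == "true" else "wrong-value"
    if not seen:
        return "missing-section"
    return status or "missing-key"

def ensure_forwardable(text):
    """Return the file text with the page's edit applied where needed."""
    status = check_forwardable(text)
    if status == "ok":
        return text
    if status == "missing-section":
        # Page: add the two lines at the top of the file.
        return "[libdefaults]\n" + WANTED + "\n" + text
    out, section, added = [], None, False
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            out.append(line)
            if section == "libdefaults" and status == "missing-key" and not added:
                out.append(WANTED)
                added = True
            continue
        if section == "libdefaults" and SETTING.match(line):
            line = WANTED  # replace a value other than true
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample inputs (not taken from any real host).
NO_KEY = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n[realms]\n"
WRONG_SECTION = "[appdefaults]\nforwardable = true\n"
WRONG_VALUE = "[libdefaults]\n forwardable = false\n"

if __name__ == "__main__":
    for name, text in [("NO_KEY", NO_KEY), ("WRONG_SECTION", WRONG_SECTION), ("WRONG_VALUE", WRONG_VALUE)]:
        print(name, check_forwardable(text), "->", check_forwardable(ensure_forwardable(text)))
```

Read the file into a string, pass it to check_forwardable, and write back the result of ensure_forwardable only when the status is not ok.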
If you are using a Windows PC running Windows XP SP2 or higher and would like to access your native Kerberos ticket, you need to set a registry key to allow Java access to it.
It is recommended to back up your Windows registry before making any changes. For more information, search on “Backing Up Your Registry” for instructions specific to your Windows version.
To set this registry key, start the registry editor (regedit) and add/edit the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: AllowTgtSessionKey
Value type: REG_DWORD
Value: 0x01
If using Windows XP, you should add/edit the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value name: AllowTgtSessionKey
Value type: REG_DWORD
Value: 0x01
If ever necessary, you can return to the default Windows security settings by changing the value of this registry key to 0.
Copyright © 2000-2014 Tridium Inc. All rights reserved.