Deployment Guide

Setup Active Directory

For Stages to be able to validate the user’s Kerberos ticket it has to maintain a trust relationship with the Kerberos domain. This trust relationship is established by mapping the Stages service to an Active Directory user account and exporting the Kerberos key of that account to the Stages server. For each Stages server instance a separate trust account has to be created.

To set up the Active Directory, start the Active Directory Users and Groups from the administrative tools menu and open the context menu of the Users tree node. Select New User from the menu. Next, enter the server's hostname in the first name field. Then type a password and check the “Password never expires” selection. Click next and confirm the summary dialog window. Export Kerberos key of the new account to a 'Keytab' file. Finally, open a command window on the Active Directory server and execute the following command:

ktpass –princ HTTP/<fqdn>@<KERBEROS-REALM>
 -mapuser <trust-account-name>
 -pass <trust-account-password>
 -out <output-file>
 -crypto rc4-hmac-nt

Note: The KERBEROS-REALM needs to be specified in upper case. The whole principal must exactly match the principal specified in the jaas.conf.

Now you have to securely transfer the keytab file to the Stages server.

Enable delegation

After exporting the keytab file, delegation has to be enabled on the trust account. Be aware that this can only be done after exporting the Kerberos key! Windows will not display this option, unless you have exported the key first. Select your trust account with the right mouse button and choose “Properties” from the context menu, click on the “Delegation” tab and check “Trust this user for delegation to any service (Kerberos only)”.

To use a more secure encryption for the keytab file

Execute the ktpass command as above but with e.g. -crypto AES256-SHA1.
After exporting the keytab file, delegation has to be enabled as described above. Additionally Kerberos AES256 encryption has to be enabled for your trust account. Select your trust account with the right mouse button and choose “Properties” from the context menu, click on the “Account” tab and check “This account supports Kerberos AES 256 bit encryption”.