Configure Kerberos authentication

To enable Kerberos user authentication, modify the IXIA TEXTML Server configuration.

Before you begin

  • TEXTML Server must run on a recent version of Windows Server with Active Directory for Kerberos authentication to work.
  • You must use Administrator privileges in an elevated command prompt to run the identified commands.

About this task

When enabled, Kerberos authentication occurs each time a user attempts to connect to a TEXTML Server instance.

For Kerberos authentication, you must create Service Principal Names (SPN) for the server in the Active Directory. The SPN is a unique identifier that must be created for each service that will use Kerberos authentication, so that clients can locate it over a network. The SPN is assigned to the account that is running TEXTML Server.

The SPN is the name that users will enter when they add a server to an administration console.

Note: Kerberos delegation must also be enabled on the computer or user account.

The account that you assign to SPN depends on your configuration.

  • If the TEXTML Server service runs under the default "Local Service" or "System" account, assign the SPN to the NetBIOS name of the machine, such as machinename@acme.local.

    Note that the TEXTML Server service should not run as the Local Service if any one of the following conditions applies:

    • TEXTML Server is installed in a Windows cluster
    • There are multiple Active Directory Forests in the network
    • An Active Directory Forest includes many domains
  • If the TEXTML Server service is running as another user, assign the SPN to the username, such as myusername@acme.local, which must be unique in the Active Directory.
  • If the TEXTML Server service is running in a cluster, assign the SPN to the username, such as myusername@acme.local, and not the machine name, so that it can still be reached in case of a cluster failover.

For more information about Kerberos, see http://msdn.microsoft.com/en-us/library/ms178119(v=sql.105).aspx.

To enable Kerberos authentication:

Procedure

  1. On the Kerberos server, run the following command to create an SPN for the TEXTML Server service.
    setspn -A TextmlServer/<MACHINE-NAME>:<port-number> <account>

    where:

    Option            Description                                                Example
    <MACHINE-NAME>    NetBIOS name of the machine, in uppercase                  WRITIX
    <port-number>     port number on which TEXTML Server listens                 2500
    <account>         one of the following:
                      - if the TEXTML Server service runs under the default      writix
                        "Local Service" or "System" account, the NetBIOS
                        name of the machine
                      - if TEXTML Server is running as another user, the         myusername@acme.local
                        username
                      - if the TEXTML Server service is running in a cluster,    myusername@acme.local
                        the username

    For example, if TEXTML Server is running on machine WRITIX, enter the following commands:

    If TEXTML Server service runs as   Enter:
    Local service                      setspn -A TextmlServer/WRITIX:2500 writix
    another user                       setspn -A TextmlServer/WRITIX:2500 textmlserveruser@acme.local
    in a cluster                       setspn -A TextmlServer/WRITIX:2500 textmlserveruser@acme.local

    A message similar to the following is displayed:
    Registering ServicePrincipalNames for CN=WRITIX,CN=Computers,DC=acme,DC=local
            TextmlServer/WRITIX:2500
    Updated object
  2. Run the command again, this time providing the fully qualified domain name (FQDN) for the TEXTML Server machine.
    setspn -A TextmlServer/<MACHINE-NAME>.<FQDN>:<port-number> <account>
    Note: Registering the SPN a second time, under the FQDN, ensures that clients can obtain a ticket for the TEXTML Server service whichever name they use to reach the machine.

    If TEXTML Server service runs as   Enter:
    Local service                      setspn -A TextmlServer/WRITIX.example.local:2500 writix
    another user                       setspn -A TextmlServer/WRITIX.example.local:2500 textmlserveruser@acme.local
    in a cluster                       setspn -A TextmlServer/WRITIX.example.local:2500 textmlserveruser@acme.local
  3. Repeat steps 1 and 2 if the TEXTML Server machine can also be reached through an alias, such as the DOCXML-SERVER alias.
    setspn -A TextmlServer/DOCXML-SERVER:2500 writix
    setspn -A TextmlServer/DOCXML-SERVER.example.local:2500 writix
  4. To confirm that you correctly created your SPNs, enter:
    setspn -L <account>

    where:

    <account> is the SPN account and location, such as writix@acme.local

    A message similar to the following is displayed, listing the existing SPNs defined for the account:

    Registered ServicePrincipalNames for CN=WRITIX,OU=Peoples,OU=Company,DC=acme,DC=local:
            TextmlServer/WRITIX.acme.local:2500
            TextmlServer/WRITIX:2500
            TextmlServer/DOCXML-SERVER.acme.local:2500
            TextmlServer/DOCXML-SERVER:2500
  5. To confirm that there are no duplicate SPNs defined for the TEXTML Server machine, enter:
    setspn -X
    Note: If you receive a notification of duplicates, see Remove a duplicate SPN.
  6. To enable Kerberos delegation:
    If the TEXTML Server service runs as Local service, enable Kerberos delegation as follows:
    1. Open Active Directory Users and Computers.
    2. Find the computer account.
    3. Open the Properties dialog for the computer account.
    4. Click the Delegation tab.
    5. Select Trust this computer for delegation to any service (Kerberos only).
    6. Click OK.

    If the TEXTML Server service runs as another user or in a cluster, enable Kerberos delegation as follows:
    1. Open Active Directory Users and Computers.
    2. Find the user account.
    3. Open the Properties dialog for the user account.
    4. Click the Account tab.
    5. In the Account options area, make sure that Account is sensitive and cannot be delegated is *not* enabled. If it is selected, unselect it.
    6. Click OK.
  7. On your TEXTML Server instance, go to the TextmlServerCfg.xml file:

    %ProgramData%\IxiaSoft\TextmlServer4.4

  8. Open the file, using a text editor such as Notepad.
  9. Set the <AuthenticateUsers> element value to True.
  10. Set the <AuthenticateUsingKerberos> element value to True.
  11. In the <Security> element, set the <ServerAdmin> and <ServerUser> elements to the names of the groups that contain all your users.
    For example:
    <ServerAdmin>
      <value NAME="Everyone"/>
    </ServerAdmin>
    <ServerUser>
      <value NAME="Everyone"/>
    </ServerUser>
  12. Save and close the file.
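One way to script steps 1 to 5 and 7 to 12 for a single machine, as an added PowerShell example that is not part of the IXIA guide. It assumes the machine, domain, port, account and alias values set at the top, that setspn supports -S and -X (Windows Server 2008 or later), and that the configuration elements named in the guide can be located by name anywhere in TextmlServerCfg.xml.

```powershell
# Added example (not IXIA's own code): register the TEXTML Server SPNs, verify them,
# and enable Kerberos in TextmlServerCfg.xml. Run from an elevated PowerShell prompt
# with rights to write SPNs in Active Directory. All values below are assumptions.
$Machine = 'WRITIX'
$Domain  = 'acme.local'
$Port    = 2500
$Account = 'textmlserveruser@acme.local'   # account the TEXTML Server service runs as
$Aliases = @('DOCXML-SERVER')              # DNS aliases clients may use; @() if none

# Steps 1 to 3: NetBIOS name, FQDN and every alias, so the SPN matches whichever
# name a client types when it adds the server to the administration console.
$Hosts = @($Machine, "$Machine.$Domain")
foreach ($alias in $Aliases) { $Hosts += $alias; $Hosts += "$alias.$Domain" }
foreach ($h in $Hosts) {
    $spn = "TextmlServer/${h}:$Port"
    # -S checks for an existing copy of the SPN before adding it; -A does not.
    setspn -S $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "Could not register $spn (duplicate on another account?)" }
}

# Step 4: list the SPNs now registered on the account.
setspn -L $Account

# Step 5: forest-wide duplicate search. A TextmlServer/ SPN held by two accounts
# breaks Kerberos, because the KDC cannot decide which account's key to use.
$dups = setspn -X -F | Select-String 'TextmlServer/'
if ($dups) { Write-Warning "Duplicate TEXTML SPNs found:`n$($dups -join "`n")" }

# Steps 7 to 12: enable Kerberos in the configuration file. The element paths are
# assumed from the element names in the guide; adjust them if your file differs.
$cfgPath = Join-Path $env:ProgramData 'IxiaSoft\TextmlServer4.4\TextmlServerCfg.xml'
Copy-Item $cfgPath "$cfgPath.bak"                 # keep a copy before editing
[xml]$cfg = Get-Content $cfgPath
$cfg.SelectSingleNode('//AuthenticateUsers').InnerText         = 'True'
$cfg.SelectSingleNode('//AuthenticateUsingKerberos').InnerText = 'True'
foreach ($role in 'ServerAdmin', 'ServerUser') {
    $node = $cfg.SelectSingleNode("//Security/$role")
    $node.RemoveAll()                             # drop any previous <value> entries
    $v = $cfg.CreateElement('value')
    $v.SetAttribute('NAME', 'Everyone')           # group that contains all your users
    [void]$node.AppendChild($v)
}
$cfg.Save($cfgPath)
```

Restart the TEXTML Server service after saving so that the new authentication settings take effect.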

What to do next

You must now configure who can access TEXTML Server. This is achieved by configuring TEXTML Server security through roles and permissions. See the Administration Guide for IXIA CCMS for more information.