Follow the steps below to configure Kerberos Authentication for your Active Directory.
To get the full functionality offered by Kerberos authentication, you must provide the credentials of a user that has write access to Active Directory. Oracle VDI uses this account to read user entries and to delete computer entries from the directory. Use a dedicated account that holds only those rights rather than a domain administrator.
Kerberos Authentication requires some specific configuration on the Active Directory server and Oracle VDI hosts prior to setting up the user directory in the Oracle VDI Manager.
Kerberos authentication must be enabled in Active Directory. It is enabled by default.
Ensure that each Active Directory forest has a global catalog server.
Configure a domain controller in each forest as a global catalog server.
Set the Forest Functional Level.
If the domain controller is running on Microsoft Windows Server 2008 R2, the Forest Functional Level must be raised to Windows Server 2008 or Windows Server 2008 R2 instead of the default, Windows Server 2003. Refer to the Microsoft documentation for more information about the Forest Functional Level.
Synchronize the time between the Oracle VDI hosts and the Active Directory server.
Kerberos rejects tickets and authenticators whose timestamps differ from the local clock by more than the permitted clock skew (5 minutes by default), so the clocks on all hosts must be synchronized. Use Network Time Protocol (NTP) software or the rdate command. For a one-off adjustment, for example:
# ntpdate my.windows.host
In a production environment, it is best to use an NTP time server.
Edit the system default Kerberos configuration file on the Oracle VDI hosts.
The system default Kerberos configuration file is /etc/krb5/krb5.conf on Oracle Solaris OS platforms and /etc/krb5.conf on Oracle Linux platforms.
Realm names in the Kerberos configuration file are case-sensitive, so make sure you respect the capitalization shown in the example: the realm name is the Active Directory domain name written in upper case (MY.COMPANY.COM), while the DNS domain names that map to it stay in lower case.
At a minimum, the Kerberos configuration file must contain the following sections:
[libdefaults] - sets defaults for Kerberos authentication. You must set the default_realm.
[realms] - sets the KDCs for each Kerberos realm. A realm can have more than one kdc entry, and the port can be omitted if the default port 88 is used.
To allow end-users to update their password (Section 7.2.6, “How to Change User Password”), the server that handles the password change for each Kerberos realm must be specified. The kpasswd_server and admin_server entries identify the Kerberos administration server that handles the password change. If kpasswd_server is omitted, the admin_server is used instead. The port can be omitted if the default port 464 is used.
Format of a realm definition:
    REALM_NAME = {
        kdc = host:port
        kdc = host:port
        ...
        kpasswd_server = host:port
        admin_server = host:port
        kpasswd_protocol = SET_CHANGE
    }
[domain_realm] - maps Active Directory domains to Kerberos realms.
The following is an example Kerberos configuration file for a forest with a single domain:
[libdefaults]
    default_realm = MY.COMPANY.COM
[realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
        admin_server = my.windows.host
        kpasswd_protocol = SET_CHANGE
    }
[domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
You can check that Kerberos and its name resolution requirements are configured properly by using getent, nslookup, and kinit. Forward and reverse lookups of the domain controller must agree, and the SRV record for the global catalog must resolve. For example:
# getent hosts <my.windows.host>            must return the IP address and the hostname
# getent hosts <IP_of_my.windows.host>      must return the IP address and the hostname
# nslookup -query=any _gc._tcp.<my.company.com>    must resolve the domain
# kinit -V <super-user@MY.COMPANY.COM>       must succeed
A successful kinit obtains a ticket-granting ticket from the KDC, which confirms that the realm name, the KDC entry and the clock synchronization are all correct.
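The checks above need a reachable domain controller. The layout mistakes this section warns about (a lower-case realm name, a default_realm with no matching [realms] block, a [domain_realm] mapping to an undefined realm, a realm without a kdc or without an admin_server/kpasswd_server) can be caught offline first. The following shell checker is an added example written for this page; it is not part of the Oracle VDI documentation or product. It assumes the "key = value" layout used in the example above, and the two sample files it constructs, with their host and realm names, are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not Oracle VDI code: offline sanity check of a krb5.conf in
# the layout described on this page. Exit status 1 means the file would not
# work for an Oracle VDI host; the admin_server warning only affects the
# end-user password-change feature.

# Print the value of KEY in section SECTION of FILE (first match only).
krb5_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print $1; exit }
    ' "$1"
}

# Print the lines inside the "REALM = { ... }" block of the [realms] section.
krb5_realm_block() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { insec = ($1 == "[realms]"); next }
        insec && !inblk && $1 == realm && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { exit }
        inblk { print }
    ' "$1"
}

# Return 0 when FILE passes every hard check, 1 otherwise. Findings go to stderr.
check_krb5_conf() {
    f=$1; rc=0
    realm=$(krb5_get "$f" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "$f: [libdefaults] has no default_realm" >&2; return 1
    fi
    # Realm names are case-sensitive; the AD realm is the domain name in upper case.
    if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "$f: default_realm '$realm' is not upper-case" >&2; rc=1
    fi
    block=$(krb5_realm_block "$f" "$realm")
    if [ -z "$block" ]; then
        echo "$f: realm '$realm' is not defined in [realms]" >&2; return 1
    fi
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*kdc[[:space:]]*=' \
        || { echo "$f: realm '$realm' has no kdc entry" >&2; rc=1; }
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*(admin_server|kpasswd_server)[[:space:]]*=' \
        || echo "$f: warning: realm '$realm' has no admin_server/kpasswd_server; password change will not work" >&2
    # Every [domain_realm] target must be a realm that [realms] actually defines.
    for target in $(awk '/^[ \t]*\[/ { insec = ($1 == "[domain_realm]"); next }
                         insec && !/^[ \t]*#/ && /=/ { sub(/^[^=]*=[ \t]*/, ""); print $1 }' "$f" | sort -u); do
        [ -n "$(krb5_realm_block "$f" "$target")" ] \
            || { echo "$f: [domain_realm] maps to undefined realm '$target'" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample files (host and realm names are assumptions): one that
# follows the layout above, one with a lower-case realm, no admin_server and a
# [domain_realm] mapping to a realm that is never defined.
TMPDIR_KRB=$(mktemp -d)
trap 'rm -rf "$TMPDIR_KRB"' EXIT
GOOD_CONF=$TMPDIR_KRB/good.conf
BAD_CONF=$TMPDIR_KRB/bad.conf
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
    default_realm = MY.COMPANY.COM
[realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
        admin_server = my.windows.host
        kpasswd_protocol = SET_CHANGE
    }
[domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
EOF
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
    default_realm = my.company.com
[realms]
    my.company.com = {
        kdc = my.windows.host
    }
[domain_realm]
    .my.company.com = MY.COMPANY.COM
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_krb5_conf "$conf"; then echo "$conf: OK"; else echo "$conf: FAILED"; fi
done
```

To use it on a real host, call check_krb5_conf on /etc/krb5.conf (or /etc/krb5/krb5.conf on Oracle Solaris) instead of the constructed files. The checker only validates the file's structure; it cannot tell whether the named KDC is reachable or whether the clocks agree, which is what the getent, nslookup and kinit checks above are for.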
Restart the VDA Service.
# /opt/SUNWvda/sbin/vda-service restart
Configure the user directory in Oracle VDI Manager.
In the Oracle VDI Manager, go to Settings → Company.
In the Companies table, click New to activate the New Company wizard.
Select Active Directory Type, and click Next.
Select Kerberos Authentication.
Enter the domain for the Active Directory. For example, my.company.com.
Enter the user principal name of a user that has sufficient privileges to write into the Active Directory. For example, super-user or super-user@my.company.com.
Enter the password for that user.
Click Next to review your choices before completing the configuration.
For more information about Kerberos authentication:
krb5.conf(4) man page - http://download.oracle.com/docs/cd/E19253-01/816-5174/6mbb98ufn/index.html
Kerberos Service on Oracle Solaris - http://download.oracle.com/docs/cd/E19253-01/816-4557/seamtm-1/index.html
Kerberos on Oracle Linux - http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-kerberos.html
Oracle VDI supports the Whitelist and Blacklist feature for Kerberos authentication. The feature is an optional set of hostname lists that can be specified for a Company, giving more fine-grained control over which Active Directory servers are queried by Oracle VDI.
The directory whitelist is a comma-separated list of Active Directory global catalog servers that are always used for LDAP queries. The order of the servers in the whitelist matters: if Oracle VDI cannot contact the first server in the list, it tries the next one. The directory blacklist is a comma-separated list of Active Directory servers that are never used for LDAP queries. Blacklist entries override whitelist entries, so a server that appears in both lists is never queried.
This feature can be configured only from the command line, not from the Oracle VDI Manager.