Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Procedure: To Configure Windows Active Directory and Domain Controller

  1. Log in as an administrator to the Windows 2000 or 2003 server host.

  2. From the Start menu, go to Administrative Tools > Manage Your Server.

    1. On the Manage Your Server wizard, choose Adding Roles to Your Server.

    2. In the Server Role window, choose Domain Controller (Active Directory).

    3. Accept the default values by clicking Next.

    4. Continue accepting the default values and clicking Next until the Report DNS Issue window is displayed.

    5. This window is displayed when no properly configured DNS exists for Active Directory. Choose “Install and Configure DNS” to proceed to the next window.

    6. Continue accepting the default values and clicking Next until the Summary window is displayed, then click Next.

      The Active Directory Installation wizard is invoked.

  3. Install the Active Directory Domain Controller.

    For detailed instructions, see Install Active Directory Domain Services on the Windows Server 2008-Based Member Server.

  4. Install Windows Support Tools.

    Windows Support Tools contains the ktpass Kerberos tool you need to map a service principal with an Active Directory account. For information about ktpass, see the Ktpass Overview. For detailed instructions on installing Windows Support Tools, see How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer.

  5. Create a new user account.

    1. From the Start menu, go to Programs > Administration Tools.

    2. Choose “Active Directory Users and Computers.”

    3. Enter a user name and password for the new user, and create the user.

    4. Verify that the Kerberos ticket is returned by the Kerberos Authentication Server properly.

      Log into the new domain account from any Windows XP workstation belonging to the domain. You can use the Windows Support Tools to verify that the Kerberos ticket is returned by the Kerberos Authentication Server and cached into the ticket cache. For information about Windows Support Tools, see Windows Support Tools.

  6. Create a user account to map to the Kerberos service.

    1. From the Start menu, go to Programs > Administration Tools.

    2. Choose “Active Directory Users and Computers.”

    3. Create a new user with a name that is meaningful to you.

      In this example, the name is openSSOhost.

    4. Use the ktpass command to associate this user account with a service principal.

      Example:
      C:\Documents and Settings\Administrator>ktpass /pass password /mapuser openSSOhost
      /princ HTTP/openSSOhost.identity.com@OPENSSOHOST.EXAMPLE.COM +DesOnly /ptype
      KRB5_NT_PRINCIPAL /Target OPENSSOHOST.EXAMPLE.COM
      Using legacy password setting method
      Successfully mapped HTTP/openSSOhost.example.com to openSSOhost.
      Key created.
      Account openSSOhost has been set for DES-only encryption.

      If OpenSSO Enterprise is configured with Java version 1.5_08 or higher, you don't need to specify the +DesOnly parameter here.

    5. Export the keytab file and copy it to the system where OpenSSO Enterprise is installed.

      Example:
      C:\Documents and Settings\Administrator>ktpass /out demo1.HTTP.keytab /princ
      HTTP/demo1.identity.com@DEMO.IDENTITY.COM /ptype KRB5_NT_PRINCIPAL /crypto
      DES-CBC-CRC /Target DEMO.IDENTITY.COM
      NOTE: creating a keytab but not mapping principal to any user.
      For the account to work within a Windows domain, the
      principal must be mapped to an account, either at the
      domain level (with /mapuser) or locally (using ksetup)
      If you intend to map HTTP/demo1.identity.com@DEMO.IDENTITY.COM
      to an account through other means or don't need to map the user, 
      this message can safely be ignored.
      Key created.
      Output keytab to demo1.HTTP.keytab:
      Keytab version: 0x502
      keysize 70 HTTP/demo1.identity.com@DEMO.IDENTITY.COM ptype 1
      (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8
      (0xa1c4e6203e3b0d34)

      If OpenSSO Enterprise is configured with Java version 1.5 or higher, you don't need to specify the /crypto DES-CBC-CRC parameter here.

      You can test whether this keytab file will work for OpenSSO Enterprise by using the Windows Support Tools and specifying the /crypto DES-CBC-CRC parameter.
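As an added example that is not part of the guide, the following Python reads the version 0x502 keytab file that ktpass exports (the layout assumed here is the MIT keytab format: an int32 entry size, then the realm and name components as counted strings, name type, timestamp, 8-bit vno, the keyblock, and a trailing 32-bit kvno) and flags entries keyed with DES or RC4, so a keytab exported with /crypto DES-CBC-CRC is recognised before it is copied to the OpenSSO Enterprise host. The sample keytab is constructed from the principal, ptype, vno, etype and key value shown in the ktpass output above; build_keytab and parse_keytab are hypothetical helper names.

```python
import struct

ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
WEAK_ETYPES = {1, 3, 23}   # DES and RC4 enctypes, deprecated by RFC 6649 / RFC 8429

def build_keytab(entries):
    """Serialize (principal, name_type, kvno, etype, key) tuples as a 0x502 keytab."""
    out = b"\x05\x02"
    for principal, name_type, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))            # v2 does not count the realm
        for s in [realm] + comps:                        # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return one dict per entry of a version 0x502 keytab; 'weak' flags DES/RC4 keys."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:                  # negative = deleted slot to skip; zero = nothing more
            pos = len(data) if size == 0 else pos - size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        strings, pos = [], pos + 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "kvno": kvno, "key": key.hex(),
                        "enctype": ETYPE_NAMES.get(etype, str(etype)), "weak": etype in WEAK_ETYPES})
        pos = end
    return entries

# Constructed sample mirroring the guide's ktpass output (ptype 1, vno 1, etype 0x1, key from the page).
SAMPLE = build_keytab([("HTTP/demo1.identity.com@DEMO.IDENTITY.COM", 1, 1, 1,
                        bytes.fromhex("a1c4e6203e3b0d34"))])
```

Apply parse_keytab to the bytes of the exported demo1.HTTP.keytab to confirm the principal, kvno and enctype before copying the file to the OpenSSO Enterprise host.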