Using Kerberos with Intermapper

Kerberos

Kerberos is the most secure protocol supported by IMAuth. Rather than forwarding a user's name and password, IMAuth acts as a kerberized service. InterMapper Remote will obtain a Kerberos ticket (or use an existing one if the user already has one). It then sends a Kerberos service access request to IMAuth, which verifies that the ticket is valid and grants the user access.

However, if Kerberos is used, it will only apply to authentication attempts from InterMapper RemoteAccess. Authentication attempts from the web or telnet interfaces are unable to use Kerberos. If you need to authenticate from the web or telnet interfaces, you will need to select ActiveDirectory or IAS authentication instead.

Like any other kerberized service, IMAuth requires a service principal key on your Kerberos server. You will need to export this key in an MIT-Kerberos-compatible keytab file. This is done with the 'kadmin' utility in MIT Kerberos (or systems based on it, like Apple's OpenDirectory).

To create the keytab file, first create a user called 'imauth' in ActiveDirectory. Then, run ktpass.exe with these options:

ktpass.exe -princ imauth/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out imauth.keytab

Where hostname, NT-DNS-REALM-NAME, account and password are replaced by your AD server's host name and realm, and the username and password you created in step 1.
Information can be found at Microsoft.

Once you have created the service principal key and exported it, you can use the IMAuth web admin panel to upload the keytab file for IMAuth to use.

Keep in mind that, due to the way service principal keys are generated, each time you export the key it will change. So whenever you create a keytab using kadmin or ktpass, you must upload this new keytab to IMAuth. Otherwise the key in the KDC's database and the key IMAuth stores will be different.

As with any other kerberized application, authentication will fail unless the system clock on the machines running InterMapper RemoteAccess are synchronized to the time on your Kerberos KDC.