Configure Kerberos provider settings

You can configure the settings of a Kerberos provider to use DNS records to locate the Key Distribution Center (KDC), Kerberos realms, and the authentication servers associated with a Kerberos realm. These settings are global to all users of Kerberos across all nodes, services, and access zones. Some settings apply only to client-side Kerberos, which is relevant when joining a realm or when communicating with an Active Directory KDC. Typically, you do not need to change the settings after the initial configuration.

Procedure

  1. Click Access > Authentication Providers > Kerberos Settings.
  2. In the Default Realm field, specify the realm to use for the service principal name (SPN). The default realm is the first realm that you create.
  3. Select the check box to always send pre-authentication. This is a client-side Kerberos configuration setting.
    When this check box is selected, Kerberos ticket requests include ENC_TIMESTAMP as the pre-authentication data even if the authentication server did not request it. This is useful when working with Active Directory servers.
  4. Select a check box to specify whether to use the DNS server records to locate the KDCs and other servers for a realm, if that information is not listed for the realm.
  5. Select a check box to specify whether to use the DNS text records to determine the Kerberos realm of a host.
  6. Click Save Changes.
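
Steps 4 and 5 make the cluster depend on DNS answers, so it helps to see what is looked up and to compare the answers with the intended configuration. The following is an added example, not part of the original documentation or the product's code: it models the conventional lookups (SRV records named _kerberos._udp.REALM for KDCs, TXT records named _kerberos.<host> and its parent domains for the realm). The zone data, host names and the audit helper are constructed for illustration, and it is an assumption that the product follows this MIT Kerberos convention.

```python
# Constructed sample zone data (not from the original page); all names are hypothetical.
SRV = {
    "_kerberos._udp.EXAMPLE.COM": [
        # (priority, weight, port, target)
        (10, 50, 88, "kdc2.example.com"),
        (0, 100, 88, "kdc1.example.com"),
        (10, 100, 88, "kdc3.example.com"),
    ],
}
TXT = {
    "_kerberos.example.com": "EXAMPLE.COM",
    "_kerberos.lab.example.com": "LAB.EXAMPLE.COM",
}


def realm_for_host(host, txt=TXT):
    """Walk from _kerberos.<host> up through parent domains; first TXT hit wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt:
            return txt[name]
    return None  # no TXT record: the realm must come from local configuration


def kdcs_for_realm(realm, srv=SRV, proto="udp"):
    """Return (target, port) pairs in preference order, lowest priority first.

    Real resolvers pick randomly by weight within one priority (RFC 2782);
    sorting by descending weight keeps this example deterministic.
    """
    records = srv.get(f"_kerberos._{proto}.{realm}", [])
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _, _, port, target in ordered]


def audit(host, expected_realm, approved_kdcs):
    """Defender's check: flag DNS answers that disagree with the intended setup."""
    findings = []
    realm = realm_for_host(host)
    if realm != expected_realm:
        findings.append(f"{host}: DNS realm {realm!r} != expected {expected_realm!r}")
    for target, _ in kdcs_for_realm(realm or expected_realm):
        if target not in approved_kdcs:
            findings.append(f"{realm or expected_realm}: unapproved KDC {target}")
    return findings
```

An empty list from audit() means the DNS-derived realm and KDC set match what was configured; any finding is a reason to list the realm's KDCs explicitly instead of relying on DNS discovery.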