
Do I need an AD account for every environment for Kerberos Authentication to AD?

Question asked by dbiggins on Feb 13, 2017
Latest reply on Mar 24, 2017 by keith.bailey@synapps-solutions.com

We are using Kerberos in our Alfresco 5.1.1 / Linux to AD authentication environment to assist in making WebDAV and AOS work better. For instance, if we have a mapped drive, or use the SharePoint connectivity and we don't want to get prompted multiple times to authenticate when we are editing content, Kerberos works great. We are not using CIFS or the Share Kerberos authentication at this point, so just 'AlfrescoHTTP' stuff.


Our different environments have different URLs, which means they have different principals, which means they would have different keytabs.


Currently there is a single AD user, the 'alfrescohttp' user, but when I created the keytab file for the test environment, I had to list the principal in the 'princ'. I thought that the creation of the keytab file with the ktpass command would _just_ generate a keytab file, but when I ran the command again mapping the production principal to the same AD user mapped in the test environment, the test Kerberos environment immediately stopped authenticating, even though I hadn't moved the new 'production' keytab file anywhere.


Does that mean that for each environment (test/prod, etc.) I would need a different AD user? Would I be able to generate multiple keytab files all mapped to the same AD account?
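Added example, not part of the original post or of Alfresco: the symptom above (the test keytab dying the moment ktpass is re-run with a password against the same account) is what you see when the account's password is reset, because the keytab holds a key derived from the old password and AD moves the account to a new key version number (kvno). This reader lists principal, kvno and enctype for each entry of an MIT-format keytab as Alfresco on Linux consumes it, so you can compare it with the account's current msDS-KeyVersionNumber; the sample keytab bytes, realm and host name are constructed for the example.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # types ktpass writes

def _octets(data, off):
    """Read a 16-bit big-endian length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _octets(data, off + 11)  # key material is skipped over, never printed
        # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit vno8 field
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return entries

def stale_principals(data, ad_kvno):
    """Principals whose keytab kvno differs from the AD account's current msDS-KeyVersionNumber."""
    return [p for p, kvno, _ in parse_keytab(data) if kvno != ad_kvno]

def _entry(realm, comps, kvno, etype, key):
    """Serialise one keytab entry; used only to build the constructed sample below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one HTTP SPN for a test host at kvno 3 with a placeholder all-zero RC4 key
SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"EXAMPLE.COM", [b"HTTP", b"alfresco-test.example.com"], 3, 23, bytes(16))
```

Run `stale_principals(open("/etc/alfresco.keytab", "rb").read(), <kvno from AD>)` on the Alfresco host; any principal it returns needs a fresh keytab, and if the production run had bumped the account's kvno, every older keytab for that account shows up here.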
