HP SMH Kerberos Authentication – HP Systems Insight Manager User Manual


1. The user logs in to the system (client) using his or her domain username and password.

2. The user’s password is hashed, and this hash becomes the user’s secret key.

3. When the user tries to access a service, a message informs the AS that the user wants to access that service.

4. If the user is in the AS database, two messages are sent back to the client:
   a. A Client/TGS session key, encrypted with the user’s secret key. This session key is used in the communication with the TGS.
   b. A Ticket-Granting Ticket (TGT), encrypted with the secret key of the TGS. A ticket is used in Kerberos to prove one’s identity. The TGT allows the client to obtain other tickets for communication with network services.

5. Upon receiving these two messages, the client decrypts the message containing the Client/TGS session key.

The following process occurs every time a user wants to authenticate to a service:

1. When the user requests a service, the client sends two messages to the TGS:
   • A message composed of the TGT and the requested service
   • An authenticator, made up of the client’s ID and the current timestamp, encrypted with the Client/TGS session key received before

   Timestamps are used in Kerberos to avoid replay attacks. The clock skew among machines cannot exceed a specific limit.

2. The TGS decrypts the authenticator and sends two new messages back to the client:
   • The client-to-server ticket received from the TGS
   • Another authenticator, made up of the client’s ID and the current timestamp, encrypted with the client/server session key

3. The service decrypts the client-to-server ticket with its own secret key and sends the client a message with the received timestamp plus one, confirming its true identity. This message is encrypted with the client/server session key.

4. The client decrypts the message and checks the timestamp. If it is correct, the client can issue requests to the service, and the service sends responses back as expected.

HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH.

Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When this URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication.

If the user does not have valid Kerberos credentials or if an error occurs during the authentication process,
the Sign In page appears, showing an error message. For example, if the clock skew among the machines
involved in authentication is too large, you receive an error message and are taken to the Sign In page.

Kerberos authentication does not work in the following local access situations:

   • Accessing HP SMH from the machine where the KDC (AD) is installed
   • Accessing HP SMH from the machine where HP SMH is installed

When an authentication error occurs, the system administrator should check the SMH HTTP server error log
to obtain more information about the error.

For example, when the clock skew among the machines is too large, the following log message is written:

    [Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054)
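The following Python example is added here and is not part of the HP manual. It parses mod_spnego SSO failure lines in the layout of the sample above (the only layout assumed), converts the signed SSPI status to the unsigned hex form used in Windows documentation, and counts failures per client; the function names and every sample line after the first are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout follows the sample on this page (assumed to be representative):
# [time] [error] [client addr] mod_spnego: Kerberos SSO (call) failed; SSPI: text\r\n(code)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\]\s+"
    r"mod_spnego: Kerberos SSO \((?P<call>\w+)\) failed; SSPI: (?P<text>.*?)"
    r"(?:\\r\\n)?\((?P<code>-?\d+)\)\s*$"
)

def to_hresult(code: int) -> str:
    """The log prints the SSPI status as a signed 32-bit integer; Windows
    documentation lists it as unsigned hex, so convert it for lookup."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def parse_line(line: str):
    """Return a dict for a mod_spnego SSO failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "client": m["client"],
        "sspi_call": m["call"],
        "text": m["text"].strip(),
        "hresult": to_hresult(int(m["code"])),
    }

def failures_by_client(lines):
    """Count SSO failures per (client address, status code) pair."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["client"], e["hresult"]) for e in events)

# First entry is the page's sample line; the others are constructed for this example.
TAIL = (r" mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: "
        r"The function requested is not supported\r\n(-2146893054)")
SAMPLE_LOG = [
    "[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6]" + TAIL,
    "[Thu Jun 25 16:55:41 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6]" + TAIL,
    "[Thu Jun 25 16:56:02 2009] [error] [client 2001:db8:c18:1::42]" + TAIL,
    "[Thu Jun 25 16:56:30 2009] [notice] constructed unrelated line",
]

if __name__ == "__main__":
    for (client, code), n in failures_by_client(SAMPLE_LOG).items():
        print(f"{client} {code} x{n}")
```

The status 0x80090302 is SEC_E_UNSUPPORTED_FUNCTION in the Windows SSPI headers, which matches the text in the log line.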
