HP SMH Kerberos authentication – HP System Management Homepage Software User Manual

Page 42


The following process occurs only when the user initially logs in to a Kerberos realm and tries to
access a Kerberos-secured service for the first time:

1. The user logs in to the system (client) using his or her domain username and password.

2. The user's secret key is derived from the password by the Kerberos string-to-key function (a
   salted key-derivation function; loosely, a hash of the password). The KDC holds the same key.

3. When the user tries to access a service, the client sends the Authentication Server (AS) a
   message stating that the user wants to access that service.

4. If the user is in the AS database, two messages are sent back to the client:

   a. A Client/TGS session key, encrypted with the user's secret key. This key is used in all
      further communication with the Ticket-Granting Server (TGS).

   b. A Ticket-Granting Ticket (TGT), encrypted with the secret key of the TGS. A ticket is used
      in Kerberos to prove one's identity. The TGT allows the client to obtain other tickets for
      communication with network services; the client cannot read the TGT, only present it.

5. Upon receiving these two messages, the client decrypts the message containing the Client/TGS
   session key. Only a client that knows the user's password can do so, which is what
   authenticates the user.

The following process occurs every time a user wants to authenticate to a service:

1. When the user requests a service, the client sends two messages to the TGS:

   - A message composed of the TGT and the ID of the requested service.

   - An authenticator, made up of the client's ID and the current timestamp, encrypted with the
     Client/TGS session key received before.

   Timestamps are used in Kerberos to prevent replay attacks: a captured authenticator is only
   accepted within a short window, and within that window the server can remember the timestamps
   it has already seen. For this to work, the clock skew among the machines cannot exceed a
   specific limit (by default five minutes in both MIT Kerberos and Active Directory).

2. The TGS decrypts the TGT with its own secret key, obtains the Client/TGS session key from it,
   decrypts the authenticator with that key, checks the timestamp, and sends two new messages
   back to the client:

   - A client-to-server ticket, encrypted with the secret key of the requested service. It contains
     the client's ID and a new client/server session key.

   - The same client/server session key, encrypted with the Client/TGS session key.

3. The client decrypts the second message to obtain the client/server session key, then sends the
   service the client-to-server ticket received from the TGS together with another authenticator,
   made up of the client's ID and the current timestamp, encrypted with the client/server session
   key.

4. The service decrypts the client-to-server ticket with its own secret key, obtains the
   client/server session key from it, and decrypts and checks the authenticator. It then sends the
   client a message containing the authenticator's timestamp (in Kerberos version 4, the timestamp
   plus one), encrypted with the client/server session key. Only a service holding the correct
   secret key can produce this message, which confirms the service's identity to the client.

5. The client decrypts the message and checks the timestamp. If it is correct, requests may be
   issued to the service, and it sends responses back as expected.
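The two processes above, the initial AS exchange and the per-service TGS and service exchanges, as an added example in Python that is not part of the HP manual or of HP SMH. It simulates all three parties with a toy authenticated-encryption routine in place of a real Kerberos enctype; the realm EXAMPLE.COM, the user alice, the service principal HTTP/smh.example.com and the password are assumptions. Running the same flow with synchronised clocks, with clocks two skew limits apart, and with a replayed authenticator shows why the clock-skew limit and the timestamp matter:

```python
# Toy model of the Kerberos exchanges described above (added example, not HP SMH code).
# seal()/unseal() stand in for a real enctype; realm, principals and service name are made up.
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"          # assumed realm name
TGS = "krbtgt/" + REALM        # the TGS principal, named as real Kerberos does
MAX_SKEW = 300                 # seconds; default clock-skew limit in MIT krb5 and Active Directory

class KerberosError(Exception):
    pass

def string_to_key(password, principal):
    """The user's secret key: derived from the password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); a wrong key or a tampered message fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KerberosError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, expected_client, now, replay_cache):
    """Client must match the ticket; timestamp must be within MAX_SKEW and not seen before."""
    if auth["client"] != expected_client:
        raise KerberosError("authenticator client does not match ticket")
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise KerberosError("clock skew too great")
    if (auth["client"], auth["timestamp"]) in replay_cache:
        raise KerberosError("replayed authenticator")
    replay_cache.add((auth["client"], auth["timestamp"]))

class KDC:  # Authentication Server (AS) and Ticket-Granting Server (TGS) over one key database
    def __init__(self):
        self.keys = {TGS: os.urandom(32)}
        self.replay_cache = set()
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, name)
    def as_exchange(self, client):
        """Messages 4a and 4b: session key under the user's key, TGT under the TGS key."""
        if client not in self.keys:
            raise KerberosError("client principal not in the AS database")
        session_key = os.urandom(32).hex()
        msg_a = seal(self.keys[client], {"session_key": session_key, "service": TGS})
        tgt = seal(self.keys[TGS], {"client": client, "session_key": session_key})
        return msg_a, tgt
    def tgs_exchange(self, tgt_blob, authenticator, service, now):
        """Checks TGT and authenticator; returns the service ticket and client/server session key."""
        tgt = unseal(self.keys[TGS], tgt_blob)
        tgs_key = bytes.fromhex(tgt["session_key"])
        check_authenticator(unseal(tgs_key, authenticator), tgt["client"], now, self.replay_cache)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "session_key": svc_session})
        return ticket, seal(tgs_key, {"session_key": svc_session, "service": service})

def service_accept(service_key, ticket_blob, authenticator, now, replay_cache):
    """Service side: open the ticket with its own key, check the authenticator, echo the timestamp."""
    ticket = unseal(service_key, ticket_blob)
    session = bytes.fromhex(ticket["session_key"])
    auth = unseal(session, authenticator)
    check_authenticator(auth, ticket["client"], now, replay_cache)
    return seal(session, {"timestamp": auth["timestamp"]})   # Kerberos 4 returned it plus one

def login(kdc, user, password):
    msg_a, tgt = kdc.as_exchange(user)   # first process; a wrong password cannot open msg_a
    tgs_key = bytes.fromhex(unseal(string_to_key(password, user), msg_a)["session_key"])
    return {"user": user, "tgt": tgt, "tgs_key": tgs_key}

def access_service(kdc, creds, service, service_key, client_now, server_now, replay_cache):
    """Second process end to end; separate clocks reproduce the skew failure. True on success."""
    auth = seal(creds["tgs_key"], {"client": creds["user"], "timestamp": client_now})
    ticket, msg = kdc.tgs_exchange(creds["tgt"], auth, service, server_now)
    svc_key = bytes.fromhex(unseal(creds["tgs_key"], msg)["session_key"])
    auth2 = seal(svc_key, {"client": creds["user"], "timestamp": client_now})
    reply = service_accept(service_key, ticket, auth2, server_now, replay_cache)
    return unseal(svc_key, reply)["timestamp"] == client_now

def scenarios():
    """Synced clocks; clocks 2*MAX_SKEW apart; the same timestamp presented twice (replay)."""
    kdc, cache, service, pw = KDC(), set(), "HTTP/smh.example.com", "correct horse battery staple"
    kdc.add_principal("alice", pw)
    kdc.add_principal(service, os.urandom(16).hex())   # the service's key would live in its keytab
    creds = login(kdc, "alice", pw)
    def attempt(client_now, server_now):
        try:
            return access_service(kdc, creds, service, kdc.keys[service], client_now, server_now, cache)
        except KerberosError as e:
            return str(e)
    return {"synced": attempt(1000, 1010), "skewed": attempt(2000, 2000 + 2 * MAX_SKEW),
            "replay": attempt(1000, 1005)}
```

scenarios() returns True for the synchronised run and the error strings for the other two; login() with a wrong password fails at the integrity check on message 4a, the toy's equivalent of being unable to decrypt the AS reply. Real Kerberos adds pre-authentication, ticket lifetimes and renewals, which the model leaves out.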

HP SMH Kerberos Authentication

HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in
without entering a user name and password in the Sign In page. If an allowed user accesses HP
SMH and has valid Kerberos credentials, the Home page appears inside HP SMH.

Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When that URL
is accessed, SMH looks for Kerberos credentials in the request and performs user authentication
with them.

If the user does not have valid Kerberos credentials or if an error occurs during the authentication
process, the Sign In page appears, showing an error message. For example, if the clock skew
among the machines involved in authentication is too large, you receive an error message and
are taken to the Sign In page.

Kerberos authentication does not work in the following local-access situations:

- Accessing HP SMH from the machine where the KDC (the Active Directory domain controller) is
  installed

- Accessing HP SMH from the machine where HP SMH is installed

When an authentication error occurs, the system administrator should check the SMH HTTP server
error log to obtain more information about the error.
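What "looks for Kerberos credentials in the request" amounts to on the wire, as an added illustration that is not HP SMH's code and makes one assumption the page does not state: that the browser presents the credentials with the HTTP Negotiate (SPNEGO) scheme of RFC 4559, the usual way Kerberos is carried over HTTP. The endpoint name /proxy/Kerberos comes from the page; the sample requests and token bytes are constructed for the example:

```python
# Added illustration, not HP SMH code: how a web endpoint such as /proxy/Kerberos can tell
# whether a request carries Kerberos credentials. Assumes the browser presents them with the
# HTTP Negotiate (SPNEGO) scheme of RFC 4559, the usual transport for Kerberos over HTTP.
# The request headers and token bytes below are constructed for the example.
import base64

KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2 (SPNEGO wrapper)
NTLMSSP = b"NTLMSSP\x00"                              # signature of a raw NTLM message

def classify_token(raw):
    """'kerberos', 'spnego', 'ntlm' or 'unknown' for a decoded Negotiate token.
    A GSS-API InitialContextToken is 0x60, a DER length, then the mechanism OID."""
    if raw.startswith(NTLMSSP):
        return "ntlm"
    if len(raw) < 2 or raw[0] != 0x60:
        return "unknown"
    pos = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)   # short or long-form DER length
    if raw.startswith(KRB5_OID, pos):
        return "kerberos"
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    return "unknown"

def negotiate_token(headers):
    """The decoded token from 'Authorization: Negotiate <base64>', or None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None

def handle_proxy_kerberos(headers):
    """What the endpoint does with one request: accept Kerberos, challenge, or fall back to Sign In."""
    token = negotiate_token(headers)
    if token is None:
        # No credentials in the request: challenge the browser once; a client that never
        # answers with a token ends up on the Sign In page.
        return {"status": 401, "www_authenticate": "Negotiate", "next": "Sign In page"}
    kind = classify_token(token)
    if kind in ("kerberos", "spnego"):
        # Real validation (GSS-API accept_sec_context with the service's keytab) happens here;
        # a clock-skew or ticket error from that step also leads to the Sign In page.
        return {"status": 200, "next": "Home page", "mech": kind}
    return {"status": 401, "next": "Sign In page", "reason": f"{kind} token is not Kerberos"}

# Constructed sample requests: a Kerberos AP-REQ header (mechanism OID followed by the TOK_ID
# 01 00 a real AP-REQ carries; the ticket itself is omitted), a SPNEGO wrapper, an NTLM
# message, a Basic credential, and a request with no Authorization header at all.
SAMPLES = {
    "kerberos": {"Authorization": "Negotiate " + base64.b64encode(
        bytes.fromhex("600d06092a864886f7120102020100")).decode()},
    "spnego": {"Authorization": "Negotiate " + base64.b64encode(
        bytes.fromhex("600a06062b0601050502a000")).decode()},
    "ntlm": {"Authorization": "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()},
    "basic": {"Authorization": "Basic dXNlcjpwYXNz"},
    "none": {},
}

def run_samples():
    """Maps each constructed request to the page the user would end up on."""
    return {name: handle_proxy_kerberos(h)["next"] for name, h in SAMPLES.items()}
```

run_samples() maps each constructed request to the page the user ends up on. The point of inspecting the token is that a Negotiate header is not necessarily Kerberos: a browser that cannot obtain a service ticket may fall back to NTLM or send no token at all, and both cases belong on the Sign In page rather than being treated as authenticated.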


The Settings page
