How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I specify multiple Kerberos servers in AM (All versions) for failover purposes?

Last updated Jun 21, 2021

The purpose of this article is to provide information on specifying multiple Kerberos™ Domain Controllers (DCs) in AM for failover purposes when configuring the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module.



Specifying multiple Kerberos DCs

If you have multiple Kerberos DCs configured for failover purposes, you can specify them when configuring the Kerberos node or the WDSSO module.

Note

If you have set up the Kerberos node or the WDSSO module with multiple Kerberos DCs and have used a keytab file from one of the trusted DCs, you should be aware that all users from the trusted domains can authenticate through the Kerberos node or WDSSO module. Configuring and managing Active Directory Domain Trusts is outside the scope of this article and ForgeRock Support.

Configuring the Kerberos node

You can configure multiple Kerberos DCs as follows:

  1. Navigate to: Realms > [Realm Name] > Authentication > Trees > [Tree Name] > Kerberos node > Kerberos Server Name and specify the server names using a colon as a separator, for example: primary_server:secondary_server:tertiary_server
  2. Click Save to update the tree.

Configuring the WDSSO module

You can configure multiple Kerberos DCs at the global level or realm level when you are using the WDSSO module.

Global level

You can configure multiple Kerberos DCs at the global level using either the console or ssoadm:

  • Console: navigate to: Configure > Authentication > Windows Desktop SSO > Kerberos Server Name and specify the server names using a colon as a separator, for example: primary_server:secondary_server:tertiary_server
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAuthWindowsDesktopSSOService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-windowsdesktopsso-kdc="[servers]" replacing [adminID], [passwordfile] and [servers] with appropriate values, where [servers] must be enclosed in double quotes (" ") and each server name is separated with a colon.

An example ssoadm command to add two Kerberos DCs at the global level looks like this:

  • AM 7 and later: $ ./ssoadm set-attr-defs -s iPlanetAMAuthWindowsDesktopSSOService -t organization -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a iplanet-am-auth-windowsdesktopsso-kdc="kdc.example.com:kdc2.example.com"
  • Pre-AM 7: $ ./ssoadm set-attr-defs -s iPlanetAMAuthWindowsDesktopSSOService -t organization -u amadmin -f pwd.txt -a iplanet-am-auth-windowsdesktopsso-kdc="kdc.example.com:kdc2.example.com"

Realm level

You can configure multiple Kerberos DCs at the realm level using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Authentication > Modules > [WDSSO Module] > Kerberos Server Name and specify the server names using a colon as a separator, for example: primary_server:secondary_server:tertiary_server
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthWindowsDesktopSSOService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-windowsdesktopsso-kdc="[servers]" replacing [realmname], [adminID], [passwordfile] and [servers] with appropriate values, where [servers] must be enclosed in double quotes (" ") and each server name is separated with a colon.

An example ssoadm command to add two Kerberos DCs at the realm level looks like this:

  • AM 7 and later: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthWindowsDesktopSSOService -e employees -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a iplanet-am-auth-windowsdesktopsso-kdc="kdc.example.com:kdc2.example.com"
  • Pre-AM 7: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthWindowsDesktopSSOService -e employees -u amadmin -f pwd.txt -a iplanet-am-auth-windowsdesktopsso-kdc="kdc.example.com:kdc2.example.com"
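The colon-separated value is the same for the Kerberos node's Kerberos Server Name field and for both the global-level and realm-level WDSSO settings above, and a stray space, empty entry or trailing colon in that value is an easy way to end up with a server entry that will never be tried. The following POSIX shell helpers are an added example, not ForgeRock's own code or part of ssoadm: validate_kdc_list rejects malformed lists before anything is written to AM, kdc_count reports how many DCs a list names, and build_ssoadm_cmd assembles the global or realm command for the AM version in use. The functions are hypothetical names, the amAdmin DN is the one used in this article's examples (a real deployment's DN may differ), and pwd.txt is assumed to be a file holding the admin password.

```shell
#!/bin/sh
# Added example, not ForgeRock code: sanity-check a Kerberos DC list and build
# the matching ssoadm command for the WDSSO module (global or realm level).

# Validate a "host1:host2:host3" list as expected by the
# iplanet-am-auth-windowsdesktopsso-kdc attribute and the Kerberos node.
# Rejects: empty list, leading/trailing/double colons (empty entries), and
# characters outside letters, digits, dots and hyphens (spaces included).
validate_kdc_list() {
    list="$1"
    case "$list" in
        "")                echo "KDC list is empty" >&2; return 1 ;;
        :*|*:|*::*)        echo "KDC list has an empty entry: '$list'" >&2; return 1 ;;
        *[!A-Za-z0-9.:-]*) echo "KDC list has an illegal character: '$list'" >&2; return 1 ;;
    esac
    return 0
}

# Print how many DCs a list names (a list with no colon is one DC).
kdc_count() {
    rest="$1"
    n=1
    while [ "${rest#*:}" != "$rest" ]; do
        rest="${rest#*:}"
        n=$((n + 1))
    done
    echo "$n"
}

# Build the ssoadm command line shown in this article.
#   $1 scope:      "global" or a realm name (e.g. employees)
#   $2 AM major:   7 or later uses the amAdmin DN, earlier versions "amadmin"
#   $3 password file for the admin user
#   $4 colon-separated KDC list
# The DN below is the one from this article's examples (assumption).
build_ssoadm_cmd() {
    scope="$1"; am_major="$2"; pwdfile="$3"; list="$4"
    validate_kdc_list "$list" || return 1
    if [ "$am_major" -ge 7 ]; then
        admin='uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org'
    else
        admin='amadmin'
    fi
    attr="iplanet-am-auth-windowsdesktopsso-kdc=\"$list\""
    if [ "$scope" = "global" ]; then
        printf '%s\n' "./ssoadm set-attr-defs -s iPlanetAMAuthWindowsDesktopSSOService -t organization -u $admin -f $pwdfile -a $attr"
    else
        printf '%s\n' "./ssoadm set-realm-svc-attrs -s iPlanetAMAuthWindowsDesktopSSOService -e $scope -u $admin -f $pwdfile -a $attr"
    fi
}

# Usage with the constructed server names from this article.
servers='kdc.example.com:kdc2.example.com'
echo "DCs configured for failover: $(kdc_count "$servers")"
build_ssoadm_cmd global 7 pwd.txt "$servers"
build_ssoadm_cmd employees 6 pwd.txt "$servers"

# A value with a trailing colon (empty last entry) is refused, not written.
if ! validate_kdc_list 'kdc.example.com:' 2>/dev/null; then
    echo "rejected malformed list 'kdc.example.com:'"
fi
```

Run the validator on the value before pasting it into the console field or the ssoadm -a argument; the ssoadm commands are only printed here, so review the output and run it yourself from the AM tools directory.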

See Also

How do I set up Kerberos authentication in AM (All versions)?

OpenAM Windows Desktop SSO deep dive – part 1

Configuring and troubleshooting WDSSO in AM

Windows Desktop SSO Authentication Module

Kerberos Node

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.