Using a Keytab File for Kerberos Authentication

A System Administrator can create the Kerberos keytab files used to authenticate user accounts in the Vocera system.

When Kerberos authentication is enabled, you can upload a keytab file provided by a Windows administrator to authenticate clients from multiple realms to the HTTP service. The keytab files are generated on the user's Active Directory server.

A Vocera LDAP Adapter is required for Kerberos keytab generation. For information on the LDAP adapter configuration, refer to the Vocera Adapters documentation section in the Vocera Documentation Portal.

Before generating the keytab file for Kerberos authentication, the System Administrator must:
  • Obtain the domain name of the Vocera Platform cluster, and the name of a user account in Active Directory that represents the Vocera Platform.
  • Ensure that Kerberos is configured and working correctly on the user's network. This configuration requires a service or computer account for the host and an HTTP service principal for that host, with a keytab file containing the key for that HTTP principal placed on the Vocera Platform.
  • Ensure that the computer's time is synchronized with the Active Directory server; Vocera recommends NTP setup for the Vocera Platform to ensure the time is synchronized. For instructions to Configure Microsoft Active Directory, refer to the RedHat website.
  • Ensure that the Windows user account does not have "Do not require Kerberos preauthentication" checked. If the box is checked, clear it. With preauthentication disabled, anyone on the network can request an AS-REP for the account and crack the account's password offline, so the flag must stay off for the account that holds the HTTP service key.

To generate a keytab file:

  1. Issue the ktpass command to map the service principal to the trusted account and generate the keytab file. The following parameters are used in the command; ktpass accepts either / or - as the parameter prefix. The principal name and realm are case sensitive and must match the case of the incoming request; the realm (the domain name after @) is conventionally written in upper case.
    /out <FileName>
      Specifies the name of the Kerberos version 5 .keytab file to generate. This is the .keytab file that you upload in the Vocera Platform Web Console on the Vocera Platform.
    /princ <PrincipalName>
      Specifies the service principal name that is being mapped, in the form 'host/computer.contoso.com@CONTOSO.COM'. This parameter is case sensitive. For the Vocera Platform HTTP service the principal is:
      HTTP/<FQDN of computer>@<domain name>
    /mapuser <UserAccount>
      Maps the Kerberos principal specified by /princ to the specified domain account, in the form <domain>\<user>. ktpass registers the principal as that account's service principal name and, by default, as its user principal name in Active Directory.
    /crypto <Type>
      Specifies the encryption types for which keys are written to the keytab. All writes a key for every type the account supports, which includes the legacy RC4-HMAC-NT type; if the Vocera Platform and the domain both support it, specifying AES256-SHA1 instead keeps the RC4 key out of the file.
    /pass <Password>
      Specifies the password from which the keys are derived. Use * to be prompted so the password does not appear on the command line or in the shell history. ktpass also sets this password on the mapped account, which increments the account's key version number (kvno); any keytab generated earlier for the same account stops working and must be regenerated.
    /ptype KRB5_NT_PRINCIPAL
      Specifies the principal type. KRB5_NT_PRINCIPAL is the general principal type and is the one to use.

  2. On the Active Directory server, from an elevated command prompt run under an account permitted to modify the mapped user account, substituting the user's details in the placeholders, enter the following command line:
    ktpass -princ HTTP/<FQDN of computer>@<domain name> -mapuser <domain>\<user> -crypto All -pass <pass goes here> -ptype KRB5_NT_PRINCIPAL -out <filename>.keytab

  3. Store the resulting keytab file on the Vocera system for upload in Authentication Settings through the Vocera Platform Web Console.
  4. (Optional) Instead of creating and uploading a separate file for each user as described in step 2, you can add multiple users to an existing single keytab file. Run the ktpass -princ command once for each distinct '-mapuser' value that you need in the keytab, passing the existing file with -in and the same file name with -out so that the new entry is appended rather than the file overwritten. Each run sets the password of the account named by -mapuser, so use -pass * and enter that account's password when prompted. Example:
    ktpass -princ HTTP/testserver@kerberos.jboss.org -mapuser KERBEROS1\testserver -pass * -in C:\testserver.host.keytab -out C:\testserver.host.keytab
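    The checks worth running on the generated file before uploading it, as an added example that is not part of the Vocera documentation or product: a parser for the MIT keytab layout (version 0x0502) that ktpass writes, and a check function that confirms the HTTP principal is present with the exact case the Vocera Platform will request, that all entries for it share one kvno (a mixed kvno means an entry was appended after a later password reset), that an AES key is present, and that any RC4 or DES key written by /crypto All is flagged. Because ktpass cannot run offline, the script builds a constructed keytab in memory with dummy key bytes and a made-up principal, realm and timestamp; build_keytab exists only to produce that stand-in, and parse_keytab works equally on a real file read with open(path, "rb").

```python
"""Parse and check a Kerberos keytab such as the one ktpass /out writes.

Added example, not code from the Vocera documentation or product. The keytab
is constructed in memory with dummy key bytes (no real key material), standing
in for the file ktpass produces; the parser follows the MIT keytab layout
(version 0x0502) that ktpass writes, and the checks are the ones worth running
before uploading the file: exact principal case, consistent kvno, an AES key
present, and RC4/DES keys flagged as weak.
"""
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1  # name type written by ktpass /ptype KRB5_NT_PRINCIPAL


def _octets(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Write a version 0x0502 keytab from (principal, kvno, enctype, key, timestamp) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # entry length prefix
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry: principal, name_type, kvno, enctype, timestamp, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts, "key": key})
    return entries


def check_keytab(entries, expected_principal):
    """Return findings as strings; an empty list means the keytab is ready to upload."""
    findings = []
    exact = [e for e in entries if e["principal"] == expected_principal]
    if not exact:
        near = sorted({e["principal"] for e in entries
                       if e["principal"].lower() == expected_principal.lower()})
        findings.append(f"principal case mismatch: found {near}, expected {expected_principal}"
                        if near else f"no entry for {expected_principal}")
        return findings
    kvnos = sorted({e["kvno"] for e in exact})
    if len(kvnos) > 1:
        findings.append(f"mixed kvno {kvnos}: entries were appended after a password reset")
    enctypes = {e["enctype"] for e in exact}
    for et in sorted(enctypes & WEAK_ENCTYPES):
        findings.append(f"weak enctype present: {ENCTYPES[et]}")
    if not enctypes & {17, 18}:
        findings.append("no AES key present")
    if any(e["name_type"] != KRB5_NT_PRINCIPAL for e in exact):
        findings.append("name type is not KRB5_NT_PRINCIPAL")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a keytab written with /crypto All: AES256, AES128 and RC4 keys.
    spn = "HTTP/vocera.example.com@EXAMPLE.COM"
    keytab = build_keytab([(spn, 3, 18, b"\x11" * 32, 1700000000),
                           (spn, 3, 17, b"\x22" * 16, 1700000000),
                           (spn, 3, 23, b"\x33" * 16, 1700000000)])
    for e in parse_keytab(keytab):
        print(e["principal"], "kvno", e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"]))
    print(check_keytab(parse_keytab(keytab), spn))
```

    On a real file, the principal to pass to check_keytab is the exact string you gave to /princ; a "principal case mismatch" finding means the keytab will not match the request the Vocera Platform receives, and a "mixed kvno" finding means one of the appended ktpass runs reset the account password after an earlier entry was written, so the file must be regenerated from scratch.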

See Configuring Authentication Settings for information on uploading the generated keytab file to the Vocera Platform.