A System Administrator can create the Kerberos keytab files used to authenticate user
accounts in the Vocera system.
When Kerberos authentication is enabled, you can upload a keytab file provided by a
Windows administrator to authenticate clients from multiple realms to the HTTP service.
The keytab files are generated on the user's Active Directory server.
A Vocera LDAP Adapter is required for Kerberos keytab generation. For information on
the LDAP adapter configuration, refer to the Vocera Adapters documentation section in
the Vocera Documentation Portal.
Before generating the keytab file for Kerberos authentication, the System
Administrator must:
- Obtain the domain name of the Vocera Platform cluster, and the name of a user account in Active Directory that
represents the Vocera Platform.
- Ensure that Kerberos is configured and working correctly on the user's
network. This configuration requires a service or computer account for the
host and an HTTP principal entry for that host, with a keytab file
containing a token for the HTTP principal placed on the Vocera Platform.
- Ensure that the computer's time is synchronized with the Active Directory
server; Vocera recommends NTP setup for the Vocera Platform to ensure the time is synchronized. For instructions on configuring Microsoft Active
Directory, refer to the Red Hat website.
- Ensure that the Windows user account does not have "Do not require Kerberos
preauthentication" checked. In this example the box is checked; be sure to
uncheck this checkbox.
To generate a keytab file:
See Configuring Authentication Settings for
information on uploading the generated keytab file to the Vocera Platform.
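
A keytab received from the Windows administrator can be checked before upload to confirm that it carries an HTTP principal entry for the Vocera Platform host. The following Python code is an added example, not Vocera code: it assumes the MIT keytab file format 0x0502, uses a constructed host name and realm (vocera.example.com, EXAMPLE.COM) with dummy all-zero keys, and also flags DES and RC4 entries, which goes beyond what this page requires.

```python
import struct

WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # deprecated enctypes

def _counted(buf, off):
    """Read a uint16-length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("field overruns keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + max(size, 0)], pos + 4 + abs(size)
        if size <= 0:                       # negative size: hole from a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, names = 2, []
        for _ in range(ncomp + 1):          # realm first, then the name components
            name, off = _counted(rec, off)
            names.append(name.decode())
        kvno = rec[off + 8]                 # after 4-byte name type, 4-byte timestamp
        (etype,) = struct.unpack_from(">H", rec, off + 9)
        _key, off = _counted(rec, off + 11)  # key bytes are stepped over, never shown
        if len(rec) - off >= 4:             # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def check_keytab(data, host):
    """Return a list of problems with the HTTP principal entries for `host`."""
    hits = [e for e in parse_keytab(data) if e[0].startswith(f"HTTP/{host}@")]
    if not hits:
        return [f"no HTTP/{host} entry in keytab"]
    return [f"{p} kvno {k}: weak enctype {WEAK[t]}" for p, k, t in hits if t in WEAK]

def _entry(host, realm, etype, keylen):     # builds the constructed sample only
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(realm) + cs(b"HTTP") + cs(host)
            + struct.pack(">IIBH", 1, 0, 3, etype) + cs(bytes(keylen)) + struct.pack(">I", 3))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(_entry(b"vocera.example.com", b"EXAMPLE.COM", e, n)
                                for e, n in ((18, 32), (23, 16)))  # all-zero dummy keys
```

Call `check_keytab` on the bytes of the real file with the platform's host name; an empty list means an HTTP entry is present and none of its keys use a flagged encryption type.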