Overview

Kerberos SSO requires that a service account is configured in Active Directory. It is important that this service account is correctly created and configured .

This article explains what a service account is, and show how Polar SSO helps you create and configure an account.

Service accounts

A Kerberos service account is just a regular Active Directory user account, but with few extra properties added:

  • The password of the account is used as a key when encrypting service tickets. Service tickets are decrypted with the same key when Polar SSO verifies users.
  • The password of a service account should never change. If it does, the key effective key changes and Polar SSO will no longer be able to decrypt and verify service tickets.
  • Clients request service tickets using a 'service principal name' (such as 'HTTP/jira.example.com)'. This name must be mapped as an attribute on the service account.

Service accounts should only be used the purpose of backing a single Kerberos Service. To avoid conflicts, do not reuse an existing account, but create a new account just for this purpose.

The following illustration shows how a service ticket is requested, issued and validated in a Kerberos authentication ceremony:

Configuring a service account

Polar SSO offers a few convenient ways setting up a Kerberos service account.

These methods are designed to hide most of the complexities of setting up a service account, and to automate the process as much as possible.

Connect to Active Directory

This method uses secure LDAP connection to create and configure the service account directory in Active Directory. Use this method when:

  • You have direct and secure access to Active Directory via configured User Directory.
  • You can provide a valid an Active Directory domain admin username and password.

This method requires no external tooling and there is no need to remote desktop into Active Directory. Service account setup to be performed entirely in Polar SSO's admin pages.  This method is only available when Polar SSO can establish a secure LDAP channel (using TLS or Kerberos)

Connect to Active Directory

Run a PowerShell setup script

This method generates a PowerShell script which is then executed on an Active Directory Domain Controller by a domain administrator. Use this method when:

  • The 'Connect to Active Directory' method described above is not available. 
  • You can share the PowerShell script with a domain admin who can run it for you.

Run a PowerShell setup script

Use ktpass to issue a keytab file

This method generates a ktpass command line which is then executed by an Active Directory domain administrator. Use this method when:

  • The 'Connect to Active Directory' or 'Run a PowerShell script' methods are not available.
  • You can share the ktpass command with an Active Directory domain admin who can run it for you.

Use ktpass to issue a keytab file

Next steps