Setting up a client PC for Kerberos

For any computer to access (as a client) a station that supports Kerberos authentication, you must update a Kerberos configuration file (krb5) in the PC with the default realm and define which flags to set on acquired tickets. (Kerberos authentication requires the ability to acquire Kerberos tickets that can be forwarded.) In addition, you must update the Windows registry.

  1. In Workbench, click Tools > Kerberos Configuration Tool.
  2. In the Basic Krb5 Conf Editor view, click the Forwardable checkbox to set the property value to “true” and click the toolbar icon to save your change, as shown here.


    Note: If your Kerberos setup requires a more advanced krb5.conf configuration, you can manually configure the file using the Advanced Krb5 Conf Editor view, located under the View dropdown list, as shown here.

    Also, if you are working with Linux, some systems may require a more advanced krb5.conf file. If that is the case, have your Kerberos administrator set up this file for you.

  3. If your PC is running Windows XP SP2 or later, and you would like to access your native Kerberos ticket, you must set a registry key to allow Java to access the ticket.
    1. Before setting a registry key, back up your Windows registry.
    2. To set the key, start the registry editor (Start > Run... and enter regedit) and add or edit the following key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Value name: AllowTgtSessionKey
      Value type: REG_DWORD
      Value: 0x01

      If configuring Windows XP, add or edit this key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
      Value name: AllowTgtSessionKey
      Value type: REG_DWORD
      Value: 0x01


    Note: If necessary, you can return to the default Windows security setting by changing the value of this registry key to zero (0).
On completion of this procedure, you have successfully updated the Kerberos configuration file (krb5.conf) and set up a registry key on the PC.
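
The registry part of step 3 can also be scripted. The following PowerShell function is an added example, not part of the original procedure or the vendor's tooling: it exports the Kerberos key as a backup, writes AllowTgtSessionKey, and reads the value back to confirm it. The function name, the -WindowsXP switch and the backup file location are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example (not vendor code). Requires an elevated PowerShell prompt.
# Hypothetical names: Set-AllowTgtSessionKey, -WindowsXP, the backup file path.
function Set-AllowTgtSessionKey {
    param(
        [ValidateSet(0, 1)][int]$Value = 1,   # 1 = let Java read the TGT session key, 0 = Windows default
        [switch]$WindowsXP,                   # Windows XP keeps the value directly under ...\Lsa\Kerberos
        [string]$BackupFile = (Join-Path $env:TEMP ("lsa-kerberos-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date)))
    )

    $regBase = 'HKLM\System\CurrentControlSet\Control\Lsa\Kerberos'
    $psBase  = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
    $key     = if ($WindowsXP) { $psBase } else { "$psBase\Parameters" }
    $name    = 'AllowTgtSessionKey'

    # Step 3.1: back up the key (including Parameters) before changing anything.
    & reg.exe export $regBase $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $regBase failed; nothing was changed."
    }

    # Record the previous state so the change can be audited or reverted.
    $previous = $null
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($prop) { $previous = $prop.$name }
    } else {
        New-Item -Path $key -Force | Out-Null
    }

    # Step 3.2: add or edit the REG_DWORD value.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null

    # Read the value back; fail loudly if the write did not take effect.
    $actual = (Get-ItemProperty -Path $key -Name $name).$name
    if ($actual -ne $Value) { throw "$name is $actual, expected $Value" }

    New-Object PSObject -Property @{
        Key = $key; Previous = $previous; Current = $actual; Backup = $BackupFile
    }
}

# Enable on current Windows versions:      Set-AllowTgtSessionKey
# Return to the default security setting:  Set-AllowTgtSessionKey -Value 0
```

The Previous field in the returned object shows whether the value was already set, which is useful when auditing which client PCs have had the default changed.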