Automic have definitely improved the documentation, but I would not say it’s complete.
Setting up SSO for the Java User Interface is a bit of a hassle, particularly if you run the AE on multiple hosts. When we discovered how much trouble it was to get SSO working with the JUI, we decided that we would wait to enable SSO until we had migrated to the AWI. The JUI is being deprecated anyway, for better and worse.
Automic’s documentation appears to have been written from the point of view of someone who is setting up a test system in an Active Directory domain on which he/she has full administrative privileges. To wit, the documentation assumes that the person creating the keytab will be the same person as the person creating the SPN in the KDC. Many enterprise IT environments are not like this. At least in our environment, there is a clear separation of roles. I am able to run ktpass to create a keytab, but am not authorized to use the /mapuser parameter to make changes in Active Directory. An AD administrator must do that.
Because of this separation of roles, it was a real challenge to make sure that the encrypted password in the keytab matched the password in the KDC. Why? Because the encrypted password that the KDC expects depends not only on the service user’s password, but also on the salt, a value that is based on the Kerberos realm and the UPN at the time the SPN was mapped to a UPN. At least in Active Directory’s KDC, there is a one-to-one relationship between SPNs and UPNs.
When you generate the keytab using ktpass, you must specify the correct salt using the /rawsalt parameter. Microsoft does not fully document how the salt is set, and I found no straightforward way of reading it out from the KDC. The only 100% reliable way I found to determine the correct salt is to run a packet trace of a kinit. I used Wireshark to capture a packet trace while I ran kinit as the service user. In the trace I was able to see the salt I needed to use when running ktpass.
Automic should expand the documentation to describe this process. Better yet, Automic should document a reliable way of finding the salt that does not require running a packet trace. Automic should probably also expand the documentation to include instructions for non-Microsoft KDCs.
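Added example, not from the original post and not Automic's or Microsoft's code: a small Go program that reproduces the key derivation the post is fighting with, so that a keytab can be checked against a candidate salt offline instead of by trial and error with SSO logins. It implements the RFC 3962 AES string-to-key (PBKDF2-HMAC-SHA1, then DK with the "kerberos" constant), which is what Active Directory and ktpass /crypto AES256-SHA1 both use; AD advertises 4096 PBKDF2 iterations for its AES enctypes. The salt string it needs is the one the KDC returns in the PA-ETYPE-INFO2 entry of its preauth-required error, the value visible in the kinit trace and the value that goes into ktpass /rawsalt. The password, salt strings and "keytab" key in main are constructed placeholders, not values from any real environment, and the stale salt used to build the placeholder keytab key is an assumption chosen to show a mismatch. The code reproduces the RFC 3962 Appendix B test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// rotateRight rotates the bit string b right by nbits bits (one n-fold step).
func rotateRight(b []byte, nbits int) []byte {
	n, out, nb, bits := len(b), make([]byte, len(b)), (nbits/8)%len(b), uint(nbits%8)
	for i := range out {
		src, prev := ((i-nb)%n+n)%n, ((i-nb-1)%n+n)%n
		out[i] = (b[src] >> bits) | byte(int(b[prev])<<(8-bits))
	}
	return out
}

// addOnesComplement adds equal-length big-endian integers with end-around carry.
func addOnesComplement(a, b []byte) []byte {
	n, out, carry := len(a), make([]byte, len(a)), 0
	for i := n - 1; i >= 0; i-- {
		s := int(a[i]) + int(b[i]) + carry
		out[i], carry = byte(s), s>>8
	}
	for i := n - 1; carry != 0; i = (i + n - 1) % n { // feed the carry back in at the LSB
		s := int(out[i]) + carry
		out[i], carry = byte(s), s>>8
	}
	return out
}

// nfold (RFC 3961 5.1): repeat the input, rotating 13 bits per copy, to the LCM of both lengths, then fold by ones' complement sums.
func nfold(in []byte, nbytes int) []byte {
	l, lcm := len(in), nbytes
	for lcm%l != 0 {
		lcm += nbytes
	}
	big := make([]byte, 0, lcm)
	for i := 0; i < lcm/l; i++ {
		big = append(big, rotateRight(in, 13*i)...)
	}
	out := big[:nbytes]
	for p := nbytes; p < lcm; p += nbytes {
		out = addOnesComplement(out, big[p:p+nbytes])
	}
	return out
}

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), written out so the example builds on Go releases without crypto/pbkdf2.
func pbkdf2SHA1(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha1.New, pass)
	for block := 1; len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		t, u := mac.Sum(nil), mac.Sum(nil) // U1 twice: one copy to xor into, one to chain
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AESKeyHex is the RFC 3962 string-to-key for aes128/aes256-cts-hmac-sha1-96 (bits 128 or 256): PBKDF2 over
// the UTF-8 password and salt, then DK(tkey, "kerberos"), each DK block being one raw AES block encryption.
func AESKeyHex(password, salt string, iter, bits int) string {
	keyLen := bits / 8
	block, _ := aes.NewCipher(pbkdf2SHA1([]byte(password), []byte(salt), iter, keyLen)) // keyLen is 16 or 32
	in, key := nfold([]byte("kerberos"), aes.BlockSize), []byte(nil)
	for len(key) < keyLen {
		out := make([]byte, aes.BlockSize)
		block.Encrypt(out, in)
		key, in = append(key, out...), out
	}
	return hex.EncodeToString(key[:keyLen]) // lowercase hex, as keytab keys are usually printed
}

// SaltMatches reports whether a KDC salting with salt derives the keytab's key from password.
func SaltMatches(keytabKeyHex, password, salt string, iter, bits int) bool {
	return AESKeyHex(password, salt, iter, bits) == keytabKeyHex
}

func main() {
	// Constructed inputs, not real credentials: observedSalt stands for the salt shown in the PA-ETYPE-INFO2
	// entry of the captured kinit; keytabKeyHex for the aes256 key printed from the keytab, built with a stale salt.
	password, observedSalt := "S3rvice-Acc0unt-Passw0rd", "EXAMPLE.COMsvc_automic"
	keytabKeyHex := AESKeyHex(password, "EXAMPLE.COMautomic", 4096, 256) // AD uses 4096 iterations
	for _, salt := range []string{observedSalt, "EXAMPLE.COMautomic"} {
		fmt.Printf("salt %q matches keytab: %v\n", salt, SaltMatches(keytabKeyHex, password, salt, 4096, 256))
	}
}
```

To use it on a real keytab, replace the placeholders with the service account password, the salt from the trace, and the key bytes from the keytab (MIT klist -k -K -e prints them). If SaltMatches is false for the salt the KDC actually sent, the keytab was built with a different salt and has to be regenerated with ktpass /rawsalt set to the observed value; running the loop over a few plausible salts (old UPN, lower-case realm) also tells you which salt the existing keytab was built with.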