The Policy Server service account, the SM Web Agent service account, and the user accounts must all belong to the same KDC, i.e. the same Kerberos realm (in practice the same Active Directory domain): the Policy Server account, the SM Agent account(s) and the user accounts all have to be held by that one KDC.
As long as that condition holds, the Policy Server can sit anywhere in the infrastructure.
Key Points for Kerberos Authentication
SM Web Agent Account Delegation:
Start by configuring the SM Web Agent account on the KDC (usually Active Directory) for unconstrained, Kerberos-only delegation ("Trust this user for delegation to any service (Kerberos only)") to prove that the delegation path works end to end. Once it does, tighten it to constrained delegation ("Trust this user for delegation to specified services only", Kerberos only) and add the "smps" service of the Policy Server account to the allowed list. Unconstrained delegation lets the agent account act as any authenticated user towards any service in the domain, so it is a diagnostic step, not the end state.
CA Single Sign-On Agent Configuration Object
ACO Option | ACO Value Format | Description |
HttpServicePrincipal | HTTP/www.example.com@EXAMPLE.COM | This option is used by the web agent when authenticating to the KDC. It is always in the form HTTP/web-server-name@kerberos-realm where web-server-name is the name of the web server (as used by the HTTP user agent), and kerberos-realm is the Kerberos realm. For example, there might be multiple web servers behind a load balancer virtual IP. In that case, you would specify the name of the load balancer rather than a specific server. |
KCCExt | .kcc | Extension for the CA SSO Kerberos credential collector, typically .kcc. |
SmpsServicePrincipal | smps@pserver.example.com | This option is used by the web agent when delegating the authenticated user's credentials to the policy server. It is always in the form smps@policy-server-name where policy-server-name is the name of the CA SSO policy server. This is the GSS-API host-based service name form; the Kerberos library resolves it to smps/policy-server-name@REALM, which is the principal the policy server holds a key for. As with the HttpServicePrincipal setting, this might be a name shared among multiple policy servers. |
CA Single Sign-On Kerberos Authentication Scheme
Authentication Scheme Option | Authentication Scheme Value Format | Description |
Principal Name | smps/pserver.example.com@EXAMPLE.COM | This option is used by the policy server when authenticating to the KDC. It is always in the form smps/policy-server-name@kerberos-realm where policy-server-name is the name of the CA SSO policy server. The policy-server-name MUST match the one in the ACO's SmpsServicePrincipal option (the ACO value is the same principal written as smps@policy-server-name, without the realm), and the keytab loaded by the policy server must contain the key for exactly this principal, otherwise the delegated service ticket cannot be decrypted. |
Other Key Points
- The Policy Server side cannot use multiple keytabs or multiple SM Policy Server accounts on the KDC for Kerberos authentication: the authentication scheme carries a single Principal Name, so create one common KDC account (and one keytab) for the Policy Server and share it across all Policy Servers.
- On the Web Agent side, multiple keytabs and multiple SM Agent accounts on the KDC are fine, e.g. one HTTP/web-server-name principal per web server, or one per load-balancer name when several servers sit behind a VIP.
- Scope delegation as narrowly as possible: only the SM Web Agent account (HTTP/...) needs delegation, never the SM Policy Server account (smps/...). Use constrained delegation ("Trust this user for delegation to specified services only", with the smps service added) rather than unconstrained delegation ("Trust this user for delegation to any service (Kerberos only)").
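The following PowerShell script is an added example, not part of the original post or of CA's documentation. It carries out the points above against Active Directory: it registers the HTTP and smps SPNs, generates one keytab per account, applies unconstrained Kerberos-only delegation to the web agent account as a diagnostic step, then replaces it with constrained delegation to the smps service only, clears delegation on the Policy Server account, and verifies the end state. All names (EXAMPLE.COM / EXAMPLE, svc-smwebagent, svc-smps, www.example.com, pserver.example.com, C:\keytabs) are assumed placeholders, as is the choice of AES256 as the keytab cipher; the script expects to run on a domain-joined admin host with the RSAT ActiveDirectory module, setspn.exe and ktpass.exe available.

```powershell
# Added example (not from the original post). Assumed names:
#   Kerberos realm / NetBIOS domain : EXAMPLE.COM / EXAMPLE
#   Web Agent account  EXAMPLE\svc-smwebagent -> SPN HTTP/www.example.com
#   Policy Server acct EXAMPLE\svc-smps       -> SPN smps/pserver.example.com
Import-Module ActiveDirectory

$Realm   = 'EXAMPLE.COM'
$Domain  = 'EXAMPLE'
$WebAcct = 'svc-smwebagent'
$PsAcct  = 'svc-smps'
$HttpSpn = 'HTTP/www.example.com'        # the name the browser uses; the VIP name if load balanced
$SmpsSpn = 'smps/pserver.example.com'    # must equal the auth scheme Principal Name without @REALM
$KeytabDir = 'C:\keytabs'                # assumed output location

# 1. Register the SPNs. setspn -S refuses to add a duplicate SPN; a duplicate HTTP SPN is the most
#    common reason the browser never gets a usable ticket for the web server.
setspn -S $HttpSpn "$Domain\$WebAcct"
setspn -S $SmpsSpn "$Domain\$PsAcct"
setspn -X                                 # forest-wide duplicate check: must report 0 duplicates

# 2. Keytabs. Assumption: AES256 only. The account must advertise AES support before ktpass runs,
#    otherwise the KDC issues RC4 tickets the keytab cannot decrypt.
Set-ADUser -Identity $WebAcct -KerberosEncryptionType AES256
Set-ADUser -Identity $PsAcct  -KerberosEncryptionType AES256
# ktpass maps the principal to the account AND resets the account password to the one entered (/pass *).
# One keytab per Web Agent account is fine; the Policy Server has exactly one account and one keytab.
ktpass /princ "$HttpSpn@$Realm" /mapuser "$Domain\$WebAcct" /pass * /crypto AES256-SHA1 `
       /ptype KRB5_NT_PRINCIPAL /out "$KeytabDir\www.example.com.keytab"
ktpass /princ "$SmpsSpn@$Realm" /mapuser "$Domain\$PsAcct" /pass * /crypto AES256-SHA1 `
       /ptype KRB5_NT_PRINCIPAL /out "$KeytabDir\pserver.example.com.keytab"

# 3a. Diagnostic step only: unconstrained, Kerberos-only delegation for the Web Agent account.
#     This sets userAccountControl TRUSTED_FOR_DELEGATION, which is what the GUI option
#     "Trust this user for delegation to any service (Kerberos only)" does.
Set-ADAccountControl -Identity $WebAcct -TrustedForDelegation $true

# 3b. Target state: constrained, Kerberos-only delegation to the smps service and nothing else.
#     Writing msDS-AllowedToDelegateTo is the GUI's "Trust this user for delegation to specified
#     services only / Use Kerberos only". Clear the unconstrained flag explicitly: unlike the GUI,
#     PowerShell does not do that for you, and leaving it set would silently keep unconstrained delegation.
Set-ADAccountControl -Identity $WebAcct -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADUser -Identity $WebAcct -Replace @{ 'msDS-AllowedToDelegateTo' = @($SmpsSpn) }

# 3c. The Policy Server account never delegates; make sure no flag or allow-list is set on it.
Set-ADAccountControl -Identity $PsAcct -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADUser -Identity $PsAcct -Clear 'msDS-AllowedToDelegateTo'

# 4. Verify the end state on both accounts.
foreach ($acct in @($WebAcct, $PsAcct)) {
    Get-ADUser -Identity $acct -Properties servicePrincipalName, TrustedForDelegation, `
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
      Select-Object SamAccountName, servicePrincipalName, TrustedForDelegation, `
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}
# Expected: svc-smwebagent  TrustedForDelegation=False  msDS-AllowedToDelegateTo={smps/pserver.example.com}
#           svc-smps        TrustedForDelegation=False  msDS-AllowedToDelegateTo=<empty>

# 5. From any domain-joined client, confirm the KDC issues a service ticket for the HTTP SPN.
#    KDC_ERR_S_PRINCIPAL_UNKNOWN here means the SPN is missing or registered on the wrong account.
klist purge
klist get $HttpSpn
```

Run step 3a only while diagnosing a failing delegation path and move to 3b as soon as the agent can obtain a ticket for the smps service; the verification in step 4 is the check that TRUSTED_FOR_DELEGATION really was cleared again, which is the point that is easy to miss when the change is scripted rather than made in the Active Directory Users and Computers GUI.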
Reference:
- Kerberos Authentication with CA Single Sign-On: Reference Configuration (v2, PDF):
https://communities.ca.com/docs/DOC-231172118-kerberosauthenticationwithcasinglesignonreferenceconfigv2pdf
- Kerberos Troubleshooting (including listing keytabs on Windows with KTPASS.EXE):
https://communities.ca.com/docs/DOC-231177811-kerberos-troubleshooting#jive_content_id_Listing_Keytabs_on_Windows_with_KTPASSEXE
Thanks & Regards,
-Sarvesh