User's Manual

Using the CMC With Microsoft Active Directory
Starting with CMC version 2.10, the CMC can use Kerberos to support two
additional types of login mechanisms—single sign-on and Smart Card login.
For single sign-on login, the CMC uses the client system’s credentials,
which are cached by the operating system after you log in using a valid
Active Directory® account.
NOTE: Selecting a login method does not set policy attributes with respect to other
login interfaces, for example, SSH. You must set other policy attributes for other
login interfaces as well. If you want to disable all other login interfaces, navigate to
the Services page and disable all (or some) login interfaces.
System Requirements
To use Kerberos authentication, your network must include:
• DNS server
• Microsoft Active Directory® Server
NOTE: If you are using Active Directory on Windows 2003, ensure that
you have the latest service packs and patches installed on the client system.
If you are using Active Directory on Windows 2008, ensure that you have
installed SP1 along with the following hot fixes:
  • Windows6.0-KB951191-x86.msu for the KTPASS utility. Without this patch the
    utility generates bad keytab files.
  • Windows6.0-KB957072-x86.msu for using GSS_API and SSL transactions
    during an LDAP bind.
• Kerberos Key Distribution Center (packaged with the Active Directory
  Server software)
• DHCP server (recommended)
• The DNS server reverse zone must have an entry for the Active Directory
  server and CMC
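The reverse-zone requirement above can be checked against exported zone data before Kerberos login is enabled. The following is an added example, not part of the manual; the host names, addresses, and the function name `check_reverse_entries` are constructed for illustration.

```python
import ipaddress

# Constructed sample zone data (hypothetical names, documentation addresses).
FORWARD = {  # A records: FQDN -> IPv4 address
    "dc01.example.test.": "192.0.2.10",
    "cmc01.example.test.": "192.0.2.50",
}
REVERSE = {  # PTR records: reverse-zone name -> FQDN
    "10.2.0.192.in-addr.arpa.": "dc01.example.test.",
    # No PTR for the CMC yet: this is the gap the check should report.
}


def check_reverse_entries(hosts, forward, reverse):
    """Return {fqdn: problem} for every host without a matching PTR record.

    A host passes only if its A record exists and the PTR record for that
    address points back to the same FQDN (forward-confirmed reverse DNS).
    """
    problems = {}
    for host in hosts:
        fqdn = host.lower().rstrip(".") + "."
        addr = forward.get(fqdn)
        if addr is None:
            problems[fqdn] = "no A record"
            continue
        # reverse_pointer yields e.g. "10.2.0.192.in-addr.arpa" (no trailing dot)
        ptr_name = ipaddress.ip_address(addr).reverse_pointer + "."
        target = reverse.get(ptr_name)
        if target is None:
            problems[fqdn] = f"no PTR record at {ptr_name}"
        elif target.lower() != fqdn:
            problems[fqdn] = f"PTR at {ptr_name} points to {target}"
    return problems


if __name__ == "__main__":
    # Hosts named by the requirement: the Active Directory server and the CMC.
    required = ["dc01.example.test", "cmc01.example.test"]
    for name, problem in check_reverse_entries(required, FORWARD, REVERSE).items():
        print(f"{name}: {problem}")
```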
Client Systems
• For Smart Card login only, the client system must have the Microsoft
  Visual C++ 2005 redistributable. For more information, see
  www.microsoft.com/downloads/details.aspx?FamilyID=32BC1BEEA3F9-4C13-9C99-220B62A191EE&displaylang=en
• For Single Sign-On and Smart Card login, the client system must be a part
  of the Active Directory domain and Kerberos Realm.