Users Guide
NOTE: If you are using Active Directory on Windows 2003, make sure that you have the latest
service packs and patches installed on the client system. If you are using Active Directory on
Windows 2008, make sure that you have installed SP1 along with the following hot fixes:
  • Windows6.0-KB951191-x86.msu for the KTPASS utility. Without this patch the utility generates
    bad keytab files.
  • Windows6.0-KB957072-x86.msu for using GSS_API and SSL transactions during an LDAP bind.
• Kerberos Key Distribution Center (packaged with the Active Directory Server software).
• DHCP server (recommended).
• The DNS server reverse zone must have an entry for the Active Directory server and CMC.
Client Systems
• For Smart Card login only, the client system must have the Microsoft Visual C++ 2005 redistributable.
For more information, see
www.microsoft.com/downloads/details.aspx?FamilyID=32BC1BEE-A3F9-4C13-9C99-220B62A191EE&displaylang=en
• For Single Sign-On or smart card login, the client system must be a part of the Active Directory
domain and Kerberos Realm.
CMC
• CMC must have firmware version 2.10 or later.
• Each CMC must have an Active Directory account.
• CMC must be a part of the Active Directory domain and Kerberos Realm.
Prerequisites For Single Sign-On Or Smart Card Login
The prerequisites to configure SSO or Smart Card login are:
• Set up the Kerberos realm and Key Distribution Center (KDC) for Active Directory (ksetup).
• A robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
• Configure CMC with Active Directory standard schema role group with authorized members.
• For smart card, create Active Directory users for each CMC, configured to use Kerberos DES
encryption but not pre-authentication.
• Configure the browser for SSO or smart card login.
• Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to
CMC).
Related Links
Configuring Standard Schema Active Directory
Configuring Extended Schema Active Directory
Configuring Browser For SSO Login
Generating Kerberos Keytab File
Configuring Browser For Smart Card Login
Generating Kerberos Keytab File
To support SSO and smart card login authentication, CMC supports Windows Kerberos networks. The
ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the
Service Principal Name (SPN) bindings to a user account and export the trust information into an MIT-style
Kerberos keytab file. For more information on the ktpass utility, see the Microsoft website.