Deployment Guide

Configuration Guide 25
6 Configure Components for Kerberos Authentication/Authorization

This section explains how to configure components for use with Kerberos Authentication/Authorization.

Configure Components for Kerberos Authentication/Authorization
NOTE: If Kerberos Authentication/Authorization is to be used, the server that hosts the Key Server component must be a member of the domain in which that authentication takes place.

Key Server is a Service that listens on a socket for clients to connect. Once a client connects, a secure connection is negotiated, authenticated, and encrypted using Kerberos APIs; if a secure connection cannot be negotiated, the client is disconnected.

The Key Server then checks with the Device Server to determine whether the user running the client is allowed to access keys. This access is granted in the Remote Management Console on a per-domain basis.
Windows Service Instructions

1. Navigate to the Windows Service panel (Start > Run... > services.msc > OK).
2. Right-click Dell Key Server and select Properties.
3. Go to the Log On tab and select the This account: option button.
4. In the This account: field, add the desired domain user. This domain user must have at least local admin rights to the Key Server folder (it must be able to write to the Key Server config file and to the log.txt file).
5. Click OK.
6. Restart the Service (leave the Windows Service panel open for further operation).
7. Navigate to <Key Server install dir>\log.txt to verify that the Service started properly.
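The same seven steps, scripted in PowerShell so the change is repeatable and auditable. This is an added example and not part of the Dell guide; the install directory, the service account name and the use of the display name "Dell Key Server" to find the service are assumptions (the guide does not state the short service name), and the folder right granted is Modify on the install folder rather than full local administrator, which is all steps 4 and 7 actually require.

```powershell
# Added example (not part of the Dell guide): automate the "Windows Service Instructions"
# for the Key Server service. Placeholder values are marked; adjust them before use.
# Run in an elevated PowerShell session on the Key Server host.

$installDir  = 'C:\Program Files\Dell\Key Server'   # placeholder: <Key Server install dir>
$serviceUser = 'CORP\svc-keyserver'                 # placeholder: domain user for the service
$displayName = 'Dell Key Server'                    # display name shown in services.msc

# Prompt for the password instead of embedding it in the script.
$cred  = Get-Credential -UserName $serviceUser -Message 'Password for the Key Server service account'
$plain = $cred.GetNetworkCredential().Password

# Step 1-2: locate the service by its display name.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found" }

# Step 3-5: equivalent of the Log On tab, "This account:" option.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $serviceUser
    StartPassword = $plain
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }

# Step 4: the account must be able to write the config file and log.txt. Grant Modify on
# the install folder (inherited by files and subfolders) rather than local admin rights.
$acl  = Get-Acl -Path $installDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $installDir -AclObject $acl

# Step 6: restart so the service runs under the new account.
Restart-Service -Name $svc.Name -Force

# Step 7: show the tail of log.txt to verify that the service started properly.
Get-Content -Path (Join-Path $installDir 'log.txt') -Tail 20
```

One caveat when scripting instead of using services.msc: the Services snap-in grants the account the "Log on as a service" right automatically, whereas Win32_Service.Change does not. If the restart fails with a logon failure, assign that right to the service account through Local Security Policy or Group Policy and restart again.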
Key Server Config File Instructions

1. Navigate to <Key Server install dir>.
2. Open Credant.KeyServer.exe.config with a text editor.
3. Go to <add key="user" value="superadmin" /> and change the "superadmin" value to the name of the appropriate user (you may also leave it as "superadmin").

The value can be written in any form that can authenticate to the Server: the SAM account name, the UPN, or domain\username are all acceptable. The form only needs to be one the Server can authenticate, because the Server must validate that user account in order to authorize it against Active Directory.

For example, in a multi-domain environment, entering only a SAM account name such as "jdoe" will likely fail, because the Server cannot authenticate "jdoe" when it cannot determine which domain "jdoe" belongs to. In a multi-domain environment the UPN is recommended, although the domain\username format is also acceptable.

In a single-domain environment, the SAM account name is acceptable.
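To catch the "cannot find jdoe" failure before the service is restarted, the config edit can be scripted together with a resolution check run on the Key Server host itself. This is an added example, not part of the Dell guide; the install directory and the user value are placeholders, the classification of the three name forms is the example's own, and it assumes that NTAccount.Translate resolves UPN, domain\username and SAM names on a domain-joined host.

```powershell
# Added example (not part of the Dell guide): set the "user" key in
# Credant.KeyServer.exe.config and confirm the name resolves from this host first.
# Placeholder values are marked; adjust them before use.

$installDir = 'C:\Program Files\Dell\Key Server'   # placeholder: <Key Server install dir>
$configPath = Join-Path $installDir 'Credant.KeyServer.exe.config'
$newUser    = 'jdoe@corp.example.com'              # placeholder: UPN, DOMAIN\user or SAM name

# Classify the form of the name so the multi-domain advice can be applied.
function Get-AccountNameFormat {
    param([string]$Name)
    if ($Name -match '^[^\\@]+@[^\\@]+$')  { return 'UPN' }
    if ($Name -match '^[^\\@]+\\[^\\@]+$') { return 'DomainBackslashUser' }
    return 'SAM'
}

# Ask the local security subsystem to translate the name to a SID. If this fails here,
# the Key Server will not be able to authenticate the account either.
function Test-AccountResolves {
    param([string]$Name)
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        return $sid.Value
    } catch { return $null }
}

$format = Get-AccountNameFormat $newUser
$sid    = Test-AccountResolves $newUser
if (-not $sid) { throw "'$newUser' does not resolve on this host; use the UPN or DOMAIN\user form" }
if ($format -eq 'SAM') {
    Write-Warning "'$newUser' is a bare SAM account name; in a multi-domain environment prefer the UPN"
}

# Keep a backup, then update <add key="user" value="..." /> in place.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
[xml]$cfg = Get-Content -Path $configPath -Raw
$node = $cfg.SelectSingleNode("//add[@key='user']")
if (-not $node) { throw "No <add key='user'> element found in $configPath" }
$node.SetAttribute('value', $newUser)
$cfg.Save($configPath)
Write-Host "user key set to '$newUser' (format: $format, SID: $sid)"
```

The resolution check is deliberately done from the Key Server host and not from an administrator's workstation: the guide's requirement is that the Server, not the operator, can authenticate the account, and a name that resolves on a workstation in one domain may still be ambiguous from a server in another.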