IBM Tivoli Federated Identity Manager, Version 6.2.1

Kerberos delegation module

The Kerberos delegation module is called KerberosDelegationSTSModule.

The module issues Kerberos credentials for a given user and service with a token type of:
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

The module supports issue and exchange modes. The module facilitates the issuing of Kerberos Constrained Delegation application service tickets, also known as Service for User To Proxy (S4U2Proxy).

This module is used primarily to allow Tivoli® Access Manager WebSEAL to support Kerberos junctions. The junctions are WebSEAL junctions to a Web server, such as IIS, that is configured for Integrated Windows® Authentication (SPNEGO).

Deployment scenarios for this module type
  • Custom trust chains
  • Web services security management
Supported modes
  • Issue
  • Exchange
Configuration properties (initialization)
Maximum size of the user credential cache
This value determines the number of impersonation handles and user credentials cached for performance reasons in the dynamically loaded library loaded by the module. Set this number to the approximate number of expected concurrent end users of the service for high-volume transactions. The higher the number, the more memory that might be consumed by the Tivoli Federated Identity Manager runtime application.

Default: 100

Configuration properties (issue mode)
Default target Service Principal Name
This is the default target Service Principal Name. It is used for WS-Trust clients that do not send the target Service Principal Name in the AppliesTo ServiceName element of the RST, and that do not have a mapping rule to configure the target Service Principal Name as an STSUniversalUser context attribute. This field is optional.
Options for adding a Tivoli Access Manager username for Kerberos authentication
The options allow you to specify whether the module will auto-append a suffix to the user name in the STSUniversalUser. The options are useful when deploying the Kerberos delegation module with a Tivoli Access Manager WebSEAL deployment. Options:
  • Do not add a suffix to the username.

    This option leaves the user name unmodified.

  • Add the machine DNS domain as a suffix to the username.

    This option auto-appends the DNS domain suffix for the Tivoli Federated Identity Manager runtime machine to the principal name in the STSUniversalUser before calling the Windows API to obtain a Kerberos ticket. The DNS domain is read from the Windows Registry Key:

    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

    This option optimizes the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions. The addition of the DNS domain enables the Windows API to successfully match the user name against the user record in the Active Directory user registry.

    Note that the module auto-appends the DNS domain name only when the STSUniversalUser principal name does not already contain the @ character. This means that if a mapping rule was used to append a suffix containing the @ character to the user principal name, or if the Tivoli Access Manager username itself contains the @ character, this setting has no effect.

  • Add the configured suffix to the username

    This option is used to optimize the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions.

    This option allows the administrator to manually specify the suffix. This option is for special cases where the userPrincipalName attribute for the user does not match the DNS domain name of the Windows machine running the Tivoli Federated Identity Manager Runtime. This option has no effect when the principal name already contains an @ character.

    The suffix to add if using a configured suffix
    For example: @mydomain.com
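The following is an added illustration, not IBM's module code: it models how the two inputs of the S4U2Proxy request described on this page are derived, the target Service Principal Name (RST AppliesTo ServiceName first, then a mapping-rule context attribute, then the configured default) and the user principal name under each of the three suffix options, including the rule that an existing @ character disables suffixing. The function names, the dictionary standing in for the Windows Registry, the context attribute name TargetServicePrincipalName and all sample values are assumptions made for the example.

```python
# Added example (assumed names and values); models the documented configuration
# logic of the Kerberos delegation module, it does not call any Windows API.
from dataclasses import dataclass
from typing import Optional

# The three documented choices for "Options for adding a Tivoli Access Manager username"
NO_SUFFIX = "none"
DNS_DOMAIN_SUFFIX = "dns-domain"
CONFIGURED_SUFFIX = "configured"

# Registry value the page says the DNS domain is read from (used here as a dict key)
DNS_DOMAIN_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"

# Assumed name of the STSUniversalUser context attribute a mapping rule would set
TARGET_SPN_ATTR = "TargetServicePrincipalName"


@dataclass
class DelegationConfig:
    suffix_option: str
    configured_suffix: str = ""            # only used with CONFIGURED_SUFFIX, e.g. "@mydomain.com"
    default_target_spn: Optional[str] = None


def read_dns_domain(registry: dict) -> Optional[str]:
    # Stand-in for reading the Tcpip\Parameters\Domain registry value on the runtime machine.
    return registry.get(DNS_DOMAIN_KEY)


def apply_suffix(principal: str, cfg: DelegationConfig, registry: dict) -> str:
    # An '@' already present (from the TAM username or a mapping rule) means no suffix is added,
    # whichever option is configured.
    if "@" in principal or cfg.suffix_option == NO_SUFFIX:
        return principal
    if cfg.suffix_option == DNS_DOMAIN_SUFFIX:
        domain = read_dns_domain(registry)
        if not domain:
            raise ValueError("DNS domain is not set in the registry; cannot form a UPN")
        return f"{principal}@{domain}"
    if cfg.suffix_option == CONFIGURED_SUFFIX:
        if not cfg.configured_suffix.startswith("@"):
            raise ValueError("configured suffix must start with '@', e.g. '@mydomain.com'")
        return principal + cfg.configured_suffix
    raise ValueError(f"unknown suffix option {cfg.suffix_option!r}")


def resolve_target_spn(applies_to_service_name: Optional[str],
                       context_attrs: dict,
                       cfg: DelegationConfig) -> str:
    # Precedence as documented: RST AppliesTo ServiceName, then the mapping-rule
    # context attribute, then the configured default (which is optional).
    if applies_to_service_name:
        return applies_to_service_name
    if context_attrs.get(TARGET_SPN_ATTR):
        return context_attrs[TARGET_SPN_ATTR]
    if cfg.default_target_spn:
        return cfg.default_target_spn
    raise ValueError("no target SPN in the RST, the mapping rule, or the module default")


def build_s4u2proxy_inputs(principal: str,
                           applies_to_service_name: Optional[str],
                           context_attrs: dict,
                           cfg: DelegationConfig,
                           registry: dict) -> dict:
    # The pair the module would hand to the Windows API for constrained delegation.
    return {
        "user": apply_suffix(principal, cfg, registry),
        "target_spn": resolve_target_spn(applies_to_service_name, context_attrs, cfg),
    }


if __name__ == "__main__":
    # Constructed sample data: a runtime machine in corp.example.com and a WebSEAL user "alice"
    registry = {DNS_DOMAIN_KEY: "corp.example.com"}
    cfg = DelegationConfig(DNS_DOMAIN_SUFFIX, default_target_spn="HTTP/iis.corp.example.com")
    print(build_s4u2proxy_inputs("alice", None, {}, cfg, registry))
    # {'user': 'alice@corp.example.com', 'target_spn': 'HTTP/iis.corp.example.com'}
```

The "already contains @" check is worth keeping visible in any deployment review: a mapping rule that appends its own realm silently overrides both suffix options, so a mismatch between that realm and the userPrincipalName in Active Directory shows up only as failed ticket requests, not as a configuration error.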
