Prerequisites for Kerberos authentication in Windows
Before you can use Kerberos with IBM® Spectrum Symphony, your environment must meet certain prerequisites.
Windows support
Kerberos authentication in a Windows cluster is supported on Windows Server 2012 R2. For more information, see Windows support.
Environment requirements
- All hosts in the cluster must be joined to an Active Directory (AD) domain.
- All management hosts in the cluster must belong to the same AD domain. Client or compute hosts can be in a different domain than management hosts, but mutual trust must be set up between the domains.
- IBM Spectrum Symphony must be installed and entitled on all your Windows hosts. When installing management hosts, the cluster administrator OS user account must be a domain user and a member of the local Administrators user group. After installation, if the account under which the LIM service runs is not the specified cluster administrator OS user (for example, when the management host is not installed with a shared directory), change the LIM service settings to use the cluster administrator OS user account:
  - Click .
  - Search for services.msc to open the services set up on the host.
  - Locate LIM, right-click the service, and click Properties.
  - Click the Log On tab.
  - Select This account and enter the cluster administrator OS user's credentials.
  - Click OK, then restart the LIM service so that it runs under the new account.
- All hosts in the cluster must be able to resolve each management host's IP address to its FQDN. You can use the nslookup tool to check that the host name resolves both ways. If you choose to register a service principal name, use the FQDN of the host in the SPN, not its short name.
- Management hosts in the cluster must be able to resolve their trusted domain by its NETBIOS domain name. You might need to configure the DNS suffix search list on the host to achieve this. One way to check whether this works is to look up the trusted domain with the nslookup command in both forms:
  - With the NETBIOS domain name, use nslookup domain_name; for example:
    nslookup ad1
  - With the DNS domain name, use nslookup domain_name; for example:
    nslookup ad1.test.com
- If you add universal user groups, at least one active domain controller (DC) that hosts the Global Catalog must exist in the forest containing the group, so that it can serve retrieval requests for universal group membership.
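The checks in the list above can be scripted. The following PowerShell script is an added example and is not part of the IBM Spectrum Symphony documentation or product; it assumes that the Windows service is named LIM, that the cluster administrator OS user is AD1\symadmin, that the management hosts are mghost1 and mghost2 in ad1.example.com, and that the trusted domain has the NETBIOS name AD2 and DNS name ad2.example.com (all of these are assumptions, not values from the page). Run it in an elevated PowerShell session on each management host.

```powershell
# Added example, not from the IBM Spectrum Symphony documentation.
# Verifies the Kerberos environment prerequisites on a Windows host.
# Assumptions (not from the page): service name 'LIM', cluster administrator
# 'AD1\symadmin', management hosts mghost1/mghost2 in ad1.example.com,
# trusted domain AD2 = ad2.example.com.

$ClusterAdmin    = 'AD1\symadmin'
$ManagementHosts = @('mghost1.ad1.example.com', 'mghost2.ad1.example.com')
$TrustedDomains  = @{ 'AD2' = 'ad2.example.com' }   # NETBIOS name -> DNS name

$results = New-Object 'System.Collections.Generic.List[string]'
function Report([bool]$ok, [string]$what) {
    $tag = if ($ok) { 'PASS' } else { 'FAIL' }
    $results.Add("$tag $what")
}

# 1. The host must be joined to an AD domain.
$cs = Get-CimInstance Win32_ComputerSystem
Report $cs.PartOfDomain "host is domain-joined (domain: $($cs.Domain))"

# 2. The cluster administrator must be a domain user in the local Administrators group.
Report ($ClusterAdmin -match '^[^\\]+\\') "$ClusterAdmin is a DOMAIN\user account"
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
Report ($admins -contains $ClusterAdmin) "$ClusterAdmin is in local Administrators"

# 3. LIM must run as the cluster administrator OS user (the Log On tab setting).
$lim = Get-CimInstance Win32_Service -Filter "Name='LIM'"
if ($null -eq $lim) {
    Report $false 'LIM service exists'
} else {
    Report ($lim.StartName -ieq $ClusterAdmin) "LIM runs as '$($lim.StartName)'"
}
# Command-line equivalent of the services.msc steps (restart LIM afterwards):
#   sc.exe config LIM obj= "AD1\symadmin" password= "<password>"

# 4. Each management host's IP must resolve back to its FQDN (what nslookup checks).
foreach ($fqdn in $ManagementHosts) {
    try {
        $a   = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
        $ip  = $a[0].IPAddress
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
        $back = $ptr[0].NameHost.TrimEnd('.')
        Report ($back -ieq $fqdn) "$fqdn -> $ip -> $back"
    } catch {
        Report $false "$fqdn resolves forward and reverse ($($_.Exception.Message))"
    }
}

# 5. The trusted domain must resolve by its NETBIOS name as well as its DNS name.
#    The short name only resolves if the DNS suffix search list supplies the suffix.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
foreach ($nb in $TrustedDomains.Keys) {
    $dns = $TrustedDomains[$nb]
    Report ($suffixes -contains $dns) "DNS suffix search list contains $dns"
    foreach ($name in @($nb, $dns)) {
        try {
            $null = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
            Report $true "nslookup $name"
        } catch {
            Report $false "nslookup $name"
        }
    }
}

$results | ForEach-Object { Write-Output $_ }
if ($results -match '^FAIL') { exit 1 }
```

A FAIL on check 3 is the most common cause of Kerberos failures after a non-shared-directory installation: if LIM runs as LocalSystem or another account, the KDC still encrypts service tickets with the key of the account that holds the SPN, and the service cannot decrypt them.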
Service Principal Name requirements
With Kerberos authentication in IBM Spectrum Symphony, you can authenticate a service by its service principal name (SPN), as configured in the KRB_SERVICENAME parameter. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
Before the Kerberos authentication service can use an SPN to authenticate a service, you must register the SPN for the service on every management host under the service's user account in the domain that contains the management hosts. The service's user account must be the cluster administrator OS user (for example, ad1\Administrator, where ad1 specifies the user's domain). Register one SPN per management host, built from the KRB_SERVICENAME value and the host's FQDN; for example:
setspn -A symService/mghost1.ad1.example.com ad1\Administrator
Note that setspn -A adds the SPN without checking whether another account in the forest already holds it; a duplicate SPN causes Kerberos authentication to the service to fail. Prefer setspn -S, which refuses to add a duplicate, and check the result with setspn -L on the account. The account that holds the SPN must also be the account that the LIM service logs on as; otherwise the service cannot decrypt the tickets that the KDC issues for the SPN.
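The following PowerShell script is an added example and is not part of the IBM Spectrum Symphony documentation or product. It registers the SPN for every management host with a duplicate check, then verifies that the KDC will actually issue a service ticket for each SPN. It assumes that KRB_SERVICENAME is set to symService, that the cluster administrator OS user is ad1\symadmin, and that the management hosts are mghost1 and mghost2 in ad1.example.com (assumed names, not values from the page). Run it as a user that is permitted to write the servicePrincipalName attribute of that account, such as a domain administrator.

```powershell
# Added example, not from the IBM Spectrum Symphony documentation.
# Registers KRB_SERVICENAME SPNs for all management hosts and verifies them.
# Assumptions (not from the page): KRB_SERVICENAME 'symService', account
# 'ad1\symadmin', management hosts mghost1/mghost2 in ad1.example.com.

$ServiceName     = 'symService'
$ServiceAccount  = 'ad1\symadmin'
$ManagementHosts = @('mghost1.ad1.example.com', 'mghost2.ad1.example.com')

foreach ($fqdn in $ManagementHosts) {
    $spn = "$ServiceName/$fqdn"      # always the FQDN, never the short host name

    # setspn -S searches the forest for an existing copy of the SPN before
    # adding it; setspn -A does not. Two accounts holding the same SPN means
    # the KDC may encrypt the service ticket with the wrong account's key, so a
    # duplicate has to be found and removed, not silently added.
    $out = & setspn -S $spn $ServiceAccount 2>&1 | Out-String
    if ($out -match 'Duplicate') {
        Write-Warning "$spn is already registered on another account:"
        & setspn -Q $spn             # shows which directory object holds the SPN
        continue
    }
    Write-Output $out.Trim()
}

# Verify: list the SPNs now registered on the cluster administrator account ...
& setspn -L $ServiceAccount

# ... and ask the KDC for a service ticket for each SPN. A missing SPN shows up
# here as KDC_ERR_S_PRINCIPAL_UNKNOWN. A ticket is issued even if LIM runs as a
# different account; that mismatch only surfaces when the service tries to
# decrypt the ticket, which is why the LIM logon account must match.
foreach ($fqdn in $ManagementHosts) {
    & klist get "$ServiceName/$fqdn"
}
& klist | Select-String -Pattern $ServiceName
```

If the verification step returns a ticket but clients still fail to authenticate, compare the account shown by setspn -L with the Log On account of the LIM service on that host; they must be the same domain account.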