Pre-requisites
To allow participation of the Data Virtuality Server in Kerberos authentication, the following pre-requisites have to be met:
- On the side of the Data Virtuality Server:
  - The Server must be configured to run with a domain account.
    - This configuration is done in the services configuration in Windows.
    - Use serviceuser@realm (example: dvsvc01@KRBTEST.DV) notation in the services configuration interface. Windows will try to use a different notation if the account is picked via search. The notation needs to be changed manually to serviceuser@realm; otherwise, the account will not be found by Windows.
    - Avoid @ and % in the password for this account.
    - This account needs full access to the Data Virtuality folder.
  - The service name for Data Virtuality Server is DVServer.
    - Windows might show the name in all uppercase in the service details.
    - The real name can be verified under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
- On the side of Active Directory (or the Kerberos server your organization uses):
  - The Service Principal Name (SPN) is mapped to the Data Virtuality Server service account.
    - The ktpass command (used to create a keytab file) will automatically map/create the SPN. Other tools that can create a keytab file may not automatically create/map the SPN.
  - A keytab file has been created and is available:

```text
ktpass /princ DVServer/<dvserver host machine name - fqdn>@REALM /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser dvsvc01 /out <keytab file name>.keytab

ktpass /princ DVServer/<dvserver host machine name>@REALM /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser <service account name> /in <keytab file name> /out <keytab file name>
```
Please note that in many organizations, only Active Directory administrators can do this.
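The following PowerShell script is an added example for checking the pre-requisites above on the Data Virtuality host; it is not part of the Data Virtuality documentation or product. It assumes the service is named DVServer, that the service account is dvsvc01@KRBTEST.DV (the page's example), and that the host's FQDN can be resolved locally; adjust the parameters for your environment. It verifies the real service name via the registry key named above, the logon account notation, the two SPN forms used in the ktpass commands, and the absence of duplicate SPNs (a common cause of silent Kerberos failures).

```powershell
# Added example, not from the Data Virtuality documentation.
# Assumed values: service DVServer, account dvsvc01@KRBTEST.DV, host FQDN resolved from this machine.
param(
    [string]$ServiceName    = 'DVServer',
    [string]$ServiceAccount = 'dvsvc01@KRBTEST.DV',
    [string]$HostFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ok = $true

# 1. Real service name: consult the registry key, not the (possibly upper-cased) display name.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) { Write-Host "[OK]   registry key $svcKey exists" }
else { Write-Warning "[FAIL] no registry key $svcKey - verify the real service name"; $ok = $false }

# 2. Logon account must be the domain account in serviceuser@realm notation.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { Write-Warning "[FAIL] service $ServiceName not found"; $ok = $false }
elseif ($svc.StartName -ieq $ServiceAccount) { Write-Host "[OK]   $ServiceName runs as $($svc.StartName)" }
else { Write-Warning "[FAIL] $ServiceName runs as '$($svc.StartName)', expected '$ServiceAccount'"; $ok = $false }

# 3. Both SPN forms (FQDN and short host name) must be registered on the service account.
$samAccount = $ServiceAccount.Split('@')[0]
$shortHost  = $HostFqdn.Split('.')[0]
$spnList    = (& setspn.exe -L $samAccount) 2>&1
foreach ($spn in @("$ServiceName/$HostFqdn", "$ServiceName/$shortHost")) {
    if ($spnList -match [regex]::Escape($spn)) { Write-Host "[OK]   SPN $spn registered on $samAccount" }
    else { Write-Warning "[FAIL] SPN $spn missing on $samAccount (create it with ktpass or setspn -S)"; $ok = $false }
}

# 4. A duplicate SPN on another account makes ticket requests fail; setspn -X reports duplicates forest-wide.
$dupReport = (& setspn.exe -X) 2>&1
if ($dupReport -match [regex]::Escape("$ServiceName/$HostFqdn")) {
    Write-Warning "[FAIL] SPN $ServiceName/$HostFqdn is registered on more than one account"; $ok = $false
}

# 5. Password rule from the pre-requisites: no '@' or '%' in the service account password.
function Test-ServicePasswordChars([string]$Password) {
    return -not ($Password.Contains('@') -or $Password.Contains('%'))
}

if ($ok) { Write-Host 'All Kerberos pre-requisites on this host look consistent.' } else { exit 1 }
```

Run it in an elevated PowerShell session on the Data Virtuality host with the Remote Server Administration Tools installed (setspn.exe ships with them). Step 2 compares against the serviceuser@realm form deliberately, because the page notes that Windows substitutes a different notation when the account is picked via search; if the check reports a DOMAIN\user form, the notation should be corrected in the services configuration.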