Pre-requisites
To allow participation of the CData Virtuality Server in Kerberos authentication, the following pre-requisites have to be met:
On the side of the CData Virtuality Server:
- The Server must be configured to run with a domain account.
  - This configuration is done in the services configuration in Windows;
  - Use serviceuser@realm (example: dvsvc01@KRBTEST.DV) notation in the services configuration interface. Windows will try to use a different notation if the account is picked via search. The notation needs to be changed manually to serviceuser@realm - otherwise, the account will not be found by Windows;
  - Avoid @ and % in the password for this account.
- This account needs full access to the CData Virtuality folder.
- The service name for CData Virtuality Server is DVServer.
  - Windows might show the name in all uppercase in the service details;
  - The real name can be verified in the registry key "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
On the side of Active Directory (or the Kerberos server your organization uses):
- The Service Principal Name (SPN) is mapped to the CData Virtuality Server service account;
  - The ktpass command (used to create a keytab file) will automatically map/create the SPN. Other tools that can create a keytab file may not automatically create/map the SPN;
- A keytab file has been created and is available:

    ktpass /princ DVServer/<dvserver host machine name - fqdn>@REALM /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser dvsvc01 /out <keytab file name>.keytab

    ktpass /princ DVServer/<dvserver host machine name>@REALM /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser <service account name> /in <keytab file name> /out <keytab file name>

Please note that in many organizations, only Active Directory administrators can do this.