PeopleSoft Kerberos Authentication (Desktop Single Signon) – Domain Account, SPN and Keyfile

Overview

In this post we will finally get into the configuration of Kerberos SSO for PeopleSoft. The reference environment is running on Windows 2012 R2, using a SQL Server database. The assumption is that the usernames in PeopleSoft are the same as the Windows usernames. This is typically done using LDAP authentication, and is documented in PeopleBooks. This series of blog posts will not cover LDAP configuration. However, it is not really necessary to use LDAP authentication for Kerberos to work. All that is required is that the User IDs in PeopleSoft are the same as the Active Directory.

I will configure the Interaction Hub environment on srv-ihmt-dev, and the domain is smartpeoplesoftadmin.com.

Domain Account

Create a domain account to be associated with the Service Principal Name (SPN) for the web server. One separate account per web server is required, as there is a one-to-one relationship with service account and SPN. However, the PeopleSoft web/app service does not need to run under this account.

On the domain controller create a new account:
Set the password to never expire.

ps_kerberos1

Create Keyfile

A Kerberos keyfile is required for each web server for which SSO is configured. Do not create a keyfile for the application server if the web server and application server is on different machines. Run the following on the domain controller in an Administrator Console window (all on one line):

ktpass -princ HTTP/<server-A-record>.smartpeoplesoftadmin.com@SMARTPEOPLESOFTADMIN.COM 
-mapuser <domain-account>@SMARTPEOPLESOFTADMIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL 
-pass * -out c:\krb5.keytab

The –pass * will prompt for the password. Use the same password as used for the domain account.

E.g.: (srv-ihmt-dev with the ps_kerberos account)

ktpass -princ HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com@SMARTPEOPLESOFTADMIN.COM
-mapuser ps_kerberos@SMARTPEOPLESOFTADMIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL 
-pass * -out c:\krb5_srv-ihmt-dev.keytab

Copy the krb5.keytab to the PeopleSoft webserver E:\kerberos folder. (I’m using the E: drive as an example to make the rest of the configuration easier to understand)

Edit Domain Account

Reopen the domain account, and click the Account tab. The User logon name should now show the SPN:

ps_kerberos_2

Click the Delegation tab and set Trust this user for delegation to any service (Kerberos only)

ps_kerberos3

Open a command prompt and verify that the correct SPN exists:

C:\>setspn -l ps_kerberos
Registered ServicePrincipalNames for CN=ps_kerberos,OU=Peoplesoft Accounts,OU=Application Acconts,DC=smartpeoplesoft,DC=com:
        HTTP/srv-ihmt-dev.smartpeoplesoft.com

In the next post I will cover how to configure PeopleSoft web and app server.

2 thoughts on “PeopleSoft Kerberos Authentication (Desktop Single Signon) – Domain Account, SPN and Keyfile

  1. Hi,

    This is a great article covering from begin to end. We have implemented Kerberos in our PoC and found that when AES 256 crypto is set, the authentication doesn’t work at all. The same configuration works great with RC4, wondering if you have came across a scenario experiencing similar issue?

    I would like to hear your experience.

    Thanks
    Raj

    Reply

    1. Hi Ray,
      Thanks for your feedback. I have not tried a different crypto setting. But we’re upgrading to PT 8.55 so maybe I’ll try that when I configure the new environment and report back here.

      Jens

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *