In this post we will finally get into the configuration of Kerberos SSO for PeopleSoft. The reference environment is running on Windows 2012 R2, using a SQL Server database. The assumption is that the usernames in PeopleSoft are the same as the Windows usernames. This is typically done using LDAP authentication, and is documented in PeopleBooks. This series of blog posts will not cover LDAP configuration. However, it is not really necessary to use LDAP authentication for Kerberos to work. All that is required is that the User IDs in PeopleSoft are the same as the usernames in Active Directory.
I will configure the Interaction Hub environment on srv-ihmt-dev, and the domain is smartpeoplesoftadmin.com.
Create a domain account to be associated with the Service Principal Name (SPN) for the web server. One separate account per web server is required, as there is a one-to-one relationship between service account and SPN. However, the PeopleSoft web/app service does not need to run under this account.
On the domain controller create a new account:
Set the password to never expire.
A Kerberos keyfile is required for each web server for which SSO is configured. Do not create a keyfile for the application server if the web server and application server are on different machines. Run the following on the domain controller in an Administrator Console window (all on one line):
ktpass -princ HTTP/<server-A-record>.smartpeoplesoftadmin.com@SMARTPEOPLESOFTADMIN.COM -mapuser <domain-account>@SMARTPEOPLESOFTADMIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krb5.keytab
The -pass * option will prompt for the password. Use the same password as used for the domain account.
E.g.: (srv-ihmt-dev with the ps_kerberos account)
ktpass -princ HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com@SMARTPEOPLESOFTADMIN.COM -mapuser ps_kerberos@SMARTPEOPLESOFTADMIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krb5_srv-ihmt-dev.keytab
Copy the krb5.keytab to the E:\kerberos folder on the PeopleSoft web server. (I’m using the E: drive as an example to make the rest of the configuration easier to understand.)
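Before copying the keytab, it is worth confirming that it holds the SPN and encryption type that were requested from ktpass. The following Python sketch is an added example, not part of the original post: it parses the keytab layout (file format version 0x0502, assumed here to be what ktpass wrote) and reports a mismatch. The function names are hypothetical, and the sample keytab is constructed with a dummy all-zero key.

```python
import struct
# Kerberos encryption type numbers for the common ktpass -crypto choices
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, p):
    """Read a uint16-length-prefixed string; return (text, next_offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        # fields: name type, timestamp, 8-bit kvno, enctype, key length
        _, _, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if end - p >= 4:                   # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return entries

def check_keytab(data, principal, enctype):
    """Return a list of problems; an empty list means the keytab matches."""
    found = {e for p, _, e in parse_keytab(data) if p == principal}
    if not found:
        return ["no entry for " + principal]
    return [] if enctype in found else ["enctypes present: " + ", ".join(sorted(found))]

def sample_keytab(principal, realm, etype, key, kvno=3):
    """Build a one-entry keytab for the demo (constructed data, dummy key)."""
    comps = principal.split("/")
    names = b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body = struct.pack(">H", len(comps)) + names
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

For a real file, pass the bytes of the keytab written by ktpass to check_keytab instead of the constructed sample.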
Edit Domain Account
Reopen the domain account, and click the Account tab. The User logon name should now show the SPN:
Click the Delegation tab and set "Trust this user for delegation to any service (Kerberos only)".
Open a command prompt and verify that the correct SPN exists:
C:\>setspn -l ps_kerberos
Registered ServicePrincipalNames for CN=ps_kerberos,OU=Peoplesoft Accounts,OU=Application Acconts,DC=smartpeoplesoft,DC=com:
        HTTP/srv-ihmt-dev.smartpeoplesoft.com
In the next post I will cover how to configure PeopleSoft web and app server.
2 thoughts on “PeopleSoft Kerberos Authentication (Desktop Single Signon) – Domain Account, SPN and Keyfile”
This is a great article covering from beginning to end. We have implemented Kerberos in our PoC and found that when AES 256 crypto is set, the authentication doesn’t work at all. The same configuration works great with RC4, wondering if you have come across a scenario experiencing a similar issue?
I would like to hear your experience.
Thanks for your feedback. I have not tried a different crypto setting. But we’re upgrading to PT 8.55 so maybe I’ll try that when I configure the new environment and report back here.