PeopleSoft Kerberos Authentication (Desktop Single Signon) – Web and App Server Config

Overview

In this post I will describe how to configure the PeopleSoft web and application server for Kerberos authentication. I covered the configuration of the domain account, SPN and keyfile here.

Create krb5.conf and krb5Login.conf Files

Create a krb5.conf file and place it in the E:\kerberos folder on the web and application server. The file should be identical. (you can choose a different folder, just update the following instructions with our folder)

krb5.conf

[libdefaults]
default_realm = SMARTPEOPLESOFTADMIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
SMARTPEOPLESOFTADMIN.COM = {
    kdc = DC1.SMARTPEOPLESOFTADMIN.COM
    default_domain = SMARTPEOPLESOFTADMIN.COM
}

Update the default_realm, [realms], kdc and default_domain as necessary. Additional configuration details are on MIT’s website.

krblogin.conf

Create a krblogin.conf file and place it in the E:\kerberos folder on the web and application server. It must use the webserver SPN on both servers.

krbServer {
 com.sun.security.auth.module.Krb5LoginModule required
 storeKey=true
 useKeyTab=true
 keyTab="E:/kerberos/krb5.keytab"
 isInitiator=false
 principal="HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com";
 };

Notice that he principal is the SPN that was configured when the keyfile was created.

Copy krb5.conf

Create a copy of E:\kerberos\krb5.conf, rename it to krb5.ini and place it in C:\Windows

Verify Keyfile

Copy the keyfile to E:\kerberos and rename it to krb5.keytab.
Verify that a valid key exists in the key file:
Open a DOS prompt and type:

kinit -k -t E:\kerberos\krb5.keytab HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com@SMARTPEOPLESOFTADMIN.COM

The result should look like this:
New ticket is stored in cache file C:\Users\psoft_krbs\krb5cc_psoft_krbs

Clear the ticket:

klist purge

Modify setEnv.cmd

Edit the setEnv.cmd file in E:\<PS_APP_HOME>\webserv\<env>\bin
Locate the SET JAVA_OPTIONS_WIN line, and add:

-Djava.security.auth.login.config=E:\kerberos\krbLogin.conf -Djava.security.krb5.conf=E:\kerberos\krb5.conf -Djava.security.krb5.debug=true

The debug line is optional, but useful during troubleshooting.

Modify web.xml

Edit the web.xml file in E:\<PS_APP_HOME\webserv\<env>\applications\peoplesoft\PORTAL.war\WEB-INF
After the first occurrence of
<display-name>Portal</display-name>
Add the following: (Notice that validateToken is false as we rely on the App server to authenticate)

<filter>
    <filter-name>KerberosSSO</filter-name>
    <filter-class>com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter</filter-class>
<init-param>
     <param-name>checkSecureConnection</param-name>
     <param-value>true</param-value>
</init-param>
<init-param>
     <param-name>validateToken</param-name>
     <param-value>false</param-value>
</init-param>
<init-param>
      <param-name>verbose</param-name>
      <param-value>false</param-value>
</init-param> 
</filter>
<filter-mapping>
      <filter-name>KerberosSSO</filter-name>
      <url-pattern>*</url-pattern>
</filter-mapping>

Modify psappsrv.cfg

On the application server, edit the psappsrv.cfg file in E:\<PS_APP_HOME\appserv\<env>
Locate the line that starts with JavaVM Options= in the [PSTOOLS] section, in newer versions of PeopleTools this configuration line exists multiple times, so change the correct one.
Also, make sure this line is not commented out.

Add:

-Djava.security.auth.login.config=E:\kerberos\krbLogin.conf -Djava.security.krb5.conf=E:\kerberos\krb5.conf -Djava.security.krb5.debug=true

The debug line is optional, but useful during troubleshooting.
Make sure to use the same Kerberos configuration files and key file as on the web server.

Copy Class Files

Copy all files from E:\<PS_APP_HOME>\webserv\<env>\applications\peoplesoft\PORTAL.war\WEB-INF\classes\com\peoplesoft\pt\desktopsso\kerberos

To (Create this folder)
E:\<PS_APP_HOME>\class\com\peoplesoft\pt\desktopsso\kerberos
And to:
E:\<PS_HOME>\class\com\peoplesoft\pt\desktopsso\kerberos

Recreate the PIA Service

Stop the PIA service, then run the uninstallNTServicePIA.cmd (as Administrator) in E:\<PS_APP_HOME>\webserv\<env>\bin
Next, run installNTservicePIA.cmd (as Administrator)
Edit the service to use a domain account. If the PeopleSoft services normally run under a domain account continue to use that account, if PeopleSoft used to run under Local System, use the domain account created earlier (ps_kerberos).

pia-service1

In the next post I will cover the PeopleCode and security configuration required.

3 thoughts on “PeopleSoft Kerberos Authentication (Desktop Single Signon) – Web and App Server Config

    1. Hi Kiran,

      I’m not sure you can use the exact same steps for Linux O/S. However, you can look at my first post , where there are some links to other implementations that use Linux/UNIX. They may help.

      Jens

Leave a Reply to Jens Nielsen Cancel reply

Your email address will not be published. Required fields are marked *