KB439598: How to configure Kerberos Authentication for MicroStrategy Library using Tomcat on Windows and Linux


Community Admin • Strategy

This article describes how to configure Kerberos authentication for MicroStrategy Library.

Strategy Library fully supports Kerberos authentication using Tomcat on Windows and Linux. Before following this KB article, the following prerequisites must have been completed:

  1. Make sure that the Strategy Intelligence Server is configured correctly to use Integrated Authentication, as described in KB19110 (Intelligence Server on Linux) or KB19580 (Intelligence Server on Windows).
    Note: The Strategy Product Manuals - System Administration Guide Volume 1 (PDF), Chapter 3 IDENTIFYING USERS: AUTHENTICATION, Enabling single sign-on authentication, Enabling integrated authentication, contains all the information necessary to implement integrated authentication in the context of Strategy.
  2. Create a user principal (service account) for the Strategy Web Server service.

The following materials are assumed to be available:

  1. A keytab for that user principal, with the SPNs assigned to it. If AES 256 encryption is going to be used, follow KB440786: How to configure MicroStrategy Library for Integrated Authentication (Kerberos) using AES 256 encryption. AES 256 is the encryption type supported by the later JDK versions used; see KB485827: Kerberos Login Fails After Upgrading to MicroStrategy 2021 Update 8 (https://community.strategy.com/article/KB485827-Kerberos-Login-Fails-After-Upgrading-to-MicroStrategy-2021-Update-8?language=en_US).
  2. Administrative access to the web server machine.


Step 1 - Create the krb5.conf file.
The krb5.conf, or Kerberos configuration file, is a text file that controls the Kerberos client configuration used by Library. It can be created anywhere on the system, although for ease of maintenance all configuration files should be kept under the same folder.
A typical krb5.conf for this setup looks like the following (Windows-style paths are shown; on Linux, use the corresponding Linux paths):


[logging]
default = C:\path\to\krb5libs.log
kdc = C:\path\to\krb5kdc.log
admin_server = C:\path\to\kadmind.log

[libdefaults]
default_realm = DOMAIN.REALM.COM
default_keytab_name = C:\path\to\default_keytab_name.keytab
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac
forwardable  = true
no_addresses = true

[realms]
DOMAIN.REALM.COM = {
   kdc = domain.realm.com:88
   admin_server = domain.realm.com:749
}

[domain_realm]
.domain.realm.com = DOMAIN.REALM.COM
domain.realm.com = DOMAIN.REALM.COM



Explanations:
DOMAIN.REALM.COM: This is the Kerberos realm used for authentication, normally the Active Directory domain name, for example EXAMPLE.COM or REALM.EXAMPLE.COM.
Note: Realm names are case-sensitive. The realm must be written with the same capitalization everywhere it appears: in default_realm, in the [realms] and [domain_realm] sections, and in the principal stored in the keytab. Active Directory realms are conventionally uppercase, as in the syntax above.
kdc: This is the hostname or IP address (and port, 88 by default) of the Kerberos KDC, i.e. the Windows machine that hosts the Active Directory domain controller. It can be the same machine as the admin_server.
admin_server: This is the hostname or IP address of the Kerberos administration server, i.e. the Windows machine that hosts the Active Directory domain controller. It can be the same machine as the kdc.
default_keytab_name: This is the path of the keytab file.
default_tkt_enctypes / default_tgs_enctypes: These lists control which encryption types the client requests for ticket-granting tickets and service tickets. The template above still lists DES, 3DES and RC4 (arcfour-hmac, rc4-hmac) types, which are deprecated for Kerberos (RFC 6649, RFC 8429) and rejected by the later JDK versions (see KB485827 above). If the keytab was created with AES 256 as in KB440786, keep only the AES types, for example default_tkt_enctypes = aes256-cts aes128-cts, and use the same list for default_tgs_enctypes. The types listed here must include the type the keytab was created with, otherwise authentication fails.
Step 2 - Configure the configOverride.properties file.
The file configOverride.properties is the main configuration file for Library and is located in <Tomcat directory>/StrategyLibrary/WEB-INF/classes/config. Below is an example of a properties file configured for Kerberos:
 

identityToken.secretKey=EcLJI2o6q8c3HuRiE3PK
iserver.default.hostname=MSTRLinux.techsupp.Strategy.com
iserver.default.port=34952
services.collaboration.baseURL=http://MSTRLinux.techsupp.Strategy.com:3000
services.collaboration.enabled=true
auth.modes.available=128
auth.modes.default=128
auth.kerberos.config=C:\\path\\to\\files\\krb5.conf
auth.kerberos.keytab=C:\\path\\to\\files\\test.keytab
auth.kerberos.principal=kerberosuser
auth.kerberos.isInitiator=true
auth.kerberos.debug=true
iserver.tlsEnabled = false
iserver.maxPoolSize = 100
session.searchWorkingSet = 3
iserver.initialPoolSize = 10
session.workingSet = 10
iserver.requestTimeout = 120000

auth.kerberos.config - This is the path to the krb5.conf file. The file uses Java properties syntax, in which a single backslash is an escape character, so on Windows every \ in this path and in the keytab path must be written as \\ (an undoubled \ is silently dropped, and sequences such as \t are turned into control characters).
auth.kerberos.keytab - This is the path to the keytab file.
auth.kerberos.principal - This is the user principal name, that is, the user logon name / user principal name (UPN) of the account to which the SPNs are assigned (kerberosuser in the example). Note that some documentation says to put the Service Principal Name (SPN) here; Library expects the user principal.
auth.kerberos.isInitiator - This value must be set to true.
auth.kerberos.debug - This value should be set to true while following this tech note; it writes verbose Kerberos diagnostics to the Tomcat logs, so set it back to false once Kerberos authentication is operational.
identityToken.secretKey - The value shown is only an example. Use your own unique, randomly generated secret and do not copy the one printed here.
iserver.tlsEnabled - The example leaves TLS between Library and the Intelligence Server disabled (false); enable it in production once the Intelligence Server is configured for TLS.
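The two files configured in Steps 1 and 2 are easy to get subtly wrong, and neither Library nor the JDK complains loudly: a weak encryption type left in krb5.conf makes a later JDK reject the ticket request, and a single backslash in configOverride.properties is silently eaten by the Java properties loader. The script below is an added example, not part of this KB and not Strategy's code, that checks both files offline. Its inputs are constructed copies of the page's templates; the only assumption beyond what the page shows is that auth.modes.available and auth.modes.default are bit masks in which 128 is the Integrated bit, which is how the values on this page are used.

```python
"""Offline checks for the krb5.conf of Step 1 and the configOverride.properties
of Step 2. Added example, not part of this KB or of Strategy's code; the inputs
at the bottom are constructed to mirror the page's templates, so no KDC or
Library install is needed to run it."""
import re

# Deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4); later JDKs
# reject them, which is the failure KB485827 describes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a block 'X = { ... }' inside [realms]
    is returned as its own 'realms:X' section."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None or not line:
            continue
        elif line.endswith("{"):
            sub = line[:-1].partition("=")[0].strip()
            conf[f"{section}:{sub}"] = {}
        elif line == "}":
            sub = None
        elif "=" in line:
            key, _, val = line.partition("=")
            conf[f"{section}:{sub}" if sub else section][key.strip()] = val.strip()
    return conf

def weak_enctypes(conf):
    """Map each *_enctypes key in [libdefaults] to the weak types it lists."""
    found = {}
    for key, val in conf.get("libdefaults", {}).items():
        if key.endswith("_enctypes"):
            bad = [t for t in val.split() if t.lower() in WEAK_ENCTYPES]
            if bad:
                found[key] = bad
    return found

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def unescape_property(value):
    # java.util.Properties rules: '\\' -> '\', \uXXXX -> that character, \n \t
    # \r \f -> control characters, and a backslash before any other character
    # is dropped. So an undoubled 'C:\path\to' loads as 'C:path<TAB>o'.
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith("u") else _ESCAPES.get(esc, esc)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", repl, value)

def parse_properties(text):
    """Parse the 'key=value' lines used by configOverride.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = unescape_property(val.strip())
    return props

def check_library_properties(props):
    """Return the problems to fix before switching Library to Integrated mode."""
    problems = []
    for key in ("auth.kerberos.config", "auth.kerberos.keytab"):
        # A Windows path that decoded to 'C:p...' has lost its backslashes.
        if re.match(r"^[A-Za-z]:[^\\/]", props.get(key, "")):
            problems.append(f"{key} lost its backslashes (double them in the file)")
    # Assumption: auth.modes.* are bit masks and 128 is the Integrated (Kerberos)
    # bit, which is how the page's values available=128 / default=128 are used.
    for key in ("auth.modes.available", "auth.modes.default"):
        if not int(props.get(key, "0")) & 128:
            problems.append(f"{key} does not include 128 (Integrated)")
    if props.get("auth.kerberos.isInitiator", "").lower() != "true":
        problems.append("auth.kerberos.isInitiator must be true")
    return problems

# Constructed sample: the page's enctype list, weak types still present.
KRB5_WEAK = """[libdefaults]
default_realm = DOMAIN.REALM.COM
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac
"""
# Constructed sample: AES only, matching a keytab created with AES 256 (KB440786).
KRB5_HARDENED = """[libdefaults]
default_realm = DOMAIN.REALM.COM
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts

[realms]
DOMAIN.REALM.COM = {
   kdc = domain.realm.com:88
}
"""
# Constructed samples: backslashes doubled and mode 128 set, versus the common
# mistake of single backslashes and Standard mode (1) only.
PROPS_GOOD = r"""auth.modes.available=128
auth.modes.default=128
auth.kerberos.config=C:\\path\\to\\files\\krb5.conf
auth.kerberos.keytab=C:\\path\\to\\files\\test.keytab
auth.kerberos.isInitiator=true
"""
PROPS_BAD = r"""auth.modes.available=1
auth.modes.default=1
auth.kerberos.config=C:\path\to\files\krb5.conf
auth.kerberos.keytab=C:\path\to\files\test.keytab
auth.kerberos.isInitiator=false
"""
```

To check a real installation, read the two files with open(...).read() and pass the text to parse_krb5_conf and parse_properties; a non-empty result from weak_enctypes or check_library_properties is something to fix before moving on to Step 3. On the constructed samples, KRB5_WEAK reports the six DES/3DES/RC4 entries, KRB5_HARDENED reports nothing, and PROPS_BAD shows the decoded config path as C:path followed by a tab character, which is exactly what Library would try to open.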
Step 3 - Set the Library Authentication Mode to Integrated.
In the Library Admin page, Kerberos authentication is referred to as Integrated authentication. 

(Screenshot of the Library Admin page authentication settings.)

 



Details
Knowledge Article
Published: February 12, 2018
Last Updated: February 26, 2024