Initializing Kerberos authentication
Follow these steps to initialize Kerberos Authentication for your product.
Embedded Kerberos Authentication uses session tickets in the authentication process.
The session tickets are time stamped by both the Kerberos Domain Controller (KDC) and the
product. It is essential that the stamped times are within five minutes of each other. This can be
accomplished by setting identical time on both the KDC and product.
Open the HP EWS in a web browser.
Select the Settings tab, and then Kerberos Authentication.
Under the Accessing the Kerberos Authentication Server section, perform the following steps:
Type the domain name in the Kerberos Default Realm (Domain) field. The domain name is
case-sensitive and must use only uppercase letters, for example: TECHNICAL.MARKETING.
Type the product IP address in the Enter the Kerberos Server Hostname field, for
example: 22.214.171.124 (IP address)
The Kerberos Server Port field fills automatically as 88.
Under the Accessing the LDAP Server section, perform the following steps:
Select Kerberos from the LDAP Server Bind Method drop-down menu.
Click to select the Credential method you want to use.
If choosing Use Public Credentials, type in a username and password.
Remember how you set up the username on the LDP screen. The username
is defined within the device user DN value in the LDP trace and is not in standard
Windows domain account format. The format is often your entire e-mail address,
including the @xx.xx.
Chapter 4 Setting the digital sending options
Type the LDAP server in the LDAP Server field.
Type 389 in the Port field.
Under the Searching the LDAP Database section, perform the following steps:
Paste the Search Prefix into the Search Root field.
Type in the sAMAccountName into the Match the name entered with the LDAP attribute
Find the device user e-mail address in the LDP trace. Copy the attribute defining the e-mail
address, and paste it into the Retrieve the device user’s e-mail address using attribute
Some Kerberos environments require very specific attributes. For example, the attribute used
here is userPrincipalName instead of mail.
Find the device user name using the attribute of in the LDP trace. Copy the attribute defining
the name, and paste it into the and name using the attribute of field.
The Kerberos environment requires cn instead of displayName.
When you have finished these steps, continue with the steps in the next section,
Authentication Manager for Kerberos Authentication