This guide will help you configure the Windows Active Directory elements needed for Kerberos Constrained Delegation authentication.
Create a Kerberos Service Account
Log in to your KDC server as an administrator.
From the Windows Start menu, select All Programs, then Administrative Tools > Active Directory Users and Computers.
In the newly opened console, expand the domain (Kerberos refers to a domain as a realm).
Right-click Users and select New > User.
Enter a Name and a User Logon Name for the Kerberos service account. The name must start with HTTP/. Use standard alphanumeric characters with no whitespace for the User Logon Name, as it is entered in a command prompt later in the guide. If HTTP/ automatically appears next to the User logon name (pre-Windows 2000) field, delete it from that field.
Ensure that the correct domain name is selected in the field next to the User Logon Name field. If the correct domain is not selected, choose the correct domain name from the drop-down list next to the User Logon Name field.
Click Next.
Password: Enter a password.
Password options: Ensure that User must change password at next logon is not selected. Typically, in an enterprise deployment, the User cannot change password and Password never expires options should be selected for a service account.
Click Next.
Click Finish.
Create a keytab for the Kerberos Service Account
When you create the keytab with ktpass, the Sentry service account is also mapped to the servicePrincipalName (SPN) given in the /princ argument.
On the KDC server, open a command prompt window.
At the prompt, type the following command: ktpass /out nameofsentry.keytab /mapuser nameofuser@domain /princ HTTP/nameofuser@domain /pass password
For example: ktpass /out timsentry.keytab /mapuser timsentry@glilabs2008.com /princ HTTP/timsentry@glilabs2008.com /pass 123456
The warning that ktpass displays at this point can be ignored.
Delegate HTTP service to the Acronis Access server
From the Windows Start menu, select All Programs and open Administrative Tools > Active Directory Users and Computers.
In the newly opened console, expand the realm (domain).
Click on Users.
Find and select the Kerberos user account that you created in "Create a Kerberos Service Account".
Right-click on the account and select Properties.
Click on the Delegation tab.
Select Trust This User For Delegation To Specified Services Only.
Select Use Any Authentication Protocol.
Press Add….
Press Users or Computers….
Enter the computer name of the Acronis Access Gateway Server.
Click on Check Names.
The correct computer name should appear in the object name box.
Click OK.
Find and select the "http" service in the Add Services window.
Click OK.
Note: For a large deployment with multiple Gateway Servers, you should repeat steps 6 through 10 for each Gateway Server. However, for the initial setup, it is best to begin with a single Gateway Server hosting some local test folders. Once you have confirmed access to those, you can expand to additional Gateway Servers and non-local folders.
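To confirm that the keytab and delegation steps above produced the intended account state, the following PowerShell check is added here as an example; it is not part of the original guide or of Acronis Access. It assumes the ActiveDirectory module (RSAT) is installed, uses the guide's example account name timsentry, and treats the Gateway Server name GATEWAY01 as a placeholder.

```powershell
# Added verification script (example, not from the original guide). Assumes the
# ActiveDirectory module (RSAT) is installed; 'timsentry' is the guide's example
# account and 'GATEWAY01' is a placeholder for your Gateway Server name.
Import-Module ActiveDirectory

function Test-KcdServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Computer names you added on the Delegation tab (NetBIOS or DNS form)
        [Parameter(Mandatory)][string[]]$GatewayHosts
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation,
        PasswordNeverExpires, CannotChangePassword
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    $checks  = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # ktpass /mapuser should have registered the HTTP/ SPN on the account
    $httpSpns = @($u.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
    Add-Check 'HTTP/ SPN registered' ($httpSpns.Count -gt 0) ($httpSpns -join '; ')

    # "Trust this user for delegation to specified services only" = constrained:
    # a target list exists and the unconstrained-delegation flag is clear
    Add-Check 'Constrained, not unconstrained' `
        ($allowed.Count -gt 0 -and -not $u.TrustedForDelegation) "$($allowed.Count) target(s)"

    # "Use any authentication protocol" = protocol transition; the account can then
    # obtain tickets for any user to the listed services, so the list must stay tight
    Add-Check 'Protocol transition enabled' ([bool]$u.TrustedToAuthForDelegation) `
        'Expected by this guide; keep the target list limited to Gateway Servers'

    # Every Gateway Server should appear as an http/ target, and nothing else should
    foreach ($h in $GatewayHosts) {
        $hit = @($allowed | Where-Object { $_ -match "^http/$([regex]::Escape($h))(\.|$)" })
        Add-Check "http/ target for $h" ($hit.Count -gt 0) ($hit -join '; ')
    }
    $extra = @($allowed | Where-Object { $t = $_; -not ($GatewayHosts |
        Where-Object { $t -match "^http/$([regex]::Escape($_))(\.|$)" }) })
    Add-Check 'No unexpected delegation targets' ($extra.Count -eq 0) ($extra -join '; ')

    # Password settings the guide recommends for a service account
    Add-Check 'Password never expires / cannot change' `
        ($u.PasswordNeverExpires -and $u.CannotChangePassword) ''
    return $checks
}

Test-KcdServiceAccount -SamAccountName 'timsentry' -GatewayHosts 'GATEWAY01' |
    Format-Table -AutoSize
```

A failed "No unexpected delegation targets" row means the account can impersonate users to services beyond the Gateway Servers, which is the main thing to watch when "Use Any Authentication Protocol" is enabled.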