The CommuniGate Pro Server supports the Kerberos authentication method. The Kerberos method is based on the "tickets" that client applications send to the server. These tickets are issued by Kerberos authorities (Key Distribution Centers, KDC) that share a common "key" with the Server. See the Kerberos documentation for the details.
To support Kerberos Authentication, you need to add Kerberos Server key(s) to the CommuniGate Pro Server on a per-domain basis. Create a server "principal" in your KDC database. The principal name should be equal to the name of the CommuniGate Pro Domain or one of its Domain Aliases. Export the created key as a keytab file.
Open the Domain Settings using the CommuniGate Pro WebAdmin Interface, and follow the Security and Kerberos links. The list of Domain Kerberos Keys will be displayed:
Each Domain can have several Kerberos Keys. To add Keys, click the browser file-select button and select the keytab file exported from KDC. Click the Import Keys button to add keys from the file to the set of the Domain Kerberos Keys.
To remove Keys, mark the Keys using checkboxes and click the Delete Marked button.
Domain Administrators can Add or Remove Kerberos Keys only if they have the KerberosKeys Access Right.
When the Server receives a Kerberos Ticket, it extracts the Server Name ("sname") from the Ticket. If the Server Name has only 1 component (domain.dom), this component is used as the target Domain name (ticket-domain-name). If the Server Name has 2 or more components (service/domain.dom), then the second component is used. The Server then builds a fictitious E-mail address LoginPage@ticket-domain-name and tries to route this address. This is the same routing mechanism as the one used for finding the target Domain for HTTP requests.
If the target Domain is found, the Server looks for the proper key in the list of the Kerberos Keys for that Domain. If the Key is found, and the Ticket and Authorization info can be decrypted with that Key, the user is authenticated. The name of the Account is taken from the Client Name specified in the Ticket. That name must be a "simple" name, i.e. it cannot contain % symbols.
CommuniGate Pro adds the name of the target Domain to the retrieved user name and uses the resulting E-mail address as the name of the Account to open.
Note: after the resulting user name is processed with the Router, the Server checks that the target Account belongs to the same Domain as the Domain the Kerberos Key was retrieved from, so Administrators of one Domain cannot create Kerberos tickets allowing users to access Accounts in other CommuniGate Pro Domains.
Only Accounts with the Kerberos Authentication method enabled can be accessed using Kerberos tickets.
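The ticket-to-Account mapping described above, as an added model (example code, not CommuniGate Pro's own): the sname parsing, the fictitious LoginPage@ address, the per-Domain Key lookup, the "simple name" rule and the same-Domain check. The Domains, aliases, Router rules and Keys are constructed sample data, and decrypting the Ticket with a Domain Key is stood in for by a key-identifier match.

```python
from __future__ import annotations

# Constructed sample data (assumptions for this example, not real configuration).
DOMAINS = {"example.com", "other.example"}
DOMAIN_ALIASES = {"mail.example.com": "example.com"}
ROUTER_RULES = {"bob@example.com": "bob@other.example"}   # a rewrite that crosses Domains
DOMAIN_KEYS = {"example.com": {"key-ex-1"}, "other.example": {"key-ot-1"}}
KERBEROS_ENABLED = {"alice@example.com": True, "bob@other.example": True,
                    "carol@example.com": False}


def ticket_domain_name(sname: str) -> str:
    """One component: use it; two or more (service/host...): use the second."""
    parts = sname.split("/")
    return parts[0] if len(parts) == 1 else parts[1]


def route(address: str) -> str | None:
    """Simplified Router: apply rewrite rules, then resolve Domain Aliases."""
    address = ROUTER_RULES.get(address, address)
    local, _, domain = address.rpartition("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    return f"{local}@{domain}" if domain in DOMAINS else None


def authenticate(sname: str, key_id: str, cname: str) -> str | None:
    """Return the Account name to open, or None when the Ticket is rejected."""
    target = route(f"LoginPage@{ticket_domain_name(sname)}")
    if target is None:
        return None                      # no target Domain for this sname
    key_domain = target.rpartition("@")[2]
    if key_id not in DOMAIN_KEYS.get(key_domain, ()):
        return None                      # no usable Key in that Domain's Key set
    if "%" in cname:
        return None                      # Client Name must be a "simple" name
    account = route(f"{cname}@{key_domain}")
    if account is None or account.rpartition("@")[2] != key_domain:
        return None                      # Router moved the name to another Domain
    if not KERBEROS_ENABLED.get(account, False):
        return None                      # Kerberos method not enabled for Account
    return account
```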
You may want to use Microsoft Active Directory as your Kerberos Key Distribution Center (KDC). Follow these steps: