Configure Kerberos authentication on the CMS Application Server (Windows only)

If the CMS Application Server connects to a TEXTML Server that uses Kerberos authentication, you must configure Kerberos authentication on the CMS Application Server.

This section describes the procedure for configuring Kerberos authentication on the CMS Application Server.

Note: This procedure applies to Windows only.
  1. Create the krb5.ini Kerberos configuration file.
    This file specifies the Kerberos configuration used for authentication. Configure it as follows:
    • realm: Kerberos realm name. This is the Fully Qualified Domain Name (FQDN) of your Windows domain.
    • kdc: Kerberos Key Distribution Center (KDC) host name and port (Windows domain controller).
    For example:
    [domain_realm]
      .acme.local = ACME.LOCAL
      acme.local = ACME.LOCAL
      acme = ACME.LOCAL
    [libdefaults]
      dns_lookup_kdc = true
      dns_lookup_realm = true
    [logging]
    [realms]
    ACME.LOCAL = {
      kdc = dc1.acme.local
      kdc = dc2.acme.local
      admin_server = dc1.acme.local
    }
  2. Save the file in the %GlassFishDir%/domains/cmsappserver/config directory.
  3. Open the %GlassFishDir%/domains/cmsappserver/config/login.conf file with a text editor.
  4. Add the following lines at the end of the file:
    TextmlClientLogin
    {
          com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false;
    };
  5. Save and close the file.
    By default, the cmsappserver service is running as the Local System user. When you enable Kerberos, you must run the CMS Application Server as another user.
  6. Run the CMS Application Server as another user:
    1. Click the Start button and select Control Panel > Administrative Tools.
    2. Double-click Services.
    3. Right-click the cmsappserver GlassFish Server service in the list and select Properties.
    4. In the Log On tab, select This account and click Browse.
      The Select User window appears.
    5. Enter the name of the user that will run the CMS Application Server in the Enter the object names to select box and click Check Names.
      Note: IXIASOFT recommends that you use the service account dedicated to the DITA CMS components (for example, CMSServiceUser).
      The username is underlined.
    6. Click OK.
    7. Enter the password for this user in the Password and Confirm password fields.
    8. Click OK.
      If the following message is displayed:
      The account <account_name> has been granted the Log On As A Service right.
      Click OK. The following message is then displayed:
      The new logon name will not take effect until you stop and restart the service.
    9. Click OK.
  7. Give the service user (for example, CMSServiceUser) permissions to the GlassFish directory:
    1. Right-click the C:\glassfish3 directory and select Properties.
    2. Select the Security tab.
    3. Select the user under which the cmsappserver service is running.
      If the user under which the CMS Application Server runs is not listed in the Group or user names box:
      1. Click Edit and then click Add.
      2. In the Enter the object names to select box, type the username and click Check Names.
      3. Click OK.
      4. Select the username.
    4. Click Edit and set up full permissions for the username:
      Figure 1. Giving permissions to the CMS Application Server

    5. Click OK to apply the changes.
    6. Click OK to close the dialog.
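The following PowerShell script is an added example and is not part of the IXIASOFT documentation: it checks the results of steps 1 to 5 and then automates steps 6 and 7 on the same machine. It assumes the service is registered as cmsappserver, the service account is ACME\CMSServiceUser and GlassFish is installed in C:\glassfish3; adjust these to your environment.

```powershell
# Added example, not from the IXIASOFT documentation. Assumed values: the Windows
# service name, the dedicated DITA CMS service account and the GlassFish directory.
$ServiceName  = 'cmsappserver'                 # assumed service name (see Services)
$ServiceUser  = 'ACME\CMSServiceUser'          # assumed dedicated service account
$GlassFishDir = 'C:\glassfish3'                # %GlassFishDir% in the procedure
$ConfigDir    = Join-Path $GlassFishDir 'domains\cmsappserver\config'

# Steps 1 to 5: krb5.ini must be in the config directory and login.conf must
# contain the TextmlClientLogin entry with Krb5LoginModule and useTicketCache=false.
$krb5Ini   = Join-Path $ConfigDir 'krb5.ini'
$loginConf = Join-Path $ConfigDir 'login.conf'
if (-not (Test-Path $krb5Ini)) { throw "Missing $krb5Ini (steps 1 and 2 not done)" }
if (-not (Select-String -Path $loginConf -Pattern '^\s*TextmlClientLogin' -Quiet)) {
    throw "login.conf has no TextmlClientLogin entry (step 4 not done)"
}
if (-not (Select-String -Path $loginConf -Quiet `
        -Pattern 'Krb5LoginModule\s+required\s+useTicketCache=false')) {
    throw "TextmlClientLogin must use Krb5LoginModule required useTicketCache=false"
}

# Step 6: run the service under the service account instead of Local System.
# The password is prompted for interactively and is never stored in the script.
$cred = Get-Credential -UserName $ServiceUser -Message "Password for $ServiceUser"
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceUser
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed (return code $($result.ReturnValue))"
}

# Step 7: give the service account full permissions on the GlassFish directory,
# inherited by all files and subdirectories, as the GUI procedure does.
$acl  = Get-Acl -Path $GlassFishDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceUser, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $GlassFishDir -AclObject $acl

# The new logon name only takes effect after a restart (the message in step 6.8).
Restart-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName
```

Run it from an elevated PowerShell session; if the service fails to start afterwards, confirm that the account holds the Log On As A Service right mentioned in step 6.8.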