Configure a service principal user account in Active Directory for use with Identity Bridge

Identity Bridge uses the Integrated Windows Authentication (IWA) capability of Active Directory. Therefore, your company's Active Directory must have a service principal so that Identity Bridge can authenticate users against Active Directory credentials when users access the Cloud Single Sign On Control Console.

Task

  1. Log on to your Active Directory.
  2. Create a user in the AD domain to which Directory Services Connector communicates.
  3. Open the Properties page for the user.
  4. Check the Member of tab to make sure the user is in the domain used by Directory Services Connector.
  5. In the Account tab, check the entry in the User logon name field. This name, plus the associated domain name, must be entered into the Active Directory Server Principal Name field on the Registered Server page of Directory Services Connector.
  6. Open the command line on the Active Directory server, and enter the following command at the command prompt:
     ktpass -princ HTTP/<ePO server name>@<AD domain name> -mapuser <user_name>@<domain_name> -pass * -ptype KRB5_NT_PRINCIPAL
     where <ePO server name> is the name of the ePO server running Identity Bridge, <AD domain name> is the AD domain used for authentication, and <user_name>@<domain_name> is the security principal user you just created and the domain of the user.
    A prompt to enter a password and confirmation password is displayed.
  7. Enter the password in both fields.
  8. At the command line prompt, type:
     setspn -A HTTP/<ePO server name>@<AD domain name> <user_name>@<domain_name>
     where <user_name>@<domain_name> is the security principal user you just created.
  9. On the Registered Server page in Directory Services Connector, in the Identity Bridge section, enter this security principal user name and domain in the Active Directory Server Principal Name field. For more information, see "Set up Identity Bridge for McAfee Cloud Single Sign On" in the Directory Services Connector Getting Started Guide or the Directory Services Connector online help.
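After completing the steps above, the following PowerShell script checks that the SPN was actually registered on the service principal account and that no other account in the forest holds the same SPN (a duplicate HTTP SPN causes Kerberos authentication to the ePO server to fail). This is an added verification example, not part of the McAfee documentation or product; the server name, realm and account name are placeholder values you must replace, and it assumes the RSAT ActiveDirectory module is available on the machine where you run it.

```powershell
# Added example: verify the Identity Bridge service principal after ktpass/setspn.
# Placeholder values (constructed for this example); substitute your own.
$EpoServer = 'epo01.corp.example.com'   # <ePO server name>
$AdDomain  = 'CORP.EXAMPLE.COM'         # <AD domain name> (Kerberos realm)
$UserName  = 'svc-idbridge'             # <user_name> created in step 2
$Spn       = "HTTP/$EpoServer"          # SPN without the @realm suffix

Import-Module ActiveDirectory

# 1. The account exists and carries the HTTP SPN. ktpass writes HTTP/<host>;
#    setspn -A as written in step 8 writes HTTP/<host>@<realm>, so match both.
$acct = Get-ADUser -Identity $UserName -Properties servicePrincipalName, userPrincipalName
$registered = @($acct.servicePrincipalName | Where-Object { $_ -like "$Spn*" })
if ($registered.Count -eq 0) {
    Write-Warning "No SPN starting with $Spn is registered on $UserName"
} else {
    Write-Host "SPN(s) on ${UserName}: $($registered -join ', ')"
}

# 2. The SPN must be unique: list every object in the directory that holds it.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn*)" `
                          -Properties servicePrincipalName)
if ($holders.Count -gt 1) {
    Write-Warning ("Duplicate SPN {0} held by: {1}" -f $Spn, ($holders.Name -join ', '))
} elseif ($holders.Count -eq 1 -and $holders[0].Name -ne $acct.Name) {
    Write-Warning "SPN $Spn is registered on $($holders[0].Name), not on $UserName"
} else {
    Write-Host "SPN $Spn is unique and bound to $UserName"
}

# 3. Forest-wide duplicate report from the built-in tool as an independent check.
setspn -X
```

Run the script as a user with read access to the domain; it changes nothing in Active Directory, it only reads the servicePrincipalName attribute and reports.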