Setting the Kerberos environment
For the web server, the Kerberos environment needs to be set. This is done by creating the file containing the Kerberos environments settings.
The krb5.conf below is an example more parameters can be added to make it better fit a specific AD configuration or fulfill security requirements. See: http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
Settings file example:
[libdefaults]
default_realm = PLANON.COM
default_keytab_name = FILE:AbsolutePath\Server\tomcat-*\tomcat.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable=true
[realms]
PLANON.COM = {
kdc = planon.com
default_domain = planon.com
}
[domain_realm]
.planon.com = PLANON.COM
default_realm = PLANON.COM
default_keytab_name = FILE:AbsolutePath\Server\tomcat-*\tomcat.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable=true
[realms]
PLANON.COM = {
kdc = planon.com
default_domain = planon.com
}
[domain_realm]
.planon.com = PLANON.COM
 | For the parameter kdc, the hostname is not required. With only the domain name defined, it will resolve to the correct domain controller itself even if there are multiple domain controllers. |
1. Update this example with your configuration.
2. Save this file as krb5.ini in the following: …\Server\tomcat-*\conf.