Version 1

    My setup consists of two laptop machines running Fedora. Both are connected to my wireless router on the same subnet. Note that most of the time you do not need to configure a KDC server at all: your enterprise may already have one, and you should ask your operations team how to obtain keytabs or how to use SSO without keytabs.


    For simplicity's sake, I edited the "/etc/hosts" file and added the following lines



    Most of you may already have an enterprise Kerberos system installed and configured, but for my testing I had to install the Kerberos server myself. I took the instructions from here. On my "" machine, with root permissions, run


    yum -y install krb5-libs krb5-server krb5-workstation


    Once the installation is complete, I needed to create a database for the Kerberos credentials. Enterprises typically back this with LDAP or similar, but for my test case that is not important and a simple local store is sufficient. To create it, execute


    kdb5_util create -s


    Kerberos is sensitive to clock skew, so when the time difference between the machines is off you will run into errors. Synchronize the clocks using NTP by executing


    yum install ntp
    service ntpd restart


    Edit "/var/kerberos/krb5kdc/kadm5.acl" so that it looks like


    */admin *
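    The single line above grants every principal whose instance is "admin" (root/admin, but also any other x/admin that gets created later) every kadmin privilege. The following evaluator is an added example, not part of the original post: it implements a simplified version of the kadm5.acl matching rules (first matching line wins, "*" matches one whole name component, "*" in the permission field means all privileges; the optional third field restricting target principals is ignored) and compares the post's ACL with a tighter variant that gives only root/admin full rights and other admin instances list/inquire only. The principal "eve/admin" is a constructed example name.

```python
"""Simplified kadm5.acl evaluator (added example; not from the original post)."""

# The ACL as used in the post: any principal with instance "admin" gets everything.
WEAK_ACL = "*/admin *\n"

# Least-privilege variant (constructed): only root/admin is fully privileged, any other
# x/admin may only list (l) and inquire (i). Permission letters follow MIT kadm5.acl.
TIGHT_ACL = """
# principal pattern        permissions
root/admin@EXAMPLE.COM     *
*/admin                    li
"""


def _split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm); missing parts are ''."""
    name, _, realm = name.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def _component_matches(pattern, value):
    # A lone '*' matches any whole component; anything else must match literally.
    return pattern == "*" or pattern == value


def parse_acl(text):
    """Parse kadm5.acl text into (principal_pattern, permissions) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rules.append((fields[0], fields[1]))  # target-principal field (if any) ignored here
    return rules


def matches(pattern, principal, default_realm):
    """True if `principal` matches `pattern`; a pattern without realm means the default realm."""
    pp, pi, pr = _split_principal(pattern)
    p, i, r = _split_principal(principal)
    return (_component_matches(pp, p)
            and _component_matches(pi, i)
            and _component_matches(pr or default_realm, r or default_realm))


def is_allowed(acl_text, principal, perm, default_realm="EXAMPLE.COM"):
    """Return True if the first ACL line matching `principal` grants permission letter `perm`."""
    for pattern, perms in parse_acl(acl_text):
        if matches(pattern, principal, default_realm):
            return perms == "*" or perm in perms
    return False


if __name__ == "__main__":
    for who in ("root/admin@EXAMPLE.COM", "eve/admin@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        for label, acl in (("weak", WEAK_ACL), ("tight", TIGHT_ACL)):
            print("%-6s %-24s delete=%s list=%s" % (label, who,
                  is_allowed(acl, who, "d"), is_allowed(acl, who, "l")))
```

Run it to see that with the post's ACL a newly created "eve/admin" can delete principals, while with the tighter ACL it can only list them; "alice" (no instance) matches neither rule in either file.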


    Now edit the "/etc/krb5.conf" file; it should look like


    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = EXAMPLE.COM

    [realms]
     EXAMPLE.COM = {
      kdc =
      admin_server =
     }

    [domain_realm]
      = EXAMPLE.COM
      = EXAMPLE.COM


    Now edit the firewall rules to allow the "kerberos" service; for my setup I used the graphical firewall management tool that comes with Fedora. Then start the Kerberos server with the following commands


    /sbin/service krb5kdc start
    /sbin/service kadmin start


    Now we are ready to create users in Kerberos. To begin with we need a "root" admin principal, which you can add by issuing


    kadmin.local -q "addprinc root/admin"


    Now log in to kadmin as the "root" user to create the other users


    kadmin.local -p root/admin


    Then at the kadmin prompt, add a user, say "rareddy", with the "ank" (add_principal) command. For this walkthrough I added the following two principals


    ank alice
    ank bob/


    You can also list all the principals in the system by issuing




    and you will see users such as




    Here I am going to use the "bob/" user as the service principal, identified by its Service Principal Name (SPN). In Kerberos there are three parties: the client user (that is you, e.g. alice), the host where the service is running (JBoss EAP), and the Kerberos server itself. To get access to the service the user authenticates with Kerberos, but must also specify, using the SPN, which service the ticket should be granted for. Using the combination of the user's ticket and the SPN, access is negotiated with the service.


    To proceed we need to create keytabs, which hold each principal's keys. To create them, execute the following on the kadmin console


    ktadd -k /path/to/bob.keytab  bob/
    ktadd -k /path/to/alice.keytab alice


    Now Kerberos is all set up. Copy "bob.keytab" to the system where the service is installed, and "alice.keytab" to the client system from which the call to the service is made. In my case that was the "" machine, and the service was running in JBoss EAP. Also copy the "/etc/krb5.conf" file to a chosen location on that machine.
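    A keytab is password-equivalent for every principal it contains, so before copying one to the service host it is worth checking what is actually inside it: only the service's own principal, and no deprecated encryption types. The inspector below is an added example, not part of the original post or of JBoss EAP; it parses the version 0x0502 keytab layout documented by MIT Kerberos (big-endian, one length-prefixed entry per key, negative sizes marking deleted slots, an optional 32-bit kvno trailing the 8-bit one) without ever keeping the key bytes, and flags entries that should not be there. The hostname "host.example.com", the key bytes and the kvno values in the sample are constructed; a real keytab written by ktadd can be read with the same parse_keytab function.

```python
"""Keytab inspector (added example; not from the original post). Lists principals and
enctypes in a keytab and reports weak enctypes or principals that do not belong."""
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961/3962/8009. The first group is deprecated (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 **WEAK_ENCTYPES}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int  # only the length is kept: the key itself is password-equivalent


def _counted(blob, off):
    """Read a counted_octet_string (uint16 length followed by bytes) at `off`."""
    (n,) = struct.unpack_from(">H", blob, off)
    return blob[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(blob):
    """Parse a version 0x0502 keytab (MIT/Heimdal layout) into KeytabEntry records."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(blob, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", blob, off)
        key, off = _counted(blob, off + 2)
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp, len(key)))
    return entries


def build_keytab(entries):
    """Build a keytab blob from (principal, kvno, enctype, key) tuples; used to make sample data."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(blob, expected_principal):
    """Return findings: missing/unexpected principals and entries using weak enctypes."""
    findings = []
    entries = parse_keytab(blob)
    if not any(e.principal == expected_principal for e in entries):
        findings.append("expected principal %s not present" % expected_principal)
    for e in entries:
        if e.principal != expected_principal:
            findings.append("unexpected principal %s (keytab should hold only the service's keys)"
                            % e.principal)
        if e.enctype in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s"
                            % (e.principal, e.kvno, WEAK_ENCTYPES[e.enctype]))
    return findings


# Constructed sample (hostname, keys and kvnos are made up): a service keytab that also
# picked up an rc4 key and, by mistake, alice's key.
SAMPLE_KEYTAB = build_keytab([
    ("bob/host.example.com@EXAMPLE.COM", 2, 18, bytes(range(32))),
    ("bob/host.example.com@EXAMPLE.COM", 2, 23, bytes(range(16))),
    ("alice@EXAMPLE.COM", 300, 17, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%-4d %s (%d-byte key)" % (e.principal, e.kvno,
              ENCTYPE_NAMES.get(e.enctype, e.enctype), e.key_len))
    for finding in audit_keytab(SAMPLE_KEYTAB, "bob/host.example.com@EXAMPLE.COM"):
        print("FINDING:", finding)
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to audit_keytab together with the SPN you expect; two findings on the sample (the rc4 key and alice's principal) are what a clean service keytab should not show.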