Home
Products
Red Hat Enterprise Linux
10
Managing IdM users, groups, hosts, and access control rules
Chapter 19. Using the KDC Proxy in IdM

Chapter 19. Using the KDC Proxy in IdM

Some administrators might choose to make the default Kerberos ports inaccessible in their deployment. To allow users, hosts, and services to obtain Kerberos credentials, you can use the HTTPS service as a proxy that communicates with Kerberos via the HTTPS port 443.

In Identity Management (IdM), the Kerberos Key Distribution Center Proxy (KKDCP) provides this functionality.

On an IdM server, KKDCP is enabled by default and available at https://<server.idm.example.com>/KdcProxy. On an IdM client, you must change its Kerberos configuration to access the KKDCP.

19.1. Configuring an IdM client to use KKDCP
Copy link

Configure Identity Management (IdM) clients to use Kerberos Key Distribution Center Proxy (KKDCP) to access Kerberos services through HTTPS port 443. This enables authentication when standard Kerberos ports are blocked by firewalls or network policies.

Prerequisites

You have root access to the IdM client.

Procedure

Open the /etc/krb5.conf file for editing.
In the [realms] section, enter the URL of the KKDCP for the kdc, admin_server, and kpasswd_server options:
```
[realms]
EXAMPLE.COM = {
  kdc = https://kdc.example.com/KdcProxy
  admin_server = https://kdc.example.com/KdcProxy
  kpasswd_server = https://kdc.example.com/KdcProxy
  default_domain = example.com
}
```
For redundancy, you can add the parameters kdc, admin_server, and kpasswd_server multiple times to indicate different KKDCP servers.
Restart the sssd service to make the changes take effect:
```
# systemctl restart sssd
```

19.2. Verifying that KKDCP is enabled on an IdM server
Copy link

Verify that the Kerberos Key Distribution Center Proxy (KKDCP) is enabled on an Identity Management (IdM) server to confirm that Kerberos clients can authenticate through the HTTPS proxy rather than connecting directly to the KDC.

On an IdM server, KKDCP is automatically enabled each time the Apache web server starts if the attribute and value pair ipaConfigString=kdcProxyEnabled exists in the directory. When enabled, the symbolic link /etc/httpd/conf.d/ipa-kdc-proxy.conf is created.

You can verify if the KKDCP is enabled on the IdM server, even as an unprivileged user.

Procedure

Check that the symbolic link exists:

$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf

The output confirms that KKDCP is enabled.

19.3. Disabling KKDCP on an IdM server
Copy link

Disable the Kerberos Key Distribution Center Proxy (KKDCP) on Identity Management (IdM) servers to switch to direct KDC connectivity.

Prerequisites

You have root access to the IdM server.

Procedure

Remove the ipaConfigString=kdcProxyEnabled attribute and value pair from the directory:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Update complete
The ipa-ldap-updater command was successful

Restart the httpd service:
```
# systemctl restart httpd.service
```
KKDCP is now disabled on the current IdM server.

Verification

Verify that the symbolic link does not exist:

$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
ls: cannot access '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory

19.4. Re-enabling KKDCP on an IdM server
Copy link

Restore Kerberos Key Distribution Center Proxy (KKDCP) functionality on an Identity Management (IdM) server to enable clients to obtain Kerberos tickets through HTTPS.

Prerequisites

You have root access to the IdM server.

Procedure

Add the ipaConfigString=kdcProxyEnabled attribute and value pair to the directory:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Update complete
The ipa-ldap-updater command was successful

Restart the httpd service:
```
# systemctl restart httpd.service
```
KKDCP is now enabled on the current IdM server.

Verification

Verify that the symbolic link exists:

$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf

19.5. Configuring the KKDCP server for static targets
Copy link

Configure the Identity Management (IdM) KKDCP server to use TCP when communicating with Active Directory realms. TCP transport improves reliability when connecting to multiple Kerberos servers in AD environments.

Prerequisites

You have root access.

Procedure

Set the use_dns parameter in the [global] section of the /etc/ipa/kdcproxy/kdcproxy.conf file to false.
```
[global]
use_dns = false
```
Put the proxied realm information into the /etc/ipa/kdcproxy/kdcproxy.conf file. For example, for the [AD.EXAMPLE.COM] realm with proxy list the realm configuration parameters as follows:
```
[AD.EXAMPLE.COM]
kerberos = kerberos+tcp://1.2.3.4:88 kerberos+tcp://5.6.7.8:88
kpasswd = kpasswd+tcp://1.2.3.4:464 kpasswd+tcp://5.6.7.8:464
```
Important
The realm configuration parameters must list multiple servers separated by a space, as opposed to /etc/krb5.conf and kdc.conf, in which certain options may be specified multiple times.
Restart Identity Management (IdM) services:
```
# ipactl restart
```

19.6. Configuring the KKDCP server for dynamic discovery
Copy link

Configure the Identity Management (IdM) KKDCP server to automatically discover Active Directory servers using DNS service records. DNS-based discovery simplifies Active Directory integration and improves failover capabilities.

Prerequisites

You have root access.

Procedure

In the /etc/ipa/kdcproxy/kdcproxy.conf file, the [global] section, set the use_dns parameter to true.
```
[global]
configs = mit
use_dns = true
```
The configs parameter allows you to load other configuration modules. In this case, the configuration is read from the MIT libkrb5 library.
Optional: In case you do not want to use DNS service records, add explicit AD servers to the [realms] section of the /etc/krb5.conf file. If the realm with proxy is, for example, AD.EXAMPLE.COM, you add:
```
[realms]
AD.EXAMPLE.COM = {
    kdc = ad-server.ad.example.com
    kpasswd_server = ad-server.ad.example.com
}
```
Restart Identity Management (IdM) services:
```
# ipactl restart
```

Chapter 19. Using the KDC Proxy in IdM

19.1. Configuring an IdM client to use KKDCP
Copy link

19.2. Verifying that KKDCP is enabled on an IdM server
Copy link

19.3. Disabling KKDCP on an IdM server
Copy link

19.4. Re-enabling KKDCP on an IdM server
Copy link

19.5. Configuring the KKDCP server for static targets
Copy link

19.6. Configuring the KKDCP server for dynamic discovery
Copy link

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Chapter 19. Using the KDC Proxy in IdM

19.1. Configuring an IdM client to use KKDCPCopy linkLink copied to clipboard!

19.2. Verifying that KKDCP is enabled on an IdM serverCopy linkLink copied to clipboard!

19.3. Disabling KKDCP on an IdM serverCopy linkLink copied to clipboard!

19.4. Re-enabling KKDCP on an IdM serverCopy linkLink copied to clipboard!

19.5. Configuring the KKDCP server for static targetsCopy linkLink copied to clipboard!

19.6. Configuring the KKDCP server for dynamic discoveryCopy linkLink copied to clipboard!

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

19.1. Configuring an IdM client to use KKDCP
Copy link

19.2. Verifying that KKDCP is enabled on an IdM server
Copy link

19.3. Disabling KKDCP on an IdM server
Copy link

19.4. Re-enabling KKDCP on an IdM server
Copy link

19.5. Configuring the KKDCP server for static targets
Copy link

19.6. Configuring the KKDCP server for dynamic discovery
Copy link