Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Logging in to IdM in the Web UI: Using a Kerberos ticket

Authenticate to the Identity Management (IdM) Web UI automatically with a valid Kerberos ticket from a local system. You can use the single sign-on (SSO) method to access the graphical interface without entering a password in the browser.

6.1. Kerberos authentication in Identity Management
Copia collegamento

Identity Management (IdM) uses the Kerberos protocol to support single sign-on (SSO). You can use SSO to provide a username and password only once to obtain a ticket.

The IdM server provides Kerberos authentication immediately after the installation if the DNS and certificate settings have been configured properly. For details, see Installing Identity Management.

To use Kerberos authentication on hosts, install:

6.2. Using kinit to log in to IdM manually
Copia collegamento

Authenticate to an Identity Management (IdM) environment manually by using the kinit utility. You can use this utility to obtain and cache a Kerberos ticket-granting ticket (TGT) if your initial ticket has expired or was destroyed.

As an IdM user, when logging onto your local machine you are also automatically logging in to IdM. This means that after logging in, you are not required to use the kinit utility to access IdM resources.

Procedure

  • To authenticate as the current local user, use kinit without specifying a user name. For example, if you are logged in as <example_user> on the local system: 

    [example_user@server ~]$ kinit
    Copy to Clipboard Toggle word wrap 
    Password for example_user@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap

    If the user name of the local user does not match any user entry in IdM, the authentication attempt fails: 

    [example_user@server ~]$ kinit
    Copy to Clipboard Toggle word wrap 
    kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    Copy to Clipboard Toggle word wrap

  • To authenticate as a different IdM principal, specify the username with the kinit command. For example, to log in as the admin user: 

    [example_user@server ~]$ kinit admin
    Copy to Clipboard Toggle word wrap 
    Password for admin@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap
    Note

    Requesting user tickets using kinit -kt KDB: user@EXAMPLE.COM is disabled. For more information, see the Why kinit -kt KDB: user@EXAMPLE.COM no longer work after CVE-2024-3183 solution.

Verification

  • To verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the <example_user> principal, which means that on this particular host, only <example_user> is currently allowed to access IdM services: 

    $ klist
    Copy to Clipboard Toggle word wrap 
    Ticket cache: KEYRING:persistent:0:0
Default principal: example_user@EXAMPLE.COM

Valid starting     	Expires            	Service principal
11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

6.3. Configuring the browser for Kerberos authentication
Copia collegamento

Prepare your web browser for Kerberos authentication to the Identity Management (IdM) server. You can use this configuration to pass your local Kerberos ticket to the Web UI for automatic, single sign-on (SSO) access. Proper browser settings ensure that the system recognizes the IdM domain as a trusted source for credential exchange.

Each browser supports Kerberos in a different way and needs a different configuration. The IdM Web UI includes guidelines for the following browsers:

  • Firefox
  • Chrome

Procedure

  1. Open the IdM Web UI login dialog in your web browser.

  2. Click the link for the browser configuration on the Web UI login screen.

    A screenshot of the IdM Web UI log in page with empty entry fields for the Username and Password and a blue "Log in" button below those fields. Text to the right of the "Log in" button explains "to log in with Kerberos please make sure you have valid tickets (obtainable via kinit) and configured the browser correctly then click Log in." The URL for the word "configured" has been highlighted.

  3. Follow the steps on the configuration page.

    A screenshot of a web browser with instructions for "Browser Kerberos Setup."

    After the setup, go back to the IdM Web UI and click Log in.

6.4. Logging in to the web UI using a Kerberos ticket
Copia collegamento

Access the Identity Management (IdM) Web UI automatically by using a Kerberos ticket-granting ticket (TGT). The TGT remains valid for a predefined interval, which defaults to 24 hours. You can modify this duration in the IdM Web UI configuration settings.

After the time interval expires, you need to renew the ticket:

  • Using the kinit command.
  • Using IdM login credentials in the Web UI login dialog.

Procedure

  • Open the IdM Web UI.

    If Kerberos authentication works correctly and you have a valid ticket, you can automatically authenticate and the Web UI opens.

    If the ticket is expired, you must authenticate yourself with credentials first. However, next time the IdM Web UI will open automatically without opening the login dialog.

    If you see an error message Authentication with Kerberos failed, verify that your browser is configured for Kerberos authentication. See Configuring the browser for Kerberos authentication.

    A screenshot of the IdM Web UI log in screen displaying an error above the empty Username and Password fields. The error message says
    View larger image
    A screenshot of the IdM Web UI log in screen displaying an error above the empty Username and Password fields. The error message says

6.5. Configuring an external system for Kerberos authentication
Copia collegamento

Configure an external system that is not enrolled in the Identity Management (IdM) domain to support Kerberos authentication. By defining an IdM-specific Kerberos configuration file and setting the KRB5_CONFIG environment variable, users on external systems can authenticate against the IdM server and obtain Kerberos tickets.

Enabling Kerberos authentication on external systems is especially useful when your infrastructure includes multiple realms or overlapping domains. It is also useful if the system has not been enrolled into any IdM domain through ipa-client-install.

Prerequisites

  • The krb5-workstation package is installed on the external system. To verify the installation, use the following CLI command: 

    # dnf list installed krb5-workstation
    Copy to Clipboard Toggle word wrap 
    Installed Packages
krb5-workstation.x86_64    1.16.1-19.el8     @BaseOS
    Copy to Clipboard Toggle word wrap

Procedure

  1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example: 

    # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap
    Warning

    Do not overwrite the existing krb5.conf file on the external system.

  2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file: 

    $ export KRB5_CONFIG=/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap

    The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

  3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.

  4. Configure the browser on the external system, as described in Configuring the browser for Kerberos authentication.

    Users on the external system can now use the kinit utility to authenticate against the IdM server.

6.6. Enabling Web UI login for Active Directory users
Copia collegamento

Configure the Identity Management (IdM) Web UI to verify Active Directory (AD) user credentials through a cross-forest trust to maintain a single source of identity.

To enable Web UI login for Active Directory users, define an ID override for each Active Directory user in the Default Trust View.

Procedure

  • To define an ID override for ad_user@ad.example.com: 

    [admin@server ~]$ ipa idoverrideuser-add 'Default Trust View' ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red Hat