Macromedia live cycle 7.2 Manual
Adobe LiveCycle
Post-deployment
Installing and Configuring LiveCycle Security Products for JBoss
Adding Kerberos authentication
To use Kerberos authentication with LiveCycle Policy Server, you must complete the following tasks:
● Ensure that your network meets certain network configuration criteria. (See .)
● Create a special account for Kerberos in Microsoft Active Directory. (See
● From the administration interface, configure LiveCycle Policy Server to work with Kerberos. For
information on how to configure LiveCycle Policy Server, see LiveCycle Policy Server Help and for
additional information see, .
Network requirements
When using Kerberos as an authentication mechanism with LiveCycle Policy Server, Acrobat 7.0 users
running Windows can access LiveCycle Policy Server without having to type a user name or password.
Kerberos can leverage the Windows infrastructure to determine the identity of a user who has logged into
a computer without requiring that user to enter a user name and password again.
To use the Kerberos authentication system with LiveCycle Policy Server, you must be using Microsoft
Active Directory 2000 or 2003 to control a domain that end users and their computers access. Then,
when LiveCycle Policy Server client software in Acrobat 7.0 uses Kerberos to perform authentication, it
specifies which service should receive the end user’s credentials. This ensures that only
LiveCycle Policy Server (referred to as the service in Kerberos) receives the credentials, and not some
other server, service, or user. LiveCycle Policy Server can accomplish this through a special Active Directory
account that is created to act as the service.
Creating the Active Directory account
The following example shows how to create an account that Kerberos can use as a service to give
LiveCycle Policy Server users access to their accounts without having to enter their user names and
passwords. The steps provided in the example can be completed after LiveCycle Policy Server is already
running.
Example 3.1
To create an Active Directory account
This example assumes that you have an existing Active Directory instance running on a server named
test.2003.policyserver.net, that its IP address is resolvable by a DNS server running on 192.168.1.1,
and that test is running the Active Directory domain named 2003.policyserver.net.
➤ To create an Active Directory account on the test.2003.policyserver.net server:
1. On test, run the Active Directory Users & Groups program (Administrative Tools > Active Directory
Users and Computers). Create a new account and call it PolServerKerberos. To create a new account,
right-click the folder called Users in the hierarchy and then select New > User. You are first prompted
for user first/last/login name. The login name is required; the remaining properties are optional for
LiveCycle Policy Server. However, Active Directory treats all of the fields as required fields.
Note: The PolServerKerberos naming matches the example provided in the LiveCycle Policy Server Help.
Give this new account a password and ensure that it is set to never expire.
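One way to confirm that the account from step 1 exists and is configured as described. This is an added example, not part of the Adobe manual. It assumes Windows PowerShell on a machine joined to the example domain, and its checks beyond the never-expire setting go further than the step itself requires.

```powershell
# Added example (not from the Adobe manual): audit the Kerberos service account.
# Assumes a domain-joined machine; the account name is the one used in the page's example.
$samName = 'PolServerKerberos'

# userAccountControl bit values as documented by Microsoft for Active Directory.
$uacBits = [ordered]@{
    ACCOUNTDISABLE       = 0x00000002
    PASSWD_NOTREQD       = 0x00000020
    DONT_EXPIRE_PASSWORD = 0x00010000
    DONT_REQ_PREAUTH     = 0x00400000
}

# Look the account up through ADSI so no extra module is needed.
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$samName))"
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'useraccountcontrol', 'pwdlastset', 'memberof'))
$entry = $searcher.FindOne()
if (-not $entry) { throw "Account '$samName' was not found in the current domain." }

$uac    = [int]$entry.Properties['useraccountcontrol'][0]
$flags  = @($uacBits.Keys | Where-Object { $uac -band $uacBits[$_] })
$pwdSet = [DateTime]::FromFileTimeUtc([long]$entry.Properties['pwdlastset'][0])

$findings = @()
if ($flags -notcontains 'DONT_EXPIRE_PASSWORD') {
    $findings += 'Password is not set to never expire (step 1 requires it).'
}
if ($flags -contains 'ACCOUNTDISABLE') {
    $findings += 'Account is disabled.'
}
if ($flags -contains 'PASSWD_NOTREQD') {
    $findings += 'Account is allowed to have an empty password.'
}
if ($flags -contains 'DONT_REQ_PREAUTH') {
    $findings += 'Kerberos pre-authentication is disabled for this account.'
}
# The primary group (Domain Users) is not listed in memberOf, so any entry is an extra grant.
if ($entry.Properties['memberof'].Count -gt 0) {
    $findings += 'Account has explicit group memberships; a service account should need none.'
}

[pscustomobject]@{
    DistinguishedName = [string]$entry.Properties['distinguishedname'][0]
    Flags             = $flags -join ', '
    PasswordAgeDays   = [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays
    Findings          = if ($findings) { $findings } else { 'None' }
}
```

Because the password never expires, the PasswordAgeDays value is the only indication of how long the current secret has been in use.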