Password Policy - Regular Password Changes

If your password policy enforces regular password changes, be aware that every change of the AD password of the database user also requires updating the datasource password stored in the UMS Server database configuration; otherwise the UMS Server can no longer connect to the database.

Setting Up Kerberos

The UMS can use an SQL Server database with a domain (Active Directory) login on both Windows and Linux systems, even if the UMS host itself is not a member of the domain. In this case, the DB type "SQL Server AD Kerberos" must be used, and the system must be configured as described below before the database is activated.

Creating a Kerberos Configuration File

The Kerberos configuration file contains the data needed for the system to access the domain information. 

The following example shows what a Kerberos configuration file looks like:

[libdefaults]
    default_realm = HEX.LOCAL
    ticket_lifetime = 24h
[realms]
    HEX.LOCAL = {
        kdc = 111.111.111.111
        default_domain = HEX.LOCAL
    }
[domain_realm]
    .hex.local = HEX.LOCAL
[appdefaults]

For a detailed description of the content, see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.

The domain does not have to be identical to the domain of the server where the UMS is installed.

Create the Kerberos configuration file and save it in an appropriate location that is readable by the accounts under which the UMS Server and the UMS Administrator run.

Defining an Environment Variable

The global environment variable KRB5_CONFIG must be defined and point to the location of the Kerberos configuration file.

Under Windows

  1. Open the Windows Settings, search for "environment", and select Edit the system environment variables.
  2. Select the Advanced tab and click Environment Variables.
  3. In the area System variables, click New.
  4. Enter the following data:
    • Variable name: Enter "KRB5_CONFIG"
    • Variable value: Enter the path and file name of the Kerberos configuration file.
  5. Click OK.

Under Linux

Export the variable from /etc/profile or from any other place that makes it visible to the environments of the users and of the scripts that start the UMS Administrator and the UMS Server.
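Before activating the datasource it is worth verifying that the file KRB5_CONFIG points to actually contains what the domain login needs: a default_realm, a kdc entry for that realm, and a [domain_realm] mapping from the lower-case DNS domain to the upper-case realm. The following script is an added example, not part of the IGEL documentation or the UMS itself; it assumes POSIX sh and awk, one "key = value" per line as in the example configuration above, and an nc that accepts -z -w for the optional KDC probe. The realm HEX.LOCAL and the KDC address 111.111.111.111 are the placeholders from the example above, written into a sample file by write_sample_conf for a dry run.

```shell
#!/bin/sh
# Added example (not IGEL's code): sanity-check the krb5.conf that
# KRB5_CONFIG points to before activating the "SQL Server AD Kerberos"
# datasource. Assumes POSIX sh + awk and one "key = value" per line.

# Print the value of <key> in section [<section>] of <file>.
krb5_get() {   # file section key
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }                         # comment line
    { gsub(/=/, " = ") }                           # accept key=value too
    /^[ \t]*\[/ { insec = ($1 == sec); next }      # section header
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Print the value of <key> inside the "<realm> = { ... }" block of [realms].
krb5_realm_get() {   # file realm key
  awk -v realm="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    { gsub(/=/, " = ") }
    /^[ \t]*\[/ { insec = ($1 == "[realms]"); inrealm = 0; next }
    insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
    inrealm && $1 == "}" { inrealm = 0; next }
    inrealm && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Check the parts of krb5.conf the domain login depends on. Returns 0 only
# if default_realm, its kdc and the [domain_realm] mapping are present and
# the realm is upper case (realm names are case sensitive; an AD realm is
# the upper-cased DNS domain name).
krb5_check() {   # file
  f="$1"
  [ -r "$f" ] || { echo "krb5.conf not readable: $f"; return 1; }
  realm=$(krb5_get "$f" libdefaults default_realm)
  [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }
  upper=$(printf %s "$realm" | tr 'a-z' 'A-Z')
  [ "$realm" = "$upper" ] || { echo "realm must be upper case: $realm"; return 1; }
  kdc=$(krb5_realm_get "$f" "$realm" kdc)
  [ -n "$kdc" ] || { echo "no kdc for realm $realm in [realms]"; return 1; }
  lower=$(printf %s "$realm" | tr 'A-Z' 'a-z')
  mapped=$(krb5_get "$f" domain_realm ".$lower")
  [ "$mapped" = "$realm" ] || { echo "[domain_realm] must map .$lower to $realm"; return 1; }
  echo "ok: realm=$realm kdc=$kdc"
}

# Optional: is TCP/88 on the KDC reachable from this host? Skipped without nc.
krb5_kdc_reachable() {   # file
  kdc=$(krb5_realm_get "$1" "$(krb5_get "$1" libdefaults default_realm)" kdc)
  command -v nc >/dev/null 2>&1 || { echo "nc not found, skipping KDC probe"; return 0; }
  nc -z -w 3 "$kdc" 88
}

# Write the example configuration from this page to <file>: constructed
# sample input for a dry run, replace realm and kdc with your own values.
write_sample_conf() {   # file
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = HEX.LOCAL
    ticket_lifetime = 24h
[realms]
    HEX.LOCAL = {
        kdc = 111.111.111.111
        default_domain = HEX.LOCAL
    }
[domain_realm]
    .hex.local = HEX.LOCAL
[appdefaults]
EOF
}

# Usage: sh krb5check.sh [/path/to/krb5.conf]   (defaults to $KRB5_CONFIG)
if [ $# -gt 0 ] || [ -n "${KRB5_CONFIG:-}" ]; then
  krb5_check "${1:-$KRB5_CONFIG}"
fi
```

Run it as the account that starts the UMS Server, so that the test also proves KRB5_CONFIG is visible in that environment and the file is readable there; call krb5_kdc_reachable "$KRB5_CONFIG" afterwards if you also want to confirm that port 88 on the KDC is open from the UMS host.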

Activating the Database

The SQL Server database is activated in the UMS Administrator in the usual way. The Kerberos connection needs a domain user and that user's password to access the database.

To activate the database:

  1. In the UMS Administrator, select Datasource and then click Add....
  2. In the New Datasource dialog, edit the settings as follows:
    • DB type: Select "SQL Server AD Kerberos".
    • Host: Enter the fully qualified name of the host on which the MS SQL database is running.
    • Domain: Enter the domain of the user which logs in to the database.
    • User: Enter the username for connecting to the database, without the domain.
    • Port: Enter the port on which the MS SQL database service is listening.
    • Schema: Enter "DBO".
    • Database / SID: Enter the name of the database.
  3. Click Activate.
    The Datasource Password dialog opens.
  4. Enter the domain password of the database user and click OK. This password will also be used as the initial password of the UMS superuser.