To support Kerberos authentication with WSTEP enrollment in a cross-forest deployment, Certificate Enrollment Gateway requires a Kerberos configuration file. Certificate Enrollment Gateway uses the Kerberos configuration file for authenticating Kerberos V5 LDAP Referrals across forests in Active Directory.
The Kerberos configuration file (typically krb5.conf) must contain the following information:
- A [libdefaults] section with a default realm (default_realm).
  If Kerberos authentication uses the 3DES or RC4 encryption types, the section must also contain the setting allow_weak_crypto = true. Both encryption types are deprecated; set this only if a KDC in one of the forests still requires them, and remove it once all domain controllers support the AES encryption types.
- A [realms] section with the top-level domain of each forest defined as a realm. Kerberos realm names are case-sensitive, and Active Directory realms are the upper-case form of the DNS domain name.
The following example is a krb5.conf file for two forests, EXAMPLE.COM and EXAMPLE.ORG:

    [libdefaults]
        default_realm = EXAMPLE.COM
        renew_lifetime = 3600
        ticket_lifetime = 3600
        # Only needed while a KDC still requires 3DES or RC4.
        allow_weak_crypto = true

    [realms]
        EXAMPLE.COM = {
            kdc = hostname1.example.com
            kdc = hostname2.example.com
            kdc = example.com
            admin_server = hostname1.example.com
            master_kdc = hostname1.example.com
            default_domain = EXAMPLE.COM
        }
        EXAMPLE.ORG = {
            kdc = hostname1.example.org
            admin_server = hostname1.example.org
            master_kdc = hostname1.example.org
            default_domain = EXAMPLE.ORG
        }

For more information about creating a krb5.conf file, see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.
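The following script is an added example, not part of the original page or of Certificate Enrollment Gateway: it parses a krb5.conf and checks it against the requirements listed in this section (a [libdefaults] section with default_realm, every forest's top-level domain present as an upper-case realm in [realms], and a warning when allow_weak_crypto is enabled). The embedded krb5.conf text is a constructed sample modeled on the two-forest example above, and the list of forest names passed to the check is an assumption about the deployment.

```python
"""Check a krb5.conf against the cross-forest requirements described above."""
import re

# Constructed sample, modeled on the two-forest example on this page (not a real deployment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    renew_lifetime = 3600
    ticket_lifetime = 3600
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = hostname1.example.com
        kdc = hostname2.example.com
        admin_server = hostname1.example.com
        default_domain = EXAMPLE.COM
    }
    EXAMPLE.ORG = {
        kdc = hostname1.example.org
        admin_server = hostname1.example.org
        default_domain = EXAMPLE.ORG
    }
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def _add_value(target, key, value):
    """Collect repeated keys (for example several kdc lines) into a list."""
    if key in target:
        existing = target[key]
        if isinstance(existing, list):
            existing.append(value)
        else:
            target[key] = [existing, value]
    else:
        target[key] = value


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format: [section] headers,
    key = value lines, and nested { } blocks such as realm definitions.
    Returns {section: {key: value | [values] | {nested}}}."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = _SECTION_RE.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        m = _KEYVAL_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == "{":                     # open a nested block
            block = {}
            target[key] = block
            stack.append(block)
        else:
            _add_value(target, key, value)
    if stack:
        raise ValueError("unterminated '{' block")
    return conf


def check_krb5_conf(text, forests):
    """Return {'errors': [...], 'warnings': [...]} for the requirements in this section.
    forests: DNS names of the forest root domains (assumed input, e.g. 'example.com');
    each must appear as an upper-case realm in [realms]."""
    conf = parse_krb5_conf(text)
    errors, warnings = [], []
    libdefaults = conf.get("libdefaults")
    default_realm = None
    if libdefaults is None:
        errors.append("missing [libdefaults] section")
    else:
        default_realm = libdefaults.get("default_realm")
        if not default_realm:
            errors.append("[libdefaults] has no default_realm")
        weak = str(libdefaults.get("allow_weak_crypto", "false")).lower()
        if weak in ("true", "yes", "1"):
            warnings.append("allow_weak_crypto = true: 3DES/RC4 enabled; "
                            "remove once every KDC supports AES")
    realms = conf.get("realms", {})
    if not realms:
        errors.append("missing or empty [realms] section")
    if default_realm and default_realm not in realms:
        errors.append("default_realm %s is not defined in [realms]" % default_realm)
    for forest in forests:
        realm = forest.upper()
        block = realms.get(realm)
        if not isinstance(block, dict):
            errors.append("forest %s has no %s realm in [realms]" % (forest, realm))
        elif "kdc" not in block:
            # Not fatal: KDCs may still be found through DNS SRV records.
            warnings.append("realm %s lists no kdc" % realm)
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_krb5_conf(SAMPLE_KRB5_CONF, ["example.com", "example.org"])
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print("%s: %s" % (kind[:-1].upper(), msg))
```

Run against the sample, the check reports no errors and a single warning for allow_weak_crypto; passing a forest whose realm is missing from [realms] produces an error naming that realm. The parser collects repeated kdc lines into a list, so a realm with several KDCs can be inspected directly.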