When you say:
1. My Application server is Linux and is not in domain. My AD server is Win2K8 SP2 and I have installed the console on that server. Is it necessary that the application server should also be a part of the domain for the authentication to work. I have gone through the documentation but couldn't find anything related to it.
Also you did the configuration of AD:
Where you executed the steps of AD? On domain Server of Application Server?
Thanks for the reply. I have done the configuration of AD on the domain server itself. Also now I have done with the testing of domain authentication and that is working smoothly. I only have problem with the AD/Kerberos authentication.
To answer you questions:
1) Yes you can use an appserver which is not part of the Domain.
Make sure that there is no time difference between the appserver and DC server.
2) You client has to be part of Domain. Since in AD/Kerberos, the credentials will be fetched for the user which you are logged in as. Which would be a domain user.
On the client side, check for the following:
1) For 2008 server Browse to \HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry key "AllowTgtSessionKey" REG_DWORD value is created and set to 1.
2) config.properties file needs to have the following entries:
java.security.krb5.conf=C\:\\Program Files\\BMC Software\\......\\
java.security.auth.login.config=C\:\\Program Files\\BMC Software\\.....
3) blclient_login.conf and blclient_krb5.conf files needs to be present on the client and the paths are to be specified on in the config.properties file in format as mentioned above.
Just checked the files that are attached:
blclient_login.conf file doesn't have entries relevant to client. These entries which you are specifying are for blappserv_login.conf.
For blclient_login.conf try the following entries:
blclient_krb5.conf looks alright.
Thanks for your reply. I will give this a try and update here. Currently I am stuck with another issue which is more important.
Can you please check this thread and let me know if you have some idea about it.