Setup items in the exauth.properties file for Kerberos authentication

In the exauth.properties file, specify the type of the external authentication server, the server identification name, and the information about the external authentication server.

Common properties

See "Setup items in the exauth.properties file for Kerberos authentication (common items)"
Properties for an external authentication server

Specify these property values for each Kerberos server.

Setup items in the exauth.properties file vary depending on whether information about the Kerberos server being connected to is directly specified or looked up by using the DNS server.
- When directly specifying information about the Kerberos server:
  
  See "Setup items in the exauth.properties file for Kerberos authentication (when directly specifying information about the external authentication server)"
- When using the DNS server to look up information about the Kerberos server:
  
  See "Setup items in the exauth.properties file for Kerberos authentication (when using the DNS server to look up information about the external authentication server)"
Properties for an external authorization server

These properties must be set if you directly specify information about the Kerberos server and an external authorization server is also linked. Specify the properties for each realm.

See "Setup items in the exauth.properties file for Kerberos authentication (settings for the external authorization server)" or "Setup items in the exauth.properties file for Kerberos authentication (when an external authorization server and StartTLS are used for communication)

Note:

Make sure to distinguish between uppercase and lowercase letters for property settings.
To use StartTLS for communication between the management server and the LDAP directory server, you must directly specify information about the LDAP directory server to connect to in the exauth.properties file.
If you use the DNS server to look up the LDAP directory server to connect to, it might take longer for users to log in.

Table. Setup items in the exauth.properties file for Kerberos authentication (common items)
Property names	Details
`auth.server.type`	Specify an external authentication server type. Specify `kerberos`. Default value: `internal` (used when not linking to an external authentication server)
`auth.group.mapping`	Specify whether to also link to an external authorization server. Specify `true` to link to an external authorization server. Specify `false` to not to link to an external authorization server. Default value: `false`

Table. Setup items in the exauth.properties file for Kerberos authentication (when directly specifying information about the external authentication server)
Attributes	Details
`default_realm`	Specify the default realm name. If you specify a user ID but not a realm name in the login window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none
`dns_lookup_kdc`	Specify `false`. Default value: `false`
`default_tkt_enctypes`	Specify the encryption type used for Kerberos authentication. You can use the following encryption types: AES256-SHA2 AES128-SHA2 AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC To specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the management server OS and a Kerberos server will be used. Default value: None (AES256-SHA2, AES128-SHA2, AES256-CTS, or AES128-CTS is used for authentication.)
`clockskew`	Specify the acceptable range of difference between the management server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300
`timeout`	Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3
`realm_name`	Specify the realm identification names. You can specify any name for this attribute to identify which realms the property attribute settings are applied to. You must specify at least one name. When specifying multiple realm identification names, separate the names with commas (`,`). Do not register the same realm identification name more than once. Default value: none
`value-specified-for-realm_name.realm`	Specify the name of the realm set in the Kerberos server. This attribute is required. Default value: none
`value-specified-for-realm_name.kdc`	Specify the information about the Kerberos server in the following format: `host-name-or-IP-address[:port-number]` This attribute is required. `host-name-or-IP-address` If you specify the host name, make sure beforehand that the name can be resolved to an IP address. If you specify the IP address, use an IPv4 address. In an IPv6 environment, you must specify the host name. Note that you cannot specify the loopback address (`localhost` or `127.0.0.1`). `port-number` Make sure beforehand that the port you specify is set as the listen port number on the Kerberos server. If you do not specify a port number or the specified port number cannot be used in a Kerberos server, `88` is assumed. When configuring the Kerberos server in redundant configuration, separate the servers with commas (`,`) as follows: `host-name-or-IP-address[:port-number]` `,host-name-or-IP-address[:port-number]`,`...` Note: When using StartTLS as the protocol for connecting to the external authorization server, specify the same host name as the value of CN in the external authorization server certificate. You cannot use an IP address.
Note: To specify the attributes, use the following syntax: auth.kerberos.`attribute`=`value`

Table. Setup items in the exauth.properties file for Kerberos authentication (when using the DNS server to look up information about the external authentication server)
Attributes	Details
`default_realm`	Specify the default realm name. If you specify a user ID but not a realm name in the login window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none
`dns_lookup_kdc`	Specify `true`. This attribute is required. However, if all the following attributes values are already set, the Kerberos server will not be looked up by using the DNS server. `realm_name` `value-specified-for-realm_name.realm` `value-specified-for-realm_name.kdc`
`default_tkt_enctypes`	Specify the encryption type used for Kerberos authentication. You can use the following encryption types: AES256-SHA2 AES128-SHA2 AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC To specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the management server OS and a Kerberos server will be used. Default value: None (AES256-SHA2, AES128-SHA2, AES256-CTS, or AES128-CTS is used for authentication.)
`clockskew`	Specify the acceptable range of difference between the management server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300
`timeout`	Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify `0`, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3
Note: To specify the attributes, use the following syntax: auth.kerberos.`attribute`=`value`

Table. Setup items in the exauth.properties file for Kerberos authentication (settings for the external authorization server)
Attributes	Details
`protocol`	Specify the protocol for connecting to the LDAP directory server. When communicating in plain text format, specify `ldap`. When using StartTLS communication, specify `tls`. StartTLS communication can be used only when directly specifying information about the Kerberos server. Before specifying `tls`, make sure that one of the following encryption methods can be used on the LDAP directory server. For StartTLS, TLS 1.2 and TLS 1.3 are supported. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 Specifiable values: `ldap` or `tls` Default value: `ldap` Note: When communicating by using StartTLS as the protocol for connecting to the LDAP directory server, you must specify the security settings of Common Component.
`port`	Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port number on the LDAP directory server. Specifiable values: 1 to 65535 Default value: 389
`basedn`	Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information on the LDAP directory server. The user entries that are located in the hierarchy after this DN will be verified during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched. Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN, you must use a backslash (`\`) to escape each character. Spaces `# + ; , < = > \` If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the specified value will be passed to the LDAP directory server without change. If you omit this attribute, the value specified in the `defaultNamingContext` property of Active Directory is assumed as the BaseDN. Default value: none
`timeout`	Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify `0`, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 15
`retry.interval`	Specify the interval (in seconds) between tries to connect to the LDAP directory server. Specifiable values: 1 to 60 (seconds) Default value: 1
`retry.times`	Specify the number of tries to connect to the LDAP directory server. If you specify 0, no further tries occur. Specifiable values: 0 to 50 Default value: 20
Note: To specify the attributes, use the following syntax: auth.group.`realm-name`.`attribute`=`value` For `realm-name`, specify the value specified for `auth.kerberos.realm_name-property-value.realm`.

Table. Setup items in the exauth.properties file for Kerberos authentication (when an external authorization server and StartTLS are used for communication)
Property	Details
`auth.ocsp.enable`	Specify whether to verify the validity of an LDAP directory server's electronic signature certificate by using an OCSP responder when the LDAP directory server and StartTLS are used for communication. To verify the validity of certificates, specify `true`. To not verify the validity of certificates, specify `false`. Default value: `false`
`auth.ocsp.responderURL`	Specify the URL of an OCSP responder to use an OCSP responder that is not the one written in the AIA field of the electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP responder written in the AIA field is used. Default value: None