K2 blackpearl Installation and Configuration Guide > Planning Guide > Additional Planning Considerations > Kerberos Setup and Configuration | Send feedback |
When components are installed on separate servers, credentials must be passed between the services. This can be accomplished by setting up Kerberos, which should be configured prior to installing K2. Any time where two or more hops are required for user authentication, Kerberos must be configured.
Kerberos is recommended for all configurations, machines and services in a distributed environment except for those that use OAuth (SharePoint 2013 and Azure Active Directory SmartObjects). |
The authentication model implementation is dependent on whether user credentials must be passed from one system to another. When they are passed, the system that is attempting to pass the credentials must be trusted for delegation. For this step to take place successfully, Kerberos delegation must be configured.
The rule of thumb for when Kerberos configuration is required falls to one question: Does a system need to impersonate a user? If the answer to that question is yes, then Kerberos is required. An alternative approach to the need to configure Kerberos would be to assess whether two or more hops between servers are required. In such a case, Kerberos is required. This is commonly known as the “double-hop issue.”
Configuring Kerberos is an advanced task and should only be performed by an appropriately trained professional. The steps and configurations given in this help file are to be used as a guide - your system may require additional configuration due to different hardware and software compatibilities. |
The need for Kerberos configuration may only become evident once the following errors are detected. These errors will appear as soon as one of the servers attempts to pass credentials.
Kerberos is configured as part of the installation, some configuration happens once the components are installed. See the installation documentation for additional information. Neither Microsoft nor K2 developed the Kerberos standard. The MIT standard has been implemented in the platform and K2 relies on the implementation to successfully pass credentials between servers. |
A detailed guide on Security and Kerberos Authentication with K2 Servers can be found on the K2 Underground: (http://k2underground.com/files/folders/technical_product_documents/entry21001.aspx)
Kerberos Protocol Transition and Constrained Delegation:
https://technet.microsoft.com/en-us/library/cc739587(v=ws.10).aspx
Knowledge Base Articles on Kerberos:
http://help.k2.com/en/search.aspx?q=Kerberos&languages=lang_en
Information on the Double-Hop Issue:
http://support.microsoft.com/kb/329986
Windows 2000 Kerberos Authentication:
http://technet.microsoft.com/en-us/library/Bb742431.aspx
While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes. |