How to configure SSO with AD in a cluster environment.

  • 7021014
  • 23-Jun-2017
  • 16-Sep-2019


Novell Cluster Services
Novell GroupWise 2014 R2


There are really 2 things that you need to worry about when enabling Kerberos in a cluster.
First you need the Kerberos service principal bound to the logical hostname of the service and not the hostname of the cluster node. To achieve this, you cannot use the "net ads keytab add GroupWise" command that is documented in the simple configuration steps. Bellow is a description how you can use to create the service principal names for the logical hostname.
Hard Way (step1) – Create user and SPN from windows:
•Create a new user on the windows domain to represent the GroupWise POA and assign a password.
•Example: poa_prv1
•Use the setspn command line to create SPNS:
•setspn –S  groupwise/ –U poa_prv1
•setspn –S  groupwise/ –U poa_prv1
•setspn –S  groupwise/ –U poa_prv1
•You can verify the SPN’s by looking at the properties of the user on the attribute editor tab.
•You should see a multi-valued property called servicePrincipalName
Hard Way (step2) – Initialize Kerberos ticket cache on Linux:
•Run the following command to login to the windows domain and get a Kerberos ticket (as non-root user)
•kinit poa_prv1
•Load the service principal tickets into the cache by referencing them with the kvno command:
•kvno groupwise/
•kvno groupwise/
•kvno groupwise/
•Verify the tickets are cached by running:
Hard Way (step3) – Write the keystore:
•Run ktutil
•Add the keys into the keytab one at a time:
•add_entry –password –p groupwise/ –k 2 –e arcfour-hmac-md5
•The “2” is replaced with the output of the kvno command in the previous step
•Replace arcfour-hmac-md5 with other encryption algorithms as needed.
•Write the keytab
•write_kt /tmp/keytab
•“quit” ktutil
•Copy the keytab into place
•sudo cp /tmp/keytab /etc/krb5.keytab
•Add original host name entries back to krb5.keytab file:
• net ads keytab add groupwise
•Verify with klist -k
The second issue is getting the keytab file to follow the post office database as it moves from one node to another. To accomplish this we added a new POA startup switch which specifies the location of the keytab file. This is the "--keytab" switch.