CUWebAuth Administrator's Guide

Registration, srvtabs, and keytabs

Before your web server is allowed to authenticate end users, you must obtain a ServiceID for your server. A unique ServiceID is assigned to each service that is authorized to process Kerberos credentials from end users (to determine their NetID). Associated with each ServiceID is a randomly generated key (password) that is stored in a file called a srvtab file (Kerberos 4) or a keytab file (Kerberos 5). With a srvtab, a server process can authenticate itself to any other kerberized service, and it can also accept authentication credentials submitted by an end user.

In addition to obtaining a ServiceID and a srvtab file, the new service's IP address must be registered before it can use CUWebLogin. Only registered servers can communicate with CUWebLogin.

You can request a ServiceID and srvtab file and take care of initial registration at http://aads.cit.cornell.edu/servicerequest/srvtabrequest/srvtabrequest.php .


Securing your srvtab

The srvtab file contains the service's secret key, so it must be handled the same way you would handle the private key of the server's SSL certificate. Read access to the srvtab must be carefully controlled. In general it should be readable only by the uid under which the process that needs it runs, and by no group or other users. The srvtab file must never be transmitted over the network in the clear (such as through e-mail); if it has to be copied to another host, use an encrypted channel.
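The following shell function is an added example, not part of the original guide or of CUWebAuth itself. It checks that a srvtab (such as the /etc/srvtab configured later on this page) is a regular file owned by the expected uid and that no group or other permission bits are set, which is the condition the paragraph above describes. The function name and the owner argument are assumptions; the owner you pass should be the uid that the web server process actually runs as on your host.

```shell
#!/bin/sh
# check_srvtab_perms PATH EXPECTED_OWNER
# Returns 0 when PATH is a regular file owned by EXPECTED_OWNER with
# no group/other permission bits (e.g. mode 0400 or 0600).
# Prints the reason and returns 1 otherwise.
check_srvtab_perms() {
    path=$1
    owner=$2

    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2
        return 1
    fi

    # Read the octal mode and owner name. GNU stat (Linux) first,
    # BSD/macOS stat as the fallback.
    if mode=$(stat -c '%a' "$path" 2>/dev/null); then
        actual_owner=$(stat -c '%U' "$path")
    else
        mode=$(stat -f '%Lp' "$path")
        actual_owner=$(stat -f '%Su' "$path")
    fi

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $path is owned by $actual_owner, expected $owner" >&2
        return 1
    fi

    # The last two octal digits are the group and other bits;
    # both must be zero so only the owner can read the key.
    case "$mode" in
        *00) ;;
        *)
            echo "FAIL: $path mode $mode grants group/other access" >&2
            return 1
            ;;
    esac

    echo "OK: $path is owned by $owner with mode $mode"
    return 0
}

# Example invocation (path from this guide, owner is an assumption):
# check_srvtab_perms /etc/srvtab www
```

Run it from the account that will operate the web server, or from root with the server's uid as the second argument, after installing the srvtab and again after any copy or restore, since archive tools often reset ownership and mode.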


Relocating your service

Any time the IP address of your service changes, you need to register the new address by sending mail to aadssupport@cornell.edu with your ServiceID and the new IP address (not the DNS name). A single service may have multiple IP addresses registered to use the same ServiceID.

Once you have a srvtab installed on your host, you need to tell CUWebAuth where to find it by adding the following lines to your configuration file:

CUWAkerberosPrincipal    web-agent.@CIT.CORNELL.EDU

CUWAsrvtabPath           /etc/srvtab

Note that the ServiceID is called a "principal" in MIT Kerberos terminology, so the value of CUWAkerberosPrincipal is the ServiceID you were issued, and CUWAsrvtabPath is the location of the srvtab file that holds its key.