Using Kerberos (Windows authentication) with more than one server

Date: 4 October 2013
Product/Release: Visual LANSA - Supported Versions
Abstract: Specific steps must be taken to configure Kerberos on a server which then accesses data/files on another server - also known as multi-hop
Submitted By: LANSA Technical Support

Specific configuration is required when setting up a server to use Kerberos (also known as Windows authentication) that in turn connects to another server for the database or a shared drive (multi-hop). In short, Server B (the server hosting the database/shared drive) must trust Server A (the server where LANSA is installed and the LANSA listener is running), using either of the following trust settings:

  1. Trust whole computer to *any* services
  2. Trust a specific domain user to *any* services – This requires the listener to be set up to run as that specific user (see below).

A basic overview of how to implement these is listed below:

1. Trust whole computer to *any* services

The following screenshot shows how to assign this setting (on Server B):
Screenshot showing the setting to enable trust whole computer to any services

2. Trust a specific domain user to *any* services

The following screenshot shows how to assign this right (on Server B):
Screenshot showing the setting to enable trust specific domain user to any services

To run the LANSA listener as a specific domain user (a non-administrative account), the following setup is required:

  1. The following rights must be granted to the domain user on the computer where the listener is running:
    1. Act as part of the operating system
    2. Create a token object
    3. Impersonate a client after authentication
    4. Log on as a service
    5. Replace a process level token
    Run "Local Security Policy" on the computer where the listener is running to grant these rights.
    Note that these extended privileges apply only to the computer where the listener is running, so the domain user remains unprivileged on other computers.
    Screenshot of the User Rights required

  2. Currently WINDTM must be disabled.
    WINDTM Settings

With these changes, the listener can then be changed to run as the specific domain user in Services Manager.
LConnect Services Log On settings

Once these setup steps have been completed, use the lcoecho utility in the connect folder to confirm the connection:
Command Prompt LCOECHO
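As an added example (not part of the LANSA article or product), the following PowerShell script audits the prerequisites described above from Server A: which account the listener service runs as, whether that computer or domain user account is trusted for delegation in Active Directory (the attribute behind "trust ... to *any* services"), and, for a domain user, whether the five user rights are assigned locally. The service name 'LConnect' is a placeholder for the actual listener service name, and the ActiveDirectory module (RSAT) is assumed to be installed; run it elevated.

```powershell
# Added audit script (not from the LANSA article). Placeholders are marked.
param(
    [string]$ListenerService = 'LConnect',       # placeholder: real listener service name
    [string]$ServerA         = $env:COMPUTERNAME # computer where the LANSA listener runs
)
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# Which account does the listener run as? LocalSystem -> option 1 (trust the whole
# computer); a domain user -> option 2 (trust that user).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ListenerService'"
if (-not $svc) { throw "Service '$ListenerService' not found on $ServerA" }
$runAs = $svc.StartName
Write-Host "Listener '$ListenerService' runs as: $runAs"

if ($runAs -eq 'LocalSystem' -or $runAs -like 'NT AUTHORITY\*') {
    # Option 1: "any services" is the TrustedForDelegation flag on the computer object.
    $acct = Get-ADComputer -Identity $ServerA -Properties TrustedForDelegation
    if (-not $acct.TrustedForDelegation) { $findings.Add("Computer $ServerA is not trusted for delegation") }
} else {
    # Option 2: the same flag on the user object, plus the five local user rights.
    $sam  = ($runAs -split '\\')[-1]
    $acct = Get-ADUser -Identity $sam -Properties TrustedForDelegation
    if (-not $acct.TrustedForDelegation) { $findings.Add("User $runAs is not trusted for delegation") }

    # Export local user-rights assignments; secedit lists principals as *SID entries.
    # Only direct assignment is checked; rights inherited via group membership are not resolved.
    $sid = $acct.SID.Value
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $required = @{   # privilege constant -> name shown in Local Security Policy
        SeTcbPrivilege                = 'Act as part of the operating system'
        SeCreateTokenPrivilege        = 'Create a token object'
        SeImpersonatePrivilege        = 'Impersonate a client after authentication'
        SeServiceLogonRight           = 'Log on as a service'
        SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    }
    $lines = Get-Content $cfg
    foreach ($priv in $required.Keys) {
        $line = $lines | Where-Object { $_ -like "$priv =*" }
        if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) {
            $findings.Add("Missing right '$($required[$priv])' ($priv) for $runAs")
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All multi-hop prerequisites are present; now confirm with lcoecho.' }
```

A finding of "not trusted for delegation" on the computer or user object means the Server B side of the setup shown in the screenshots above has not taken effect yet (or replication has not caught up).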