Kerberos test with Meridian

This article describes how Accruent Engineering tested Meridian in an environment with Kerberos security configured.

Note:

We do not implement or configure specific Kerberos support in Meridian, because Kerberos is designed to be transparent to applications running under Windows.

Kerberos was configured for Meridian in the following way:

  1. Check which service account is used for the Meridian servers.

  2. In the Domain Controller, open Active Directory Users and Computers.

  3. Click the service account verified in step 1.

    The BCM Service Account Properties dialog opens.

  4. Click the Account tab.

  5. Select the following options:

    • This account supports Kerberos AES 128 bit encryption
    • This account supports Kerberos AES 256 bit encryption

    If there are multiple service accounts, select these options for all of them.

  6. In Meridian Server (EDM Server and Enterprise Server) and Meridian Client (Meridian/PowerWeb IIS applications, Explorer, Publish Nodes) Hosts, open Local Security Policy.

  7. In the left panel, under Security Settings expand Local Policies and open Security Options.

  8. In Policy, open Network security: Configure encryption types allowed for Kerberos.

  9. In the Local Security Setting tab, select all AES encryption types.

  10. To verify that the setting is applied, open a command prompt (CMD) window, run the klist tickets command, and check that the listed service ticket is AES128 encrypted.

  11. Open IIS Manager.

  12. In Application Pools, open BCMeridian.

  13. On the Actions panel on the right, click Advanced Settings.

    The Advanced Settings dialog opens.

  14. Choose one of two options:

    • If you are configuring Kerberos for a domain account, under Process Model, add the service account in Identity.

    • If you are configuring Kerberos for a local account, under Process Model, add LocalSystem in Identity.

  15. Repeat steps 12 to 14 for BCPowerWeb and BCEnterprise.

  16. On each site (BCMeridian, BCPowerWeb, and BCEnterprise), open Authentication.

  17. Set Windows Authentication to Enabled. Right-click Windows Authentication and select Providers.

    The Providers dialog opens.

  18. In Enabled Providers, add Negotiate:Kerberos. If there are any other providers, remove them.

  19. On each site (BCMeridian, BCPowerWeb, and BCEnterprise), open the Configuration Editor. In the Section box, enter system.webServer/security/authentication/windowsAuthentication and press Enter.

  20. Choose one of two options:

    • If you are configuring Kerberos for a domain account:

      1. Set useAppPoolCredentials to True.

      2. Set useKernelMode to False.

    • If you are configuring Kerberos for a local account:

      1. Set useAppPoolCredentials to False.

      2. Set useKernelMode to True.

  21. Open CMD and register the SPN by running setspn -S HTTP/FQDN_OF_IIS_SERVER domain\username.

  22. Log in using Meridian Power, Explorer, or Enterprise Server.
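The following PowerShell script is an added example, not Accruent's code and not part of the article: it carries out the same procedure non-interactively, using Set-ADUser for steps 1 to 5, the registry value behind the Local Security Policy setting for steps 6 to 9, the WebAdministration cmdlets that IIS Configuration Editor generates for steps 11 to 20, and setspn for step 21, with a klist-based check for steps 10 and 22. Everything it names that the article does not is an assumption: the service account CORP\svc-meridian, the applications living under "Default Web Site", and application pools named the same as their applications. It also departs from the article's literal "domain\username" in one place: when the pools run as LocalSystem, the service ticket is decrypted with the computer account's key, so the script puts the SPN on the computer account in that mode.

```powershell
<#
  Added example (not an Accruent or Meridian script). Run in an elevated PowerShell
  on the IIS host; the Domain mode needs the RSAT ActiveDirectory module.
  Assumed, not from the article: the account name, the parent site, and
  app-pool names equal to application names.
#>
param(
    [ValidateSet('Domain', 'Local')] [string] $Mode = 'Domain',
    [string]   $ServiceAccount = 'CORP\svc-meridian',                 # assumed account
    [string]   $IisFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]   $Site    = 'Default Web Site',                          # assumed parent site
    [string[]] $Apps    = @('BCMeridian', 'BCPowerWeb', 'BCEnterprise')
)
$ErrorActionPreference = 'Stop'
$appHost = 'MACHINE/WEBROOT/APPHOST'
Import-Module WebAdministration

# Steps 10 and 22: does the ticket cache hold an AES-encrypted ticket for the given SPN?
# klist prints one "#n>" block per ticket containing "Server: ..." and
# "KerbTicket Encryption Type: ..." lines.
function Test-KerberosTicket {
    param([string] $Spn)
    $blocks = (klist tickets | Out-String) -split '#\d+>'
    foreach ($b in $blocks) {
        if ($b -match "Server:\s+$([regex]::Escape($Spn))\s+@" -and
            $b -match 'KerbTicket Encryption Type:\s+AES-(128|256)-') { return $true }
    }
    return $false
}

# Steps 1-5: the two "supports Kerberos AES ... encryption" checkboxes on the Account tab.
if ($Mode -eq 'Domain') {
    Import-Module ActiveDirectory
    Set-ADUser -Identity ($ServiceAccount.Split('\')[-1]) -KerberosEncryptionType 'AES128,AES256'
}

# Steps 6-9: "Network security: Configure encryption types allowed for Kerberos" is stored
# as this DWORD bitmask. AES128 = 0x8, AES256 = 0x10, so 0x18 selects exactly the AES types.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
Set-ItemProperty -Path $kerbKey -Name SupportedEncryptionTypes -Type DWord -Value 0x18

# Steps 11-15: pool identity (domain account or LocalSystem) for every application pool.
if ($Mode -eq 'Domain') {
    $cred = Get-Credential -UserName $ServiceAccount -Message "Password for $ServiceAccount"
}
foreach ($app in $Apps) {
    $pm = "system.applicationHost/applicationPools/add[@name='$app']/processModel"
    if ($Mode -eq 'Domain') {
        Set-WebConfigurationProperty -pspath $appHost -filter $pm -name identityType -value 'SpecificUser'
        Set-WebConfigurationProperty -pspath $appHost -filter $pm -name userName -value $ServiceAccount
        Set-WebConfigurationProperty -pspath $appHost -filter $pm -name password -value $cred.GetNetworkCredential().Password
    } else {
        Set-WebConfigurationProperty -pspath $appHost -filter $pm -name identityType -value 'LocalSystem'
    }

    # Steps 16-20: Windows Authentication on, Negotiate:Kerberos as the only provider, and the
    # useAppPoolCredentials / useKernelMode pair chosen by account type.
    $loc = "$Site/$app"
    $wa  = 'system.webServer/security/authentication/windowsAuthentication'
    Set-WebConfigurationProperty -pspath $appHost -location $loc -filter $wa -name enabled -value $true
    foreach ($p in @(Get-WebConfiguration -pspath $appHost -location $loc -filter "$wa/providers/add")) {
        # Removing NTLM and plain Negotiate keeps a misconfigured Kerberos setup from silently
        # falling back, so a failure shows up during the step 22 login instead of later.
        Remove-WebConfigurationProperty -pspath $appHost -location $loc -filter "$wa/providers" -name '.' -AtElement @{ value = $p.value }
    }
    Add-WebConfigurationProperty -pspath $appHost -location $loc -filter "$wa/providers" -name '.' -value @{ value = 'Negotiate:Kerberos' }
    # Domain account: the pool identity holds the key, so IIS must decrypt with it, not in kernel mode.
    Set-WebConfigurationProperty -pspath $appHost -location $loc -filter $wa -name useAppPoolCredentials -value ($Mode -eq 'Domain')
    Set-WebConfigurationProperty -pspath $appHost -location $loc -filter $wa -name useKernelMode        -value ($Mode -eq 'Local')
}

# Step 21: HTTP SPN for the IIS host. A LocalSystem pool decrypts tickets with the computer
# account's key, so in Local mode the SPN goes on the computer account (see lead-in).
$spnOwner = if ($Mode -eq 'Domain') { $ServiceAccount } else { "$env:COMPUTERNAME`$" }
& setspn.exe -S "HTTP/$IisFqdn" $spnOwner

# Step 22 check: after a sign-in to Meridian from this session, the cache should contain an
# AES ticket for the SPN just registered.
$spn = "HTTP/$IisFqdn"
if (Test-KerberosTicket -Spn $spn) {
    "AES service ticket for $spn present"
} else {
    "No AES ticket for $spn in this session's cache; log in to Meridian, then run 'klist tickets'"
}
```

Run it as .\Set-MeridianKerberos.ps1 -Mode Domain for a domain service account, or -Mode Local for LocalSystem pools; the Test-KerberosTicket function can also be called on a client after the step 22 login to confirm that the ticket the browser obtained is AES encrypted rather than RC4.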

To learn more, see the following articles: