Kerberos Windows Installation
Introduction
Installing KRB5 on Windows
Using SecurID for KRB5 Authentication
Setting up KRB5 for CAC Authentication (PKINIT)
Using KRB5 for Authentication (CAC)
Introduction
Two methods of authentication with Kerberos will be discussed in this document: CAC card and SecurID card. CAC cards are supplied by the Government for use by Government, civilian, or contract workers. If you do not have a CAC card AND were authorized to use a SecurID card, please continue with this document. If you do not have a CAC card OR a SecurID card, AND were issued an hToken, please refer to the document entitled ‘Using hTokens to Authenticate.’
Kerberos is an open-source piece of software, developed by MIT. This software is used by the High Performance Computing Modernization Office (HPCMO) and is maintained by the HPCMO.
Conventions
Terminology used by the program will be set aside in notes with explanations.
Items set apart in “double quotes” are meant to be selected by the user or person installing software.
Items set apart in ‘single quotes’ are referrals to other documents or other sections of this document.
Questions
If questions or concerns are encountered during the set-up or usage of the Kerberos KRB5 software, it is in your best interest to contact the CCAC help center at 1-877-222-2039 or via e-mail at help@ccac.hpc.mil. Users should be prepared with error messages, if applicable, and/or screenshots to expedite requests.
Installing KRB5 on Windows
Kerberos software must be installed on the computer that will be used for High Performance Computer (HPC) access. It is not necessary to have administrative or root access to install the Kerberos software from the HPCMO website. This document describes the steps necessary to install and use the Kerberos software.
Step 1: Go to https://www.hpcmo.hpc.mil/security/kerberos/
Step 2: Click on “Software” in the left-hand menu.
Step 3: Choose “Windows” from the main menu that appears.
Step 4: Choose “HPCMP Kerberos for Windows Installer.”
Step 5: Run the program.
Step 6: Ensure that three icons have been added to the desktop: 'krb5,’ ‘putty,’ and ‘Filezilla’ as shown in Figure 1.
Figure 1: Icons for krb5, putty, and FileZilla.
Step 7: Restart the computer to complete installation.
Using SecurID for KRB5 Authentication
SecurID cards are issued only in special circumstances at this time. The majority of new users will receive an hToken, or use their department-issued CAC card. Refer to this section only if you have received a SecurID card. If you have a CAC card, continue to ‘5.0 Setting up KRB5 for CAC Authentication (PKINIT).’
Step 1: Open your KRB5 application using the KRB5 tool on your desktop.
Step 2: Authenticate using the KRB5 application:
Step 2a: Place your user name in the box labeled “Name.”
Step 2b: Enter the default password received in the envelope with the SecurID card.NOTE: The default password will remain the same for the life of the card. It should be changed as soon as possible using 'Change Password' in the KRB5 application, by logging in to an HPC and running the kpasswd command, or at https://ieapp.erdc.hpc.mil/info/changepassword.do.
Step 2c: Enter the Realm in the box labeled “Realm.”
Figure 2: Kerberos Login Screen.
NOTE: The user’s principle is received via email and sent by the HPCMP accounts center (accounts@ccac.hpc.mil). It may also be received with the SecurID card.
The format for the principle is: username@REALM.HPC.MIL. The user name is always before the “@” symbol and always will be used in lowercase letters. The realm is always behind the “@” symbol and will always be used in uppercase letters. All new users will have an HPCMP realm.
Step 2d: Click 'Login'
Step 3: On your SecurID access card, enter your memorized Personal Identification Number (PIN). Press the diamond key (Enter key) to generate a one-time PASSCODE that will appear on the SecurID card screen.
Step 4: Enter the displayed PASSCODE.
Step 5: After using the PASSCODE, protect it from misuse by clearing the PASSCODE from the display window by pressing the P key (Protect/Clear key). The P key may also be used to clear an incorrect PIN and re-enter it.
Setting up KRB5 for CAC Authentication (PKINIT)
CAC Authentication requires a CAC card, a CAC reader, and some type of commercial CAC software. These items are not provided by the HPCMO. If you do not have a CAC reader and/or some type of commercial CAC software, please contact your local PC support team.
Step 1: Open your krb5 application using the KRB5 tool on your desktop.
Step 2: Click on File > Options, as shown in Figure 2.
Figure 3: Location of the Options Menu.
Step 3: Validate that your Options appear as shown in Figure 3.
Step 3a: If they do not, click the “Attempt PKINIT” box.
Step 3b: Click the “OK” button.
Figure 4: Options Menu
Step 4: Attempt login using below instructions.
Using KRB5 for Authentication (CAC)
Step 1: Place the CAC card into the reader.
NOTE: If there is not a CAC reader at the workstation, please contact the local on-site support center. Readers are not provided by the HPCMP. Installation and maintenance of the CAC reader is provided by local support.
Step 2: Click on the krb5 icon to open the application.
Step 3: Place the user name in the box labeled “Name.”
Step 3a: Leave the “Password” box blank.
Step 3b: Enter the Realm in the box labeled “Realm.”
NOTE: The user’s principle is received via email and sent by the HPCMP accounts center (accounts@ccac.hpc.mil). The format for the principle is: username@REALM.HPC.MIL. The user name is always before the “@” symbol and will always be used in lowercase letters. The realm is always behind the “@” symbol and will always be used in uppercase letters. All new users will have an HPCMP realm.
Figure 5: Kerberos Login Application.
Step 3d: Click 'Login'
Step 4: Enter the CAC pin number into the pop-up box, as shown in Figure 5 and click 'OK'
Figure 6: Pin Number Prompt.
At this point, you are authenticated using CAC.
Last Updated: 06.12.09
