In Mac OS X Server v10.4, the Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) server can use Kerberos to authenticate users. Kerberos authentication is the only way to have the Mac OS X VPN Server authenticate users against a third-party directory. This article will cover the steps you need to take to enable Kerberos authentication for the VPN server when it is used with a third-party directory.
Currently Mac OS X is the only operating system that has a VPN client that supports Kerberos authentication. There is a known limitation that the edu.mit.kerberos file that defines the realms for the Kerberos utility in Mac OS X can contain only one realm when utilizing Kerberos authentication for VPN access. Having only one defined realm is not an issue for most system administrators, because there is typically only one Kerberos realm defined for each top-level domain and its users. This realm must be a Kerberos version 5 realm. This limitation will be addressed in a future update or release.
This topic addresses how to integrate the Mac OS X VPN server into a third-party directory for authentication and does not cover the details of Kerberos. For instructions on using Directory Access to integrate a Mac OS X Server into a third-party directory, see Chapter 7, “Managing Directory Access” in Mac OS X Server Open Directory Administration. Contact the vendor responsible for the operating system for more information about the availability of Kerberized VPN clients. For more information about Kerberos, see the MIT Kerberos website.
Installing the Kerberos Keytab
The VPN server built into Mac OS X Server v10.4 needs a Kerberos version 5 keytab for the realm it will serve. The keytab must contain the principal vpn/exampleserver.exampledomain.com@EXAMPLEREALM.COM, where exampleserver.exampledomain.com is the fully qualified domain name of the server. For example, vpn/vpnserver.apple.com@APPLE.COM is a valid keytab request. If the server provides additional Kerberized services, those principals must be in the same keytab.
1. The Kerberos keytab is located at /etc/krb5.keytab. If that file does not exist, move the keytab you receive into /etc, name it krb5.keytab, and go to step 3. If the /etc/krb5.keytab file already exists, run the commands in step 2.
2. In the Terminal application, run the command sudo ktutil to open the keytab utility. You will see ktutil: as a prompt; all of the following commands are run at the ktutil prompt, not the Terminal prompt. Each line is a separate command.

    read_kt /etc/krb5.keytab
    read_kt /your/new/keytab/file.keytab
    write_kt /etc/krb5.keytab
    quit
3. Make sure the owner of the file is root and the file permissions are set so that only the file's owner, root, can read and write the file. The permissions for group and other must not allow any access to the keytab file.
4. In Terminal, run the command sudo klist -k /etc/krb5.keytab and make sure all of the principals you expect in the keytab are present.
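As an added check for steps 3 and 4 (this script is not part of the Apple article), the following POSIX shell script verifies that the keytab is root-owned with mode 0600 and that the vpn/ service principal is present in the klist -k listing, using an exact match on the principal field rather than a substring search. It assumes the MIT-style klist -k output format; the sample listing and the host name vpnserver.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: verify the merged keytab before starting the VPN server.
# Assumes the MIT-style "klist -k" listing (KVNO column, then principal) and that the script is
# run with sudo so klist can read /etc/krb5.keytab.

# Return 0 when the file's mode is exactly -rw------- and its owner is the given numeric uid
# (default 0 = root, as the article requires). "ls -ln" prints a numeric uid on any platform;
# a trailing "@" or "+" on the mode (extended attributes / ACLs on Mac OS X) is ignored.
keytab_perms_ok() {
  keytab="$1"; want_uid="${2:-0}"
  [ -f "$keytab" ] || return 1
  set -- $(ls -ln "$keytab")
  mode="${1%[@+]}"; uid="$3"
  [ "$mode" = "-rw-------" ] && [ "$uid" = "$want_uid" ]
}

# Return 0 when the exact principal appears in a "klist -k" listing read from stdin.
# Compares the whole principal field, so vpn/a.example.com@EXAMPLE.COM does not
# match vpn/a.example.com.old@EXAMPLE.COM the way a plain grep would.
listing_has_principal() {
  awk -v spn="$1" '$2 == spn { found = 1 } END { exit !found }'
}

# Run both checks against a live keytab. Succeeds only if the keytab is locked down and
# holds the service principal that the serveradmin command will later be given.
check_vpn_keytab() {
  keytab="$1"; spn="$2"
  if ! keytab_perms_ok "$keytab" 0; then
    echo "FAIL: $keytab must be owned by root with mode 0600" >&2; return 1
  fi
  if ! klist -k "$keytab" | listing_has_principal "$spn"; then
    echo "FAIL: $spn is not in $keytab; re-check the ktutil merge" >&2; return 1
  fi
  echo "OK: $keytab is root-only and contains $spn"
}

# Constructed sample in the format klist -k prints; the host name is a placeholder.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 vpn/vpnserver.example.com@EXAMPLE.COM
   3 host/vpnserver.example.com@EXAMPLE.COM'

# Usage: sudo sh check_vpn_keytab.sh /etc/krb5.keytab vpn/vpnserver.example.com@EXAMPLE.COM
if [ $# -eq 2 ]; then
  check_vpn_keytab "$1" "$2"
fi
```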
Configuring the VPN Server
Before turning on the VPN server in the Server Admin application, you must run the following commands to Kerberize the VPN server:
1. In Terminal, run the following command as a single line:

    sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/exampleserver.exampledomain.com@EXAMPLEREALM.COM"

    This command sets the service principal name for the VPN server to match the principal in the keytab you just installed.
2. The next step is to change the configuration of the VPN server so it does not use access control lists, which rely on globally unique identifiers (GUIDs) that are not present in the third-party directory. To do this, open the file /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist in an application that can edit property lists. The Property List Editor application is the recommended application to use. If you do not have this application, install the Developer Tools package that accompanies Mac OS X v10.4; you will find Property List Editor at /Developer/Applications/Utilities. This file contains configuration information for both L2TP and PPTP; you only need to edit the information for the L2TP protocol. Find the key named AuthenticatorACLPlugins and rename it to _AuthenticatorACLPlugins. Save the file.
3. Start the VPN server in the Server Admin application. Now that the VPN server is set up for Kerberos authentication, clients with the correct Kerberos configuration file and set up to use Kerberos authentication can utilize the VPN service.
You have now installed a Kerberos keytab, configured the VPN server not to look for GUIDs, and set the realm for which the VPN server will use Kerberos to authenticate users. For more information about the VPN server built into Mac OS X Server v10.4, see Mac OS X Server Network Services Administration.
© 2007 Apple Inc. All Rights Reserved. (Last updated: 2007-05-23)