User Guide
OmniAccess 3500 Nonstop Laptop Guardian Gateway Installation Guide
command, the name must be written entirely in lowercase letters
(guard1.evros.sample-net.com in the example).
o evros.sample-net.com — The full domain name served by the AD instance, also
referred to as the Kerberos realm. In the -princ declaration of the ktpass
command, the name must be written entirely in uppercase letters
(EVROS.SAMPLE-NET.COM in the example).
o EVROS — The NetBIOS name of the domain served by the AD instance (as given
in the EVROS\evauth1 username). Note that the NetBIOS name of the domain
need not have anything in common with the FQDN of the gateway (in the example
they happen to share the “evros” component).
o evros123# — The password for the user evauth1 created in the AD instance.
o c:\evauthkeytab1 — The output filename (the file is copied to the gateway
afterwards). The output file name is arbitrary.
Warning: All parameters in the ktpass command are case sensitive.
To further clarify the use of the ktpass command, the following example shows
how the command can be specified when a second OmniAccess 3500 NLG gateway
(named guard2) is added to the authentication domain:
$ ktpass -princ EVAUTH2/guard2.evros.sample-net.com@EVROS.SAMPLE-NET.COM -mapuser EVROS\evauth2 -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass evros456# -out C:\evauthkeytab2
Please note the following:
o A separate user account must be created on the Active Directory Server for
every OmniAccess 3500 NLG gateway in the domain. In the guard2 example
above, the evauth2 account must already exist on the ADS before the ktpass
command is invoked.
o The user account associated with the gateway does not need to be a domain
administrator account. In general it is preferable to set up a regular user
account, because an administrator account typically requires a more complex
configuration procedure to comply with the security policy of the enterprise.
o Each invocation of the ktpass command changes the credentials of the user
account, so the key stored in any previously generated keytab no longer
matches. It is therefore necessary to upload a new keytab file to the gateway
every time the ktpass command is invoked for that gateway.
o To avoid an accumulation of keytab files on a given gateway for a specific AD
domain, the name of the keytab file should always be the same for that
gateway-domain pair. This way, when an updated version of the keytab file is
generated and uploaded to the gateway, the previous version of the same
keytab file is immediately overwritten.
o The ktpass.exe file is not included by default in Windows Server 2003, but
can be found in the Windows Server 2003 Support Tools package, distributed
with the Windows Server 2003 CD-ROM or available on the web at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
o The DNS name of the gateway must be associated with the IP address of the
LAN (private) interface.
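Because every ktpass run changes the account key and the principal name is case sensitive, it is worth inspecting the generated keytab before uploading it to the gateway. The following checker is an added example, not part of this guide or the product: it parses the v5.02 (MIT-format) keytab that ktpass writes, reports principal, name type, kvno and enctype without exposing key bytes, and compares the principal case-sensitively. The guard2 sample keytab it builds is constructed here with fake key bytes.

```python
import io
import struct

def _counted(buf):
    (n,) = struct.unpack(">H", buf.read(2))   # 16-bit length-prefixed octet string
    return buf.read(n)

def parse_keytab(data):
    """Return the entries of a v5.02 (MIT-format) keytab, the format ktpass writes."""
    buf = io.BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version 5.02 keytab")
    entries = []
    while len(raw := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", raw)
        if size <= 0:                      # zero/negative size marks an empty or deleted slot
            buf.read(-size)
            continue
        entry = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", entry.read(2))
        realm = _counted(entry).decode()
        comps = [_counted(entry).decode() for _ in range(ncomp)]
        name_type, _ts, vno8, enctype = struct.unpack(">IIBH", entry.read(11))
        key_len = len(_counted(entry))     # key bytes are counted, never returned
        tail = entry.read(4)               # optional 32-bit kvno; overrides vno8 when non-zero
        vno = struct.unpack(">I", tail)[0] if len(tail) == 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno or vno8, "enctype": enctype, "key_len": key_len})
    return entries

def check_principal(entries, expected):
    """Case-sensitive match, as Kerberos requires; returns a list of problems."""
    names = [e["principal"] for e in entries]
    if expected in names:
        return []
    near = [n for n in names if n.lower() == expected.lower()]
    return ["case mismatch: " + ", ".join(near)] if near else ["principal absent"]

def build_keytab(principal, realm, kvno, enctype, key):
    """Write a one-entry keytab; used here only to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample resembling the guard2 keytab above (enctype 3 = DES-CBC-MD5); fake key bytes.
SAMPLE = build_keytab("EVAUTH2/guard2.evros.sample-net.com", "EVROS.SAMPLE-NET.COM", 3, 3, b"\x01" * 8)
EXPECTED = "EVAUTH2/guard2.evros.sample-net.com@EVROS.SAMPLE-NET.COM"
```

Run it against the real file with `parse_keytab(open("evauthkeytab2", "rb").read())`; a kvno that did not increase after a fresh ktpass run means the gateway still holds a stale copy.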
30