Kerberos (Active Directory) Login

Kerberos is the authentication mechanism used by Microsoft Windows. When Dekho’s authentication method is set to Kerberos, the user’s browser automatically authenticates the user with the Kerberos server and sends an authentication token to Dekho.

As a result, the user doesn’t have to enter a username and password. Dekho automatically knows who they are and which roles they have defined in LDAP (Active Directory on a Windows system). Users do not have to be set up in the Administration Client, but their LDAP roles must match roles in the Administration Client.

Step 04> Set Authentication to Kerberos (Active Directory) login

Step 05> Set the Keytab Location to the full path to your keytab file, for instance;


A keytab is a file containing pairs of Kerberos principals and encrypted keys.

The Server Principal is the name of the host machine where the Dekho application is installed.


Step 06> Set the Server Principal to the Dekho server machine's full domain name, for example;

General Kerberos Configuration

To enable Windows Kerberos authentication in Dekho, start by setting up the domain for the Dekho service. A keytab must be created and copied to the Dekho server.

Step 01> Install Windows Support Tools on the domain controller (if they are not already installed). This installs the setspn command, which you may need for debugging. Execute:


Step 02> After running the installer, verify that the PATH environment variable includes this directory:

C:\Program Files\Support Tools

Step 03> Open a new command prompt window and enter setspn.

Step 04> Create a user on the domain (in Microsoft Active Directory).

Step 05> Load ‘Administrative Tools -> Active Directory Users and Computers’ in Control Panel (or the Start menu, depending on your system).

Step 06> For the user login name, use the Dekho server’s name, for example Dekhopc.

Step 07> Make sure you check ‘user cannot change password’ and ‘password never expires’.

Step 08> Create a Service Principal Name (SPN) for the Dekho service, create a keytab for the Dekho user, and make it available to the Dekho server. To do this, run the ktpass command on the domain controller, then copy the resulting keytab file to the Dekho server.

       ktpass -out <keytable filename> -princ HTTP/<Dekho server name>.<full domain name>@<Kerberos realm> -mapUser <domain name>\<Dekho user from step 3> -mapOp set -pass <password for Dekho user> -crypto RC4-HMAC


       ktpass -out c:\Dekhopc.keytab -princ HTTP/ -mapUser esri\Dekhopc -mapOp set -pass mypassword -crypto RC4-HMAC

Step 09> Copy the file Dekhopc.keytab to the Dekho Server. It can be copied to any directory on the Dekho server.




INFORMATION: The Kerberos realm is your full domain name in uppercase.






INFORMATION: There may already be some SPNs related to the Microsoft Windows hosts that have been added to the domain. You can display the existing ones with the setspn -L command, but you still have to add an HTTP SPN for the Dekho Server. For example, setspn -L Dekhopc lists the SPNs.






INFORMATION: Make sure that the same SPN is not mapped to more than one Microsoft user account. If you map the same SPN to more than one user account, the web browser client can send an NTLM token instead of a SPNEGO token to Dekho.




Step 10> Add the Dekho URL to the list of “trusted sites” or "Exceptions" in the browser settings. Otherwise browsers will send an NTLM token instead of a Kerberos token. The example is for Internet Explorer; a similar setting is required for the other supported browsers.

Step 11> In Internet Explorer, you must enable single sign-on by opening Tools -> Internet Options -> Advanced -> Enable Integrated Windows Authentication (requires a restart of Internet Explorer).

Step 12> Browse to the Dekho URL using the host name of the Dekho server, for example;

See here to Troubleshoot Kerberos Configuration for Dekho.
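
To confirm that the keytab copied in Step 09 contains the HTTP principal created in Step 08, and to see which encryption type its key uses, the file can be parsed directly. The following is an added example, not part of the Dekho documentation or product: it reads the standard keytab file format (version 0x0502), the function names are hypothetical, and the host name, realm and all-zero key in the sample are constructed.

```python
import struct
# Kerberos encryption type numbers; 23 is what "-crypto RC4-HMAC" produces.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}  # deprecated: RFC 6649, RFC 8429

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] from keytab file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted entry
            pos += -size
            continue
        rec, off, pos = data[pos:pos + size], 2, pos + size
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        def counted():                      # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode("utf-8")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        off += 8                            # skip name type and timestamp (uint32 each)
        kvno, etype, klen = struct.unpack_from(">BHH", rec, off)
        off += 5 + klen                     # skip the key bytes themselves
        if len(rec) - off >= 4:             # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, ENCTYPES.get(etype, f"etype-{etype}")))
    return entries

def check_keytab(data, expected_principal):
    """Return findings to review before the server is pointed at this keytab."""
    entries = parse_keytab(data)
    findings = [f"{p} kvno {v}: {e} key" for p, v, e in entries if e in WEAK]
    if expected_principal not in {p for p, _, _ in entries}:
        findings.append(f"missing principal {expected_principal}")
    return findings

# Constructed sample (made-up host, all-zero key) shaped like one ktpass-written entry.
_body = (b"\x00\x02" b"\x00\x0b" b"EXAMPLE.COM" b"\x00\x04" b"HTTP" b"\x00\x13"
         b"dekhopc.example.com" + bytes(8) + b"\x03\x00\x17\x00\x10" + bytes(16)
         + b"\x00\x00\x00\x03")
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

On a real file, pass the bytes read from the path configured as the Keytab Location and the principal given to ktpass with -princ; an empty list means the expected principal is present and no deprecated key type was found.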

LDAP Login