Configure the following settings when Authentication Type for LDAP and Global Catalog Connections is Kerberos (Required for Cross-Forest Enrollments).

Principal

The Kerberos principal that the CEG Service will use to authenticate to each Active Directory forest for cross-forest WSTEP enrollment. You must use the same Kerberos principal to generate the keytab file used for Kerberos V5 LDAP referrals.

The value must be a string with the following syntax:

HTTP/<ceg-fqdn>

Where <ceg-fqdn> is the fully qualified domain name (FQDN) of the server hosting Certificate Enrollment Gateway. For example:

HTTP/cegserver1.example.com

Mandatory: Only when cross-forest trust must be supported for WSTEP enrollment with Kerberos authentication.

Keytab File

A keytab file for the domain controller. The keytab file is used to authenticate incoming WSTEP requests.

Mandatory: Only when cross-forest trust must be supported for WSTEP enrollment with Kerberos authentication.
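The Principal and Keytab File settings above must agree: the keytab must contain a key for exactly HTTP/<ceg-fqdn> in the forest realm, or Kerberos authentication of incoming WSTEP requests fails. The following is an added example, not Entrust or CEG code, of an offline check a practitioner can run on a keytab before loading it. It assumes the MIT keytab file format (version 0x0502) that ktpass and ktutil produce; the keytab bytes, the 32-byte key, the realm EXAMPLE.COM and the function names are constructed for illustration.

```python
"""Offline sanity checks for the keytab CEG loads (added example, not Entrust code)."""
import struct

KEYTAB_V2_MAGIC = 0x0502
# Kerberos enctype numbers (RFC 3961/3962/4757); AES types are the ones to expect today.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a counted_octet_string (uint16 length + data) at off; return (data, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(principal: str, realm: str, key: bytes, enctype: int = 18, kvno: int = 3) -> bytes:
    """Build a one-entry MIT-format (0x0502) keytab from constructed values so the
    checks below can run offline. A production keytab comes from ktpass or ktutil."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)             # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 0)             # timestamp (constructed)
    body += struct.pack(">B", kvno & 0xFF)   # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # 32-bit kvno (present when >= 4 bytes remain)
    return struct.pack(">Hi", KEYTAB_V2_MAGIC, len(body)) + body


def parse_keytab(data: bytes) -> list[dict]:
    """Parse every live entry of a 0x0502 keytab into dicts (principal, enctype, kvno)."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KEYTAB_V2_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                         # a negative size marks a deleted slot
            pos += -size
            continue
        e, off = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", e[off:off + 2]); off += 2
        realm, off = _counted(e, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(e, off)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack(">IIB", e[off:off + 9]); off += 9
        enctype, keylen = struct.unpack(">HH", e[off:off + 4]); off += 4 + keylen
        kvno = struct.unpack(">I", e[off:off + 4])[0] if size - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno})
    return entries


def check_keytab_for_ceg(data: bytes, ceg_fqdn: str, realm: str) -> list[str]:
    """Return a list of problems (empty means OK) for the keytab CEG will load: the
    principal must be HTTP/<ceg-fqdn>@REALM and its keys should not be weak enctypes."""
    expected = f"HTTP/{ceg_fqdn}@{realm.upper()}"
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected]
    problems = []
    if not matching:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"no key for {expected}; keytab holds {found or 'no entries'}")
        return problems
    if all(e["enctype"] in WEAK_ENCTYPES for e in matching):
        names = sorted(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matching)
        problems.append(f"{expected} only has weak enctypes {names}; regenerate with AES")
    if len({e["kvno"] for e in matching}) > 1:
        problems.append(f"{expected} has mixed kvno values; a stale key may remain in the file")
    return problems


if __name__ == "__main__":
    # Constructed sample: the principal from the page in a constructed realm.
    sample = build_keytab("HTTP/cegserver1.example.com", "EXAMPLE.COM", bytes(range(32)))
    print(parse_keytab(sample))
    print(check_keytab_for_ceg(sample, "cegserver1.example.com", "EXAMPLE.COM") or "keytab OK")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes with the CEG FQDN and the forest's Kerberos realm; a non-empty result means the Principal setting and the keytab were not generated from the same service principal, or the keytab carries only RC4/DES keys.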

Kerberos Configuration File

A Kerberos configuration file for Kerberos V5 LDAP Referrals.

Mandatory: Only when cross-forest trust must be supported for WSTEP enrollment with Kerberos authentication.

Maximum LDAP Referrals

The maximum number of Kerberos V5 LDAP Referrals to follow. The value must be an integer from 0 to 10.

Mandatory: Yes.