ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software




Avocent, the Avocent logo, The Power of Being There and DSView are registered trademarks of Avocent Corporation or its affiliates in the U.S. and other countries. All other marks are the property of their respective owners. 2009 Avocent Corporation.

Configuring DSView 3 Management Software to Enable Single Sign-On with SPNEGO and Kerberos

To register a DSView 3 server in the DNS:

1. Make sure you have the DSView 3 software installed.
2. Log on to your DNS server as an administrator.
3. Open the DNS management console (Start-Programs-Administrative Tools-DNS).
4. Select a Forward Lookup zone where the DSView 3 server will be registered.
   NOTE: It is recommended this be the same zone where the Active Directory domain controller computer is registered.
5. Right-click the Forward Lookup zone and select New Host...
6. Enter the DSView 3 server name and its IP address.
   NOTE: Make a note of the fully qualified domain name (FQDN). It becomes the host part of the service principal name (SPN) in the following procedures, so the browser must reach the server under exactly this name.

Figure 1: New Host Screen

To configure an Active Directory (AD) server to add an SPN user:

NOTE: To add an SPN user you must have administrator rights on the Active Directory server, and the ktpass command must be available.

1. Log on to the AD server as an administrator and run the Active Directory Users and Computers snap-in.
2. Select the login domain.
3. Select the Users folder, right-click and select New - User. Enter the name of the DSView 3 server in the First Name, User Logon Name and User Logon Name (pre-Windows 2000) fields.

Figure 2: New Object - User Screen

4. Click Next and enter a password that will be used in step 5 for the ktpass command. Check the box next to Password never expires and click Next to complete the wizard.
   NOTE: Any authenticated domain user can request a service ticket for this SPN, and that ticket is encrypted with a key derived from this account's password, so a weak password can be recovered offline from a captured ticket. Use a long random password for this account; it is never typed by a person after the keytab has been created.

Figure 3: New Object - User Password Screen

5. Open a command console window and execute the following command to create the keytab file that stores the SPN credentials:

ktpass -princ HTTP/<dns_name>@<DOMAIN> -pass <user_password> -mapuser <user_name> -out <keytab_file_name> -ptype KRB5_NT_PRINCIPAL

Where:
<dns_name> is the FQDN you received when you registered the DSView 3 server in the DNS, in lowercase letters.
<DOMAIN> is the login domain used when you configured the Active Directory server, written as the Kerberos realm in uppercase letters.
<user_password> is the password entered in step 4.
<user_name> is the user created in step 3.
<keytab_file_name> is the full path and name of the keytab file to store the SPN credentials.

Example:
ktpass -princ HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM -pass password123 -mapuser sun-ipv6-vista -out c:\myfile.keytab -ptype KRB5_NT_PRINCIPAL

NOTE: ktpass writes the service key into the keytab and also sets the servicePrincipalName and the user logon name of the mapped account to the SPN. If you do not pass a -crypto option, ktpass picks a default key type (DES or RC4, depending on the Windows version). On Windows Server 2008 and later you can add -crypto AES256-SHA1 so that the keytab holds an AES key; the Kerberos configuration file created later must then list the matching aes256-cts-hmac-sha1-96 type. The keytab file is the service's long-term key: anyone who can read it can decrypt user tickets for the DSView 3 server, so restrict its permissions and transfer it over a protected channel.

NOTE: The keytab file must be copied to the <%DSView install directory%/bin> directory on the computer running DSView 3 software and renamed kerberos.keytab.

To configure the DSView 3 server:

NOTE: The Active Directory server must be configured before the DSView 3 server.

1. Copy the keytab file obtained when you configured the Active Directory server to the <%DSView install directory%/bin> directory.
2. Rename it kerberos.keytab.
3. Enable Single Sign-On support by navigating to the following DSView 3 software page: System-DSView Server-DSView name-Properties-DSView Client Sessions, then select Enable Integrated Windows Authentication.

Figure 4: DSView 3 Server Client Properties Page

NOTE: Each DSView 3 server has only one kerberos.keytab, because only one service principal is associated with each DSView 3 server. In a hub-spoke configuration, repeat all of the steps (DNS record, AD user, ktpass, keytab copy) for each server, using that server's own FQDN and its own AD account.

To configure a client browser in Internet Explorer:

NOTE: These steps apply to Internet Explorer 6 and 7.

1. In Internet Explorer, go to Tools-Internet Options. In the Advanced tab, under Security, select Enable Integrated Windows Authentication.

Figure 5: Internet Options Screen

2. Go to Security-Local intranet-Custom Level. Under the User Authentication-Logon heading, make sure the radio button next to Automatic logon only in Intranet zone is selected. Click OK.

Figure 6: Security Settings Screen

3. Click Sites for the Local intranet zone.
4. Click Advanced and add the DSView 3 server name to the list of Web sites, using the following format:
https://<dsview_computer_name>
5. Click OK.

Figure 7: Local Intranet Screen

NOTE: Use a computer name without periods. Internet Explorer places a host name that contains periods in the Internet zone unless that exact name is listed in the Local intranet sites, and it only attempts Integrated Windows Authentication in a zone where automatic logon is enabled. A URL using the FQDN therefore does not use SSO unless the FQDN itself has been added to the list.

6. Go to the Connections tab and click LAN Settings. If a proxy is configured, select the Bypass proxy server for local addresses option.
7. Restart the browser.

To configure a client browser in Firefox:

NOTE: These steps apply to Firefox 2 and 3.

1. Type about:config in the URL field. A list of key-value pairs appears.
2. Type network.negotiate in the Filter field.
3. Add the DSView 3 server URL (for example https://sun-ipv6-vista.testlab.avocent.com) to the network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris keys.
   NOTE: trusted-uris is the setting that allows Firefox to send a Negotiate (SPNEGO) token to the server and is all that single sign-on needs. delegation-uris additionally makes Firefox forward the user's Kerberos credentials to the listed servers so they can act on the user's behalf; leave the DSView 3 server out of delegation-uris unless that delegation is actually required.
4. Close the page.

Figure 8: about:config Screen

Kerberos tools

Kerbtray.exe

This application comes with the Microsoft Windows 2000 or Windows Server 2003 Resource Kit Tools. Go to www.microsoft.com/downloads to download it. Kerbtray lets a user list and flush the Kerberos tickets held by the Windows OS, which is the quickest way to see whether the browser's computer ever obtained a service ticket for the DSView 3 SPN.

To use kerbtray.exe:

1. Download the Windows Resource Kit Tools from the Microsoft Web site and install the resource kit.
2. Go to C:\Program Files\Windows Resource Kits\Tools and execute kerbtray.exe. This loads the monitor as an icon in the Windows taskbar notification area.
3. Double-click the Kerbtray icon in the Windows taskbar notification area to list the tickets. Select a ticket to see its principal name, times, flags and encryption type.

Figure 9: Kerberos Tickets Screen

4. Right-click the Kerbtray icon in the Windows taskbar notification area and select Purge Tickets to purge the tickets from the computer. Purging forces the next request to go back to the KDC, which is what you want after changing the SPN or the keytab.
   NOTE: After purging, close and re-open the Kerbtray window to see the change.

kinit

This application comes with the Java distribution bundled with the DSView 3 software and allows you to retrieve tickets from the KDC and store them in a cache file. You can use kinit to test that the Service Principal Name exists in the KDC and that the keytab file is usable.

Krb5 configuration file

The kinit application requires a Kerberos configuration file. The configuration file stores information about the realm and the KDC server.

To create a Krb5 configuration file:

1. On the computer where the kinit utility will be executed, go to the following directory:
   For Windows: C:\Windows
   For Unix: /etc/krb5
   For Linux: /etc
2. Create a new file with the following name, depending on the operating system:
   For Windows: krb5.ini
   For Unix/Linux: krb5.conf
3. Open the file you created and copy the following template into it:

[libdefaults]
default_realm = <SERVICE_PRINCIPAL_REALM>
forwardable = true
udp_preference_limit = 1
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

[realms]
<SERVICE_PRINCIPAL_REALM> = {
  kdc = <kdc_ip_address>
}

Where:
<SERVICE_PRINCIPAL_REALM> is the login DOMAIN used when you configured the Active Directory server. It must be in uppercase letters.
<kdc_ip_address> is the KDC IP address. In most cases, this address is the same as the Active Directory server IP address. For IPv6, use the server DNS name instead.

NOTE: The enctype lists must include the key type that ktpass wrote into the keytab, otherwise the keytab test below fails even though the SPN is correct. The DES types (des-cbc-md5, des-cbc-crc) are disabled by default on Windows 7 and Windows Server 2008 R2 and later and in Java 7 and later (allow_weak_crypto = false), and rc4-hmac is deprecated. On current systems create the keytab with an AES key and list aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 here instead of the DES types.

4. Save the file.

To validate the SPN with kinit:

Once the DSView 3 server has the krb5.ini file configured, you can test the validity of the SPN.

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command:
kinit <service_principal_name>
Where:
<service_principal_name> is the full SPN, HTTP/<FQDN>@<REALM>.

Example:
kinit HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM

4. kinit requests a password. Type the password you created when you configured the Active Directory server and press Enter. If the SPN and configuration are correct, kinit shows the message:
New ticket is stored in cache file

This test authenticates with the account password rather than the keytab, so it proves that the SPN exists in the KDC and that the realm and KDC settings are right, independently of the keytab file.

To validate the keytab file with kinit:

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command:
kinit -k -t <keytab_file_name> <service_principal_name>
Where:
<keytab_file_name> is the path and name of the keytab file (quote it if the path contains spaces).
<service_principal_name> is the full SPN, HTTP/<FQDN>@<REALM>.

Example:
kinit -k -t "C:\Program Files\Avocent DSView 3\bin\kerberos.keytab" HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM

If the SPN and configuration are correct, kinit shows the message:
New ticket is stored in cache file

klist

This application also comes with the Java distribution and lists Kerberos tickets from the command line.

To execute the klist command:

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command to show the Kerberos tickets in the default credential cache, that is, the tickets obtained with the kinit tests above:
klist
   Add -e to show the encryption type of each ticket, which tells you which enctype the KDC actually used.
4. Type the following command to list the principals and key version numbers stored in the keytab:
klist -k -t "<keytab_file_name>"

NOTE: The Java klist reads the file cache written by the Java kinit, not the tickets Windows holds for the logged-in user. Use Kerbtray for those, or on Windows 7 and Windows Server 2008 R2 and later the built-in klist.exe, whose syntax is klist tickets and klist tgt.
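The keytab written by ktpass in step 5 of the Active Directory procedure is a binary file, and the kinit keytab test above only reports success or failure. The following Python script is added to this bulletin as an illustration; it is not part of the DSView 3 software or of the Microsoft tools. It parses the MIT keytab layout that ktpass produces, lists each entry's principal, key version number and encryption type, and reports the conditions that make the keytab test (and the server-side ticket decryption) fail: a principal that differs from the expected SPN, including by case only; a DES or RC4 key, which current KDCs and Java runtimes reject by default; a name type other than KRB5_NT_PRINCIPAL; or a realm that is not uppercase. The sample keytab it builds in memory is constructed for the example with dummy key bytes; the function names are the author's own. Against a real file, call check_keytab(open(path, "rb").read(), "HTTP/<FQDN>@<REALM>").

```python
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1  # the -ptype value passed to ktpass above
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}  # DES and RC4: off by default on current Windows and Java

@dataclass
class KeytabEntry:
    principal: str  # "HTTP/host.example.com@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

def build_keytab(entries):
    """Serialise entries in the version-2 (0x0502) keytab layout that ktpass
    writes. Used here only to construct sample input for the parser."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # signed entry length prefix
    return bytes(out)

def _counted_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Walk the keytab entry by entry; a negative length marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted_string(data, pos)
            comps.append(c)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:  # optional 32-bit kvno wins over the 8-bit one if non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries

def check_keytab(data, expected_spn):
    """Problems that make 'kinit -k -t' or the server-side ticket decryption
    fail. An empty list means the keytab looks usable for expected_spn."""
    entries, issues = parse_keytab(data), []
    if not any(e.principal == expected_spn for e in entries):
        near = [e.principal for e in entries if e.principal.lower() == expected_spn.lower()]
        if near:
            issues.append(f"no exact entry for {expected_spn}; keytab has {near[0]} "
                          "(principal names are case sensitive)")
        else:
            issues.append(f"no entry for {expected_spn}")
    for e in entries:
        ename = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if e.enctype in WEAK_ENCTYPES:
            issues.append(f"{e.principal} kvno {e.kvno}: weak enctype {ename}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            issues.append(f"{e.principal}: name type {e.name_type} is not KRB5_NT_PRINCIPAL")
        realm = e.principal.rsplit("@", 1)[1]
        if realm != realm.upper():
            issues.append(f"{e.principal}: realm is not upper case")
    return issues

# Constructed sample: the bulletin's SPN with an RC4 key and an AES-256 key.
# The key bytes are dummies, not real key material.
SAMPLE_SPN = "HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_SPN, KRB5_NT_PRINCIPAL, 1230768000, 3, 23, bytes(range(16))),
    KeytabEntry(SAMPLE_SPN, KRB5_NT_PRINCIPAL, 1230768000, 3, 18, bytes(range(32))),
])
SAMPLE_PROBLEMS = check_keytab(SAMPLE_KEYTAB, SAMPLE_SPN)  # flags the RC4 entry only
```

The two-entry sample shows the usual migration state: ktpass re-run with -crypto AES256-SHA1 adds an AES key, but an older RC4 entry left in the same file still lets a client that negotiates RC4 use the weaker key. The key version number is also worth reading here, because after any password change on the account the KDC issues tickets under a new kvno and an old keytab decrypts nothing.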

Appendix A: Troubleshooting

Fix for Windows Server 2003

In Windows Server 2003 you need Service Pack 2 or later. The ktpass command does not work correctly in earlier versions. See http://support.microsoft.com/kb/919557 for more information.

Fix for Windows Server 2008

You need the hot fix 227849 from the Microsoft Web site because of existing problems searching the SPN in Active Directory. See http://support.microsoft.com/kb/951191 for more information.

Kinit returns error message: Client not found in Kerberos database (6)

The kinit tests authenticate as the SPN itself, so error (6) means the Service Principal Name is not found in the Kerberos database. To fix the issue, check the following:

Check that the SPN you created matches the SPN in the kinit command. Note that the SPN is case sensitive on the Java side. It is recommended that the HTTP service class is written in uppercase, the computer DNS name in lowercase and the KDC realm in uppercase.

Make sure that the user account you created is mapped to the SPN. Once you run the ktpass command, the account's user logon name is changed from the computer name to the SPN. You can check this in the Account tab of the user's properties in Active Directory Users and Computers, or by listing the SPNs registered on the account with:
setspn -L <user_name>

Check that no other account in the Kerberos database has the same SPN. Active Directory matches SPNs case-insensitively, so http/... on one account and HTTP/... on another collide, and the KDC cannot tell which account's key to use for the service ticket. You can check this by running the following command:
ldifde -f <output_txt_file> -l serviceprincipalname -r "(serviceprincipalname=http/*)" -p subtree
Where:
<output_txt_file> is the file name where the ldifde command stores the result.
Check the output file for duplicate SPNs. On Windows Server 2008 you can instead run the setspn command:
setspn -X
This command only returns duplicate SPNs. If duplicate SPNs are found, delete the user account with the duplicate SPNs in Active Directory and create a new user account, or remove the stray SPN from the other account with setspn -D HTTP/<FQDN> <other_account>.

Kinit returns error message: Pre-authentication information was invalid (24)

If kinit returns error (24), the key in the keytab file does not match the account's current key in Active Directory. Make sure the password you entered for the user created in Active Directory is the same as the password passed to the ktpass command. The key version number (kvno) stored in the keytab must also match the account's current kvno, which changes every time the account password is set or ktpass is re-run. After any password change, generate a new keytab and copy it to the DSView 3 server.

Kerbtray doesn't show any ticket for my SPN in the client

If SSO fails, check whether Kerbtray on the computer running your browser lists any ticket with your Service Principal Name. If there is no ticket, the browser never obtained a Kerberos ticket for the DSView 3 server, so the problem is on the client side or in name resolution:

Check that the DNS name matches the DSView 3 server name.
Check that the client is getting the correct DSView 3 server name from the DNS by using the nslookup command:
nslookup <DSView_server_FQDN>
Make sure that there is no entry for the DSView 3 server in the C:\Windows\System32\drivers\etc\hosts file. A hosts entry overrides DNS and prevents the client from resolving the DSView 3 server name the way the SPN was registered.
Make sure that the client and the Active Directory server have the same computer time. Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted skew (five minutes by default). You can configure the computers to synchronize their time with an external time server. See http://support.microsoft.com/kb/816042 for more information.

The client computer got the ticket but SSO fails

If the client has a Kerberos ticket for the SPN but accessing DSView 3 software with SSO still fails, the ticket could not be validated on the server side:

Make sure that the kerberos.keytab file on the computer running DSView 3 software is correct. If you change the SPN or the account password, you must create a new keytab file and transfer the new file to the computer running DSView 3 software.
Make sure that the client, the DSView 3 server and the Active Directory server have the same computer time. You can configure the computers to synchronize their time with an external time server. See http://support.microsoft.com/kb/816042 for more information.
Check that the client is getting the correct DSView 3 server name from the DNS by using the nslookup command:
nslookup <DSView_server_FQDN>
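The ldifde output used in the duplicate-SPN check above is plain LDIF, which is easy to scan automatically. The following Python script is added here as an illustration and is not part of DSView 3 or of the Microsoft tools. It parses LDIF the way ldifde writes it, including folded continuation lines and base64 ("::") values, reports SPNs held by more than one account using the case-insensitive comparison that Active Directory applies to servicePrincipalName, and flags SPNs that depart from the case convention recommended in the troubleshooting section. The records in SAMPLE_LDIF are constructed for the example; the account and host names are invented, and the function names are the author's own. Against a real export, call find_duplicate_spns(open(path, encoding="utf-16").read()) or whatever encoding your ldifde run produced.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape ldifde -l serviceprincipalname produces.
# The third record carries a folded line and a base64 value to exercise the parser.
SAMPLE_LDIF = """\
dn: CN=sun-ipv6-vista,CN=Users,DC=testlab,DC=avocent,DC=com
changetype: add
servicePrincipalName: HTTP/sun-ipv6-vista.testlab.avocent.com

dn: CN=old-dsview,CN=Users,DC=testlab,DC=avocent,DC=com
changetype: add
servicePrincipalName: http/SUN-IPV6-VISTA.testlab.avocent.com
servicePrincipalName: HTTP/old-dsview.testlab.avoc
 ent.com

dn: CN=WEBSRV01,CN=Computers,DC=testlab,DC=avocent,DC=com
changetype: add
servicePrincipalName:: SFRUUC93ZWJzcnYwMS50ZXN0bGFiLmF2b2NlbnQuY29t
servicePrincipalName: HTTP/websrv01
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of (dn, {attribute_lower: [values]}) records."""
    records, dn, attrs = [], None, defaultdict(list)
    for line in unfold(text) + [""]:
        if not line.strip():                 # a blank line ends the record
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return records

def find_duplicate_spns(text):
    """Map each SPN (lower-cased, since AD compares them case-insensitively)
    to the (dn, spn as written) pairs that hold it; keep only SPNs with more
    than one holder."""
    holders = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            holders[spn.lower()].append((dn, spn))
    return {spn: owners for spn, owners in holders.items() if len(owners) > 1}

def spn_form_issues(spn):
    """Deviations from the recommended form: service class upper-case, host
    lower-case. The name in a ticket must match the keytab entry exactly."""
    service, sep, host = spn.partition("/")
    if not sep:
        return ["missing '/' between service class and host"]
    issues = []
    if service != service.upper():
        issues.append("service class should be upper case")
    if host != host.lower():
        issues.append("host should be lower case")
    return issues

if __name__ == "__main__":
    for spn, owners in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate SPN {spn}:")
        for dn, as_written in owners:
            print(f"    {as_written}  on {dn}  {spn_form_issues(as_written)}")
```

In the sample the stale account old-dsview still carries http/SUN-IPV6-VISTA.testlab.avocent.com, which differs from the live SPN only in case and is enough to break Kerberos for the DSView 3 server; this is the situation that setspn -X reports and that a visual scan of the ldifde file easily misses.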

For Technical Support: www.avocent.com/support