Html |
---|
<div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.11'; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> |
...
Html |
---|
<div class="lang-box-pdf"> <div> <div class="google-lang"> <div id="google_translate_element"> </div> <script type="text/javascript"> function googleTranslateElementInit() { new google.translate.TranslateElement({pageLanguage: 'en', includedLanguages: 'de,es,fr,it,nl', autoDisplay: false}, 'google_translate_element'); } </script> <script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script> </div> <div class="pdf-button"> <a href="https://confluence.wildix.com/spaces/flyingpdf/pdfpageexport.action?pageId=38666412" alt="Convert to .pdf" title="Convert to .pdf"><img src="https://confluence.wildix.com/download/attachments/14549012/pdf-button-download-wildix-documentation.png"></a> </div> </div> </div> |
Info |
---|
This Guide describes describes how to set automatic Active Directory automatic Single Sign-On via Active Directory. Created: March 2019 Permalink: https://confluence.wildix.com/x/rABOAg |
Table of Contents |
---|
Step 1. Generate KeyTab file in Active Directory
- Go to Active Directory Users and Computers -> Computers
- Create a new computer account. A user named “some-name” should not be in this domainNote, that this account should not contain a user with the same name
To create KeyTab file and check spn (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:
Code Block ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab Reset SOME-NAME$'s password [y/n]? y setspn -Q HTTP/some-name.example.com
where
some-name$@EXAMPLE.COM - the computer's name of the computer in the asset directory (with $)
+ rndpass - the password that is generated for the computer account, where the domain is written in capital letters
If HTTP / srvsome-nginxname.example.com is bound to several computers or users, authentication of Kerberos will not work- Keytab When KeyTab is generated, it appears on the disk - d: \ some-name.keytab:
Step 2. Upload KeyTab file to PBX
...
Step 4. Active Directory SSO
- On Windows machinePC, connected to ADActive Directory, log in to the system with a user who was previously imported to to PBX
Open the browser and enter the domain name that was configured as Kerberos FQDN (this Reach PBX via the domain name configured as Kerberos FQDN (the name must be resolved to PBX IP address). For example, glebka-test1.wildix2016.inc inc
Note Note: Configure your browser to authenticate SSO. Refer to the next chapter Browser configuration.
If everything is set up correctly, then you log in automatically in to Collaboration under with the user that you are logged into on in to Windows computerPC
Browser configuration
Mozilla Firefox
To access
...
Firefox settings, enter about:config into the Address bar and press [Enter]
...
to open the list of customizable preferences for the current browser's installation
...
.
You need to add
...
FQDN
...
of your PBX into the list of trusted URIs:
- network.negotiate-auth.trusted-uris - FQDN of the Server.
...
On "Login
...
Page" can you find the right
...
Internet Explorer
The browser must be configured to enable single sign-on (SSO) support. SSO only works on intranet and using trusted URL's.
- First, open the Internet Options from the Tools menu
- Select the Security tab, select the Local intranet and press the Sites button.
- We need to add the FQDN of the PBX to the trusted list.
- Press the Advanced button.
- This opens a dialog where the FQDN of PBX can be added
- In the "Login page" can you find the right FQDN. Wildcards are also supported e.g. *.host_b.com:
- Configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.
- Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.
- If the browse is the Internet Explorer version 6 or later we must manually enable the SPNEGO SSO.
- Select the Advanced tab, scroll down to the Security section - Enable Integrated Windows Authentification
Chrome
...
for FQDN.
Chrome
To access Chrome settings:
auth-server-
whitelist whitelist -Allowed FQDN - Set the FQDN of the IdP Server. Example:
Code Block chrome --auth-server-whitelist="*aai-logon.domain-a.com"
...
On "Login
...
Page" can you find the right
...
Safari
...
for FQDN.
Opera
Opera does not currently support Kerberos authentication.
Html |
---|
<div class="fb-like" data-href="https://confluence.wildix.com/x/rABOAg" data-layout="button_count" data-action="recommend" data-size="large" data-show-faces="true" data-share="true"></div> |
...