Info

This guide describes how to set up automatic Single Sign-On via Active Directory.

Created: March 2019

Permalink:   https://confluence.wildix.com/x/rABOAg

Step 1. Generate KeyTab file in Active Directory

  • Go to Active Directory Users and Computers -> Computers
  • Create a new computer account. Note that a user with the same name (e.g. “some-name”) should not exist in this domain
  • To create the KeyTab file and check the SPN (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:

    Code Block
    ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
    Reset SOME-NAME$'s password [y/n]? y
    setspn -Q HTTP/some-name.example.com

    where

    some-name$@EXAMPLE.COM - the name of the computer account in Active Directory (with $), where the domain is written in capital letters

    +rndpass - a random password is generated for the computer account

    If HTTP/some-name.example.com is bound to several computers or users, Kerberos authentication will not work

  • When the KeyTab is generated, it appears on the disk: d:\some-name.keytab

Step 2. Upload KeyTab file to PBX

...

Step 4. Active Directory SSO

  • On a Windows PC connected to Active Directory, log in to the system as a user who was previously imported to the PBX
  • Open the browser and reach the PBX via the domain name that was configured as Kerberos FQDN (the name must resolve to the PBX IP address). For example, glebka-test1.wildix2016.inc

    Note

    Note: Configure your browser to authenticate SSO. Refer to the next chapter Browser configuration.


  • If everything is set up correctly, you are logged in to Collaboration automatically as the user you are logged in as on the Windows PC

Browser configuration

Mozilla Firefox

To access Firefox settings, enter about:config into the address bar and press [Enter] to open the list of customizable preferences for the current browser installation.

You need to add the FQDN of your PBX into the list of trusted URIs:

  • network.negotiate-auth.trusted-uris - FQDN of the Server.

On the "Login Page" you can find the right ...

Internet Explorer

The browser must be configured to enable single sign-on (SSO) support. SSO only works on the intranet and with trusted URLs.

  • First, open Internet Options from the Tools menu.
  • Select the Security tab, select Local intranet and press the Sites button.
  • The FQDN of the PBX needs to be added to the trusted list.
  • Press the Advanced button.
  • This opens a dialog where the FQDN of the PBX can be added.
  • You can find the right FQDN on the "Login page". Wildcards are also supported, e.g. *.host_b.com
  • Configure the automatic authentication handling in the browser. Go back to the Security tab and select Custom Level.
  • Scroll down to the bottom of the settings and make sure that Logon is set to Automatic only in intranet zone.
  • If the browser is Internet Explorer version 6 or later, SPNEGO SSO must be enabled manually.
  • Select the Advanced tab, scroll down to the Security section and enable Integrated Windows Authentication.

Chrome

To access Chrome settings:

  • auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:

    Code Block
    chrome --auth-server-whitelist="*aai-logon.domain-a.com"

...


On the "Login Page" you can find the right ...

Safari

...

for FQDN.

Opera

Opera does not currently support Kerberos authentication.
