This guide describes how to set up automatic Active Directory Single Sign-On.
Created: March 2019
Permalink: https://confluence.wildix.com/x/rABOAg
Step 1. Generate KeyTab file in Active Directory
- Go to Active Directory Users and Computers -> Computers
- Create a new computer account - "some-name" (in Active Directory Users and Computers -> in the domain <Your-domain-name> -> Computers -> create a computer "some-name"). A user named "some-name" should not exist in this domain
To create the KeyTab file and check the SPN (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:
```
ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
setspn -Q HTTP/some-name.example.com
```
where
some-name$@EXAMPLE.COM - the name of the computer in Active Directory (with $);
+rndpass - the password that will be generated for the computer account, where the domain is written in capital letters.
If HTTP/srv-nginx.example.com is bound to several computers or users, Kerberos authentication will not work.
- The keytab appears on the disk - d:\some-name.keytab
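An added example (not part of the Wildix guide): `-crypto ALL` makes ktpass write a key for every encryption type it supports, DES and RC4 included, so it is worth listing what the generated keytab holds before uploading it. The Python sketch below parses the MIT keytab layout (version 0x0502) and flags DES/RC4 entries; `make_entry` and `SAMPLE` are constructed test data with dummy keys, and the weak/strong classification is this example's assumption.

```python
import struct

# Kerberos enctype numbers mapped to (name, weak?); classification is an assumption
ENCTYPES = {1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True),
            17: ("aes128-cts-hmac-sha1-96", False),
            18: ("aes256-cts-hmac-sha1-96", False), 23: ("rc4-hmac", True)}

def parse_keytab(data):
    """Return [(principal, kvno, enctype, weak)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        parts = []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            parts.append(data[p:p + n].decode()); p += n
        p += 8                             # skip name type and timestamp
        kvno = data[p]; p += 1
        etype, keylen = struct.unpack_from(">HH", data, p); p += 4 + keylen
        if end - p >= 4:                   # optional 32-bit kvno wins over 8-bit
            (kvno,) = struct.unpack_from(">I", data, p)
        name, weak = ENCTYPES.get(etype, (f"enctype-{etype}", False))
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, name, weak))
        pos = end
    return entries

def weak_entries(data):                    # entries whose key uses DES or RC4
    return [e for e in parse_keytab(data) if e[3]]

# Constructed sample: all-zero dummy keys, principal from the ktpass example.
def make_entry(realm, comps, kvno, etype, key):
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIB", 3, 0, kvno) + struct.pack(">H", etype) + s(key)
    return struct.pack(">i", len(body)) + body
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"EXAMPLE.COM", [b"HTTP", b"some-name.example.com"], 3, e, bytes(n))
    for e, n in [(1, 8), (3, 8), (23, 16), (17, 16), (18, 32)])

if __name__ == "__main__":
    for principal, kvno, name, weak in parse_keytab(SAMPLE):
        print(principal, f"kvno={kvno}", name, "WEAK" if weak else "ok")
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab`; the keytab holds the account's long-term keys, so treat the file itself as a credential.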
...
Step 2. Upload KeyTab file to PBX
...
- Enter the Kerberos FQDN of the KeyTab. It contains the encoded domain name / IP address of the PBX:
Step 3. Import users from AD
In order to use AD SSO, you need to import users from Active Directory.
Consult Documentation for details.
Step 4.
...
Active Directory SSO
- On a Windows machine connected to AD, log in to the system with a user who was previously imported to PBX
Open the browser and enter the domain name that was configured on the PBX Security page as Kerberos FQDN (this name must resolve to the PBX IP address). For example, glebka-test1.wildix2016.inc
If everything is set up correctly, you are logged in to Collaboration automatically as the user you are logged in as on the Windows computer.
Browser configuration
Mozilla Firefox
To access the Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.
You need to add the FQDN (fully qualified domain name) of the PBX into the list of trusted URIs:
- network.negotiate-auth.trusted-uris - FQDN of the Server.
You can find the right FQDN on the "Login page".
Internet Explorer
The browser must be configured to enable single sign-on (SSO) support. SSO only works on the intranet and with trusted URLs.
- First, open Internet Options from the Tools menu
- Select the Security tab, select the Local intranet and press the Sites button.
- We need to add the FQDN of the PBX to the trusted list.
- Press the Advanced button.
- This opens a dialog where the FQDN of PBX can be added
- You can find the right FQDN on the "Login page". Wildcards are also supported, e.g. *.host_b.com:
- Configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.
- Scroll down to the bottom of the settings and make sure that Logon is set to Automatic only in intranet zone.
- If the browser is Internet Explorer version 6 or later, SPNEGO SSO must be enabled manually.
- Select the Advanced tab, scroll down to the Security section - Enable Integrated Windows Authentication
Chrome
In most cases Chrome will use the IE configuration (see above), but you may test SSO by starting the application with the following parameter:
- auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:
You can find the right FQDN on the "Login page".
Safari
No additional configuration is needed.
Opera
Opera does not currently support Kerberos authentication.