Info |
---|
This guide describes how to set up automatic Single Sign-On via Active Directory. WMS Version: 5.X0 / 4.0X Created: March 2019 Permalink: https://confluence.wildix.com/x/rABOAg |
Step 1. Generate KeyTab file in Active Directory
Note |
---|
For Cloud PBX, the PBX must access AD for user sync only:
[SERVER].[LOCAL-DOMAIN] Note: This address should resolve to the PBX IP address. |
- Go to Active Directory Users and Computers -> Computers
- Create a new computer account. Note that there should not be a user with the same name as this account
Note |
---|
Note: It is recommended to avoid upper case. |
To create the KeyTab file associated with this computer and check the SPN (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:
```
ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
Reset SOME-NAME$'s password [y/n]? y
setspn -Q HTTP/some-name.example.com
```
where:
`some-name$@EXAMPLE.COM` - the computer's name in Active Directory (with $)
`+rndpass` - the password that is generated for the computer account, where the domain is written in capital letters
You can check that the KeyTab / SPN is correctly associated with the following command:
```
setspn -Q HTTP/some-name.example.com
```
The correct result is: Existing SPN found
Bad result is: No SPN found / More than one SPN found
Note |
---|
If HTTP/some-name.example.com is bound to several computers or users, Kerberos authentication will not work. |
- When the KeyTab is generated, it appears on the disk - d:\some-name.keytab:
...
Debugging
See the instructions below if any of the following error messages are present in wms.log:
- "No entry HTTP://XXXX found in key table"
Possible solution: Check steps 1, 2 and 3 of the guide. The issue is a wrong keytab.
- "Error accepting security context"
Possible solution: You might need to check that you are connecting to the PBX using the correct URL and that the browser is correctly configured.
- "No user found in LDAP"
Check the connection logs to find out which PrincipalName is used for the connection: USER@DOMAIN or USER? If there are no logs for the user, the issue could be the auth-server-whitelist.
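
When wms.log reports "No entry HTTP://XXXX found in key table", listing what the keytab actually contains shows whether the expected principal is in it. The following Python reader for the keytab file format (version 0x0502) is an added example, not part of the Wildix guide or of WMS; it returns the principal, key version and encryption type of each entry and never returns key material. The function names and the sample keytab (dummy all-zero keys for the Step 1 principal) are constructed for illustration.

```python
import io
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY = {1, 3, 23}  # DES and RC4 enctype numbers

def _counted(f):  # uint16 length followed by that many bytes
    (n,) = struct.unpack(">H", f.read(2))
    return f.read(n)

def list_keytab(data):
    """Return [(principal, kvno, etype)] from a version 0x0502 keytab; keys are discarded."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:                    # negative length marks a deleted slot
            continue
        f = io.BytesIO(data[pos - size:pos])
        (ncomp,) = struct.unpack(">H", f.read(2))
        realm = _counted(f).decode()
        name = "/".join(_counted(f).decode() for _ in range(ncomp))
        _ntype, _time, kvno, etype = struct.unpack(">IIBH", f.read(11))
        _counted(f)                      # key bytes: read past, never returned
        tail = f.read(4)                 # optional 32-bit kvno supersedes the 8-bit one
        if len(tail) == 4:
            kvno = struct.unpack(">I", tail)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def check_keytab(data, principal):
    """Enctypes stored for `principal` (empty list: no entry) and whether all are legacy."""
    etypes = [e for name, _, e in list_keytab(data) if name == principal]
    return {"enctypes": [ENCTYPES.get(e, f"etype-{e}") for e in etypes],
            "legacy_only": bool(etypes) and all(e in LEGACY for e in etypes)}

# Constructed sample: dummy all-zero keys for the principal used in Step 1.
def _entry(realm, comps, kvno, etype, key):
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 3, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(
    _entry(b"EXAMPLE.COM", [b"HTTP", b"some-name.example.com"], 3, e, bytes(n))
    for e, n in ((18, 32), (23, 16)))
```

On a real file, pass its bytes (read in binary mode) and the exact principal string to `check_keytab`; an empty `enctypes` list corresponds to the "No entry ... found in key table" case. The keytab holds the account's long-term keys, so handle the file itself as a secret.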