
Info

This Guide describes how to set up automatic Single Sign-On via Active Directory.

WMS Version: 5.0 / 6.0X

Created: March 2019

Updated: January 2023

Permalink: https://wildix.atlassian.net/wiki/x/_QjOAQ


Step 1. Generate KeyTab file in Active Directory

The procedure works the same for Cloud PBX, Hardware and Virtual Machine PBXs. For Cloud PBX, the PBX needs access to AD only for user synchronization.

  1. Choose an arbitrary FQDN for connecting to your PBX. Enter the name in the following format:

     [SERVER].[LOCAL-DOMAIN]

     Example: pbx.mycompany.local


Note

Note: This address must resolve to the PBX IP address.

  2. Go to Active Directory Users and Computers -> Computers and create a new computer account.

Note

Notes:

  • There must not be a user account with the same name as this computer account.
  • It is recommended to avoid upper case letters.


  3. Create a KeyTab file associated with this computer account and bind the SPN (service principal name) to it. Run the following command with Domain Admin privileges:

     ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab

     Reset SOME-NAME$'s password [y/n]? y

     where

     some-name$@EXAMPLE.COM - the computer's name in Active Directory (with the trailing $); the domain (Kerberos realm) is written in capital letters

     +rndpass - a random password is generated for the computer account

  4. You can check that the KeyTab / SPN is correctly associated with the following command:

     setspn -Q HTTP/some-name.example.com

     Correct result: Existing SPN found
     Bad result: No SPN found / More than one SPN found


Note

If HTTP/some-name.example.com is bound to several computers or users, Kerberos authentication will not work.

When the KeyTab is generated, it appears on the disk as d:\some-name.keytab.

Step 2. Upload KeyTab file to PBX

  • Go to WMS Settings -> PBX -> Security
  • Enable Active Directory Single Sign-On via Kerberos (Negotiate)
  • Upload the KeyTab file previously generated in Active Directory

    Note

    Limitation: Only the characters "0-9", "a-z", "A-Z", "_", "-", "@" and "." are allowed in the KeyTab file name.

  • Enter the Kerberos FQDN of the KeyTab. It contains the encoded domain name / IP address of the PBX.


Step 3. Import users from AD

In order to use AD SSO, you need to import users from Active Directory.

Consult the documentation for details.

Step 4. Active Directory SSO

  • On a Windows PC connected to Active Directory, log in to the system with a user who was previously imported to the PBX
  • Reach the PBX via the domain name that was configured as Kerberos FQDN (the name must resolve to the PBX IP address). For example, glebka-test1.wildix2016.inc

    Note

    Note: Configure your browser to authenticate via SSO. Refer to the next chapter, Browser configuration.

  • If everything is set up correctly, you are logged in to Collaboration automatically with the user that you are logged in to on the Windows PC

Browser configuration

Mozilla Firefox

To access Firefox settings, enter about:config into the address bar and press [Enter] to open the list of customizable preferences for the current browser installation.

You need to add the FQDN of your PBX to the list of trusted URIs:

  • network.negotiate-auth.trusted-uris - FQDN of the server.

On the Login page you can find the right FQDN.

Internet Explorer

The browser must be configured to enable single sign-on (SSO) support. SSO only works on the intranet and with trusted URLs.

  • First, open Internet Options from the Tools menu.
  • Select the Security tab, select Local intranet and press the Sites button.
  • Add the FQDN of the PBX to the trusted list.
  • Press the Advanced button.
  • This opens a dialog where the FQDN of the PBX can be added.
  • On the Login page you can find the right FQDN. Wildcards are also supported, e.g. *.host_b.com.
  • Configure automatic authentication handling in the browser. Go back to the Security tab and select Custom Level.
  • Scroll down to the bottom of the settings and make sure that Logon is set to Automatic logon only in Intranet zone.
  • If the browser is Internet Explorer version 6 or later, SPNEGO SSO must be enabled manually.
  • Select the Advanced tab, scroll down to the Security section and enable Integrated Windows Authentication.


Chrome

To access Chrome settings, start Chrome with the following flag:

  • auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP server. Example:

    chrome --auth-server-whitelist="*aai-logon.domain-a.com"

On the Login page you can find the right FQDN.

Safari

...

for FQDN.

Opera

Opera does not currently support Kerberos authentication.


Debugging

See the instructions below in case the following error messages are present in wms.log:

  • "No entry HTTP://XXXX found in key table"

Possible solution: Check steps 1, 2 and 3 of the guide. The issue is a wrong keytab.

  • "Error accepting security context"

Possible solution: Check that you are connecting to the PBX using the correct URL and that the browser is correctly configured.

  • "No user found in LDAP"

Check the connection logs and find out which PrincipalName is used for the connection: USER@DOMAIN or USER? If there are no logs for the user, the issue could be the auth-server-whitelist.


Macrosuite divider macro
dividerTypetext
dividerWidth70
emoji{"id":"smile","name":"Smiling Face with Open Mouth and Smiling Eyes","short_names":["smile"],"colons":":smile:","emoticons":["C:","c:",":D",":-D"],"unified":"1f604","skin":null,"native":"😄"}
textColor#000000
dividerWeight2
labelPositionmiddle
textAlignmentcenter
iconColor#0052CC
fontSizemedium
textNot finding the help you need? Join the Facebook group to ask a question!
emojiEnabledfalse
dividerColor#DFE1E6
dividerIconbootstrap/CloudsFill

Button macro
buttonTextFacebook
isButtonShadowOntrue
emoji{"id":"smile","name":"Smiling Face with Open Mouth and Smiling Eyes","short_names":["smile"],"colons":":smile:","emoticons":["C:","c:",":D",":-D"],"unified":"1f604","skin":null,"native":"😄"}
buttonBorderColor#4267b2ff
buttonColor#4267b2ff
buttonNewTabfalse
buttonFontColor#ffffff
buttonSizemedium
buttonIconColor#ffffff
buttonWidthDetection46
buttonHoverColor#ffffff
buttonIconfont-awesome/FacebookSquare
buttonTypeicon_left
buttonLink{"link":"https://www.facebook.com/groups/wildixtechwizards","source":"direct"}
buttonNewLink
buttonRadius3
buttonShadow0
id228
emojiEnabledfalse
buttonWidth20