Active Directory Single Sign-On

Step 1. Generate KeyTab file in Active Directory

• Go to Active Directory Users and Computers -> Computers
• Create a new computer account. A user named “some-name” should not be in this domain

• To create KeyTab file and check spn (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:

  ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
  setspn -Q HTTP/some-name.example.com

  where

  some-name$@EXAMPLE.COM - the name of the computer in the asset directory (with $)

  + rndpass - the password that is generated for the computer account, where the domain is written in capital letters
  
  If HTTP / srv-nginx.example.com is bound to several computers or users, authentication of Kerberos will not work

• Keytab appears on the disk - d: \ some-name.keytab:

Step 2. Upload KeyTab file to PBX

• Go to WMS Settings -> PBX -> Security
• Check off Active Directory Single SignOn via Kerberos (Negotiate)

• Upload KeyTab file previously generated in Active Directory 

  Limitation: Only "0-9", "a-z", "A-Z", "_," '- ", "@", "." characters are allowed in KeyTab file name.

• Enter Kerberos FQDN of the KeyTab. It contains encoded domain name/ IP address of PBX:

Step 3. Import users from AD

In order to use AD SSO, you need to import users from Active Directory.

Consult Documentation for details.

Step 4. Active Directory SSO

• On Windows machine, connected to AD, log in to the system with a user who was previously imported to  PBX

• Open the browser and enter the domain name that was configured as Kerberos FQDN (this name must be resolved to PBX IP address). For example, glebka-test1.wildix2016.inc 

• If everything is set up correctly, then you log in automatically in Collaboration under the user that you are logged into on Windows computer

Browser configuration

Mozilla Firefox

To access the Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.

You need to add the FQDN (fully qualified domain name) of the PBX into the list of trusted URIs:

• network.negotiate-auth.trusted-uris - FQDN of the Server.

In the "Login page" can you find the right FQDN

Internet Explorer

The browser must be configured to enable single sign-on (SSO) support. SSO only works on intranet and using trusted URL's.

• First, open the Internet Options from the Tools menu
• Select the Security tab, select the Local intranet and press the Sites button.
• We need to add the FQDN of the PBX to the trusted list.
• Press the Advanced button.
• This opens a dialog where the FQDN of PBX can be added
• In the "Login page" can you find the right FQDN. Wildcards are also supported e.g. *.host_b.com:
• Configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.
• Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.
• If the browse is the Internet Explorer version 6 or later we must manually enable the SPNEGO SSO.
• Select the Advanced tab, scroll down to the Security section - Enable Integrated Windows Authentification

Chrome

In most cases Chrome will use IE config (see above), but you may test SSO by starting the application the following parameter:

• auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:

In the "Login page" can you find the right FQDN

Safari

No additional configuration is needed.

Opera

Opera does not currently support Kerberos authentication.