This Guide describes how to set automatic Active Directory Single Sign-On.
Created: March 2019
Permalink: https://confluence.wildix.com/x/rABOAg
Step 1. Generate KeyTab file in Active Directory
- Go to Active Directory Users and Computers -> Computers
- Create a new computer account. A user named “some-name” should not be in this domain
To create KeyTab file and check spn (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:
ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab setspn -Q HTTP/some-name.example.com
where
some-name$@EXAMPLE.COM - the name of the computer in the asset directory (with $)
+ rndpass - the password that is generated for the computer account, where the domain is written in capital letters
If HTTP / srv-nginx.example.com is bound to several computers or users, authentication of Kerberos will not work- Keytab appears on the disk - d: \ some-name.keytab:
Step 2. Upload KeyTab file to PBX
- Go to WMS Settings -> PBX -> Security
- Check off Active Directory Single SignOn via Kerberos (Negotiate)
Upload KeyTab file previously generated in Active Directory
Limitation: Only "0-9", "a-z", "A-Z", "_," '- ", "@", "." characters are allowed in KeyTab file name.
- Enter Kerberos FQDN of the KeyTab. It contains encoded domain name/ IP address of PBX:
Step 3. Import users from AD
In order to use AD SSO, you need to import users from Active Directory.
Consult Documentation for details.
Step 4. Active Directory SSO
- On Windows machine, connected to AD, log in to the system with a user who was previously imported to PBX
Open the browser and enter the domain name that was configured as Kerberos FQDN (this name must be resolved to PBX IP address). For example, glebka-test1.wildix2016.inc
If everything is set up correctly, then you log in automatically in Collaboration under the user that you are logged into on Windows computer
Browser configuration
Mozilla Firefox
To access the Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.
You need to add the FQDN (fully qualified domain name) of the PBX into the list of trusted URIs:
- network.negotiate-auth.trusted-uris - FQDN of the Server.
In the "Login page" can you find the right FQDN
Internet Explorer
The browser must be configured to enable single sign-on (SSO) support. SSO only works on intranet and using trusted URL's.
- First, open the Internet Options from the Tools menu
- Select the Security tab, select the Local intranet and press the Sites button.
- We need to add the FQDN of the PBX to the trusted list.
- Press the Advanced button.
- This opens a dialog where the FQDN of PBX can be added
- In the "Login page" can you find the right FQDN. Wildcards are also supported e.g. *.host_b.com:
- Configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.
- Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.
- If the browse is the Internet Explorer version 6 or later we must manually enable the SPNEGO SSO.
- Select the Advanced tab, scroll down to the Security section - Enable Integrated Windows Authentification
Chrome
In most cases Chrome will use IE config (see above), but you may test SSO by starting the application the following parameter:
- auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:
|
In the "Login page" can you find the right FQDN
Safari
No additional configuration is needed.
Opera
Opera does not currently support Kerberos authentication.