
Active Directory Single Sign-On


This guide describes how to set up automatic Active Directory Single Sign-On.

Created: March 2019

Permalink: https://confluence.wildix.com/x/rABOAg

Step 1. Generate KeyTab file in Active Directory

  • Go to Active Directory Users and Computers
  • Create a new computer account “some-name” (Active Directory Users and Computers -> domain <Your-domain-name> -> Computers -> create a computer “some-name”). No user account named “some-name” may exist in this domain.

  • To create the KeyTab file and check the SPN (service principal name) binding to the computer account, run the following commands with Domain Admin privileges:

    ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
    setspn -Q HTTP/some-name.example.com

    where

    some-name$@EXAMPLE.COM - the name of the computer account in Active Directory (with the trailing $); the realm (domain name) is written in capital letters;

    +rndpass - generates a random password for the computer account.

    If HTTP/srv-nginx.example.com is bound to several computer or user accounts, Kerberos authentication will not work.


The keytab file appears on disk as d:\some-name.keytab; copy this file to the PBX for the next steps:
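The two failure conditions named above (a duplicate SPN binding and a user account sharing the computer account's name) and the file-name limitation from the PBX upload step can all be checked before ktpass is run. The following PowerShell script is an added example, not part of the Wildix guide; it assumes the ActiveDirectory RSAT module is installed, uses the same placeholder names as the guide, and runs with Domain Admin privileges.

```powershell
# Added example (not from the Wildix page): pre-flight checks before generating the keytab.
# Placeholders below are the guide's own example names.
$Spn        = 'HTTP/some-name.example.com'
$Realm      = 'EXAMPLE.COM'
$Computer   = 'some-name'
$KeytabPath = 'd:\some-name.keytab'

# Requires the ActiveDirectory RSAT module (Get-ADObject / Get-ADUser).
Import-Module ActiveDirectory

# 1. Kerberos needs a unique SPN: if more than one account carries it, authentication fails.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
if ($holders.Count -gt 1) {
    Write-Error "SPN $Spn is bound to $($holders.Count) accounts: $($holders.DistinguishedName -join '; ')"
    return
}

# 2. No user account may share the computer account's name.
if (Get-ADUser -Filter "SamAccountName -eq '$Computer'") {
    Write-Error "A user named '$Computer' exists in the domain; rename or remove it first."
    return
}

# 3. The PBX only accepts keytab file names made of 0-9, a-z, A-Z, _, -, @ and .
$fileName = Split-Path -Leaf $KeytabPath
if ($fileName -notmatch '^[0-9A-Za-z_\-@.]+$') {
    Write-Error "Keytab file name '$fileName' contains characters the PBX rejects."
    return
}

# 4. Generate the keytab (same ktpass invocation as the guide) and confirm the SPN binding.
#    "$Computer`$" yields some-name$ (the computer account name with its trailing $).
ktpass -princ "$Spn@$Realm" -mapuser "$Computer`$@$Realm" -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out $KeytabPath
setspn -Q $Spn
```

Run the checks before ktpass rather than after: ktpass with -mapuser writes the SPN onto the computer account and resets its password, so a duplicate discovered afterwards has already broken the binding.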


Step 2. Upload KeyTab file to PBX

  • Go to WMS Settings -> PBX -> Security
  • Tick Active Directory Single SignOn via Kerberos (Negotiate)
  • Upload the KeyTab file previously generated in Active Directory

    Limitation: Only the characters 0-9, a-z, A-Z, "_", "-", "@" and "." are allowed in the KeyTab file name.

  • Enter the Kerberos FQDN of the KeyTab, i.e. the domain name / IP address of the PBX encoded in the keytab principal:

Step 3. Import users

Import users from Active Directory. Consult the Documentation.

Step 4. Log in Collaboration

Log in with a user:
on a Windows machine joined to the AD domain, log in to the system as a user who has already been imported to the PBX.

  • Open the browser and enter the domain name that was configured on the PBX Security page (this name must resolve to the PBX IP address). For example, glebka-test1.wildix2016.inc
  • If everything is set up correctly, you are logged in to Collaboration automatically as the user you are logged in with on the Windows computer
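When the automatic login does not happen, the two things worth confirming on the client are that the browser name really resolves to the PBX and that Windows obtained a Kerberos service ticket for the PBX's HTTP SPN. The following PowerShell snippet is an added example, not part of the Wildix guide; it is run on the AD-joined Windows client as the imported user, after opening the PBX address in the browser. The PBX IP address is a constructed placeholder.

```powershell
# Added example (not from the Wildix page): client-side verification of the SSO login.
$PbxName = 'glebka-test1.wildix2016.inc'   # name configured on the PBX Security page (guide's example)
$PbxIp   = '192.0.2.10'                     # constructed placeholder: replace with the real PBX address

# The name typed into the browser must resolve to the PBX itself; otherwise the client
# requests a ticket for a host whose SPN does not belong to the PBX keytab.
$resolved = @((Resolve-DnsName -Name $PbxName -Type A -ErrorAction Stop).IPAddress)
if ($resolved -notcontains $PbxIp) {
    Write-Warning "$PbxName resolves to $($resolved -join ', '), not to $PbxIp"
} else {
    "$PbxName resolves to the PBX ($PbxIp)."
}

# After a successful Negotiate login the ticket cache holds a service ticket for HTTP/<name>.
# klist (built into Windows) prints the cached tickets; -match keeps the lines naming our SPN.
$tickets = klist
if ($tickets -match "HTTP/$PbxName") {
    "Service ticket for HTTP/$PbxName is cached: the Kerberos exchange with the PBX succeeded."
} else {
    Write-Warning "No HTTP/$PbxName ticket cached: the login was not performed via Kerberos."
}
```

A cached ticket together with a failed login points at the PBX side (keytab principal or FQDN mismatch); no cached ticket at all points at the client side (name resolution, or the user not being logged in to Windows with a domain account).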

