This guide describes how to set up automatic Active Directory Single Sign-On.
Created: March 2019
Step 1. Generate KeyTab file in Active Directory
- Go to Active Directory Users and Computers
- Create a new computer account "some-name" (in Active Directory Users and Computers -> domain <Your-domain-name> -> Computers -> create a computer "some-name"). A user named "some-name" must not exist in this domain.
To create the KeyTab file and check the SPN (service principal name) binding of the computer account, run the following commands with Domain Admin privileges:
ktpass -princ HTTP/some-name.example.com@EXAMPLE.COM -mapuser some-name$@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out d:\some-name.keytab
setspn -Q HTTP/some-name.example.com
where
some-name$@EXAMPLE.COM - the name of the computer account in Active Directory (with the trailing $); the domain part is written in capital letters;
+rndpass - generates a random password for the computer account (its key is what ends up in the KeyTab).
If the SPN (HTTP/srv-nginx.example.com in this example) is bound to several computers or users, Kerberos authentication will not work; setspn -Q shows where the SPN is registered.
The KeyTab appears on the disk as d:\some-name.keytab; copy this file to the PBX system for the next steps:
Step 2. Upload KeyTab file to PBX
- Go to WMS Settings -> PBX -> Security
- Tick Active Directory Single SignOn via Kerberos (Negotiate)
- Upload the KeyTab file generated in Active Directory in Step 1
Limitation: only the characters "0-9", "a-z", "A-Z", "_", "-", "@" and "." are allowed in the KeyTab file name.
- Enter the Kerberos FQDN of the KeyTab: the domain name / IP address of the PBX that is encoded in the KeyTab.
Step 3. Import users
Import users from Active Directory. Consult Documentation
Step 4. Log in to Collaboration
On a Windows machine joined to AD, log in to the system as a user who has already been imported to the PBX.
- Open the browser and enter the domain name that was configured on the PBX Security page (this name must resolve to the PBX IP address), for example glebka-test1.wildix2016.inc
- If everything is set up correctly, you are logged in to Collaboration automatically as the user you are logged in with on the Windows computer.
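If the automatic login does not happen and the browser prompts for credentials instead, a useful check is to look at what the browser actually sent in the Authorization: Negotiate header (visible in the browser's developer tools). The following Python script is an added diagnostic example and is not part of this guide or of the Wildix product: it decodes the token and reports whether the client offered Kerberos or fell back to NTLM, which is what a Windows client does when it could not obtain a service ticket for the SPN (for example because the name entered does not resolve to the PBX or the SPN is ambiguous). The sample headers in the script are constructed with placeholder token bodies, and classify_authorization and the SAMPLE_* names are choices of this example.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06 + length + contents)
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID   = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLM_OID   = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = [("kerberos", KRB5_OID), ("kerberos", MSKRB5_OID), ("ntlm", NTLM_OID)]


def _der(tag, content):
    """Minimal DER TLV encoder (lengths up to 65535), used for the constructed samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _der_content(buf, off=0):
    """Return the content octets of the DER TLV that starts at buf[off]."""
    first = buf[off + 1]
    if first < 0x80:
        n, start = first, off + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[off + 2:off + 2 + k], "big"), off + 2 + k
    return buf[start:start + n]


def classify_authorization(header_value):
    """Classify the mechanism carried by an HTTP 'Authorization: Negotiate <token>' header."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                 # bare NTLMSSP message without an SPNEGO wrapper
    if not token.startswith(b"\x60") or len(token) < 2:
        return "unknown"
    content = _der_content(token)         # InitialContextToken: mech OID followed by inner token
    if content.startswith(KRB5_OID) or content.startswith(MSKRB5_OID):
        return "kerberos-raw"
    if not content.startswith(SPNEGO_OID):
        return "unknown"
    rest = content[len(SPNEGO_OID):]      # NegTokenInit: the mechTypes list comes first
    found = [(rest.find(oid), name) for name, oid in MECHS if oid in rest]
    if not found:
        return "spnego/unknown"
    return "spnego/" + min(found)[1]      # the first listed mechType is the client's preferred one


def _negotiate_header(mech_oids, mech_token):
    """Constructed NegTokenInit: SPNEGO OID + [0] { mechTypes [0], mechToken [2] }."""
    mech_types = _der(0x30, b"".join(mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    gss = _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed samples: the token bodies are placeholders, not captured traffic
SAMPLE_KERBEROS = _negotiate_header([MSKRB5_OID, KRB5_OID, NTLM_OID], b"<AP-REQ placeholder>")
SAMPLE_NTLM_FALLBACK = _negotiate_header([NTLM_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode()

if __name__ == "__main__":
    import sys
    header = sys.stdin.readline() if not sys.stdin.isatty() else SAMPLE_KERBEROS
    print(classify_authorization(header))
```

Paste the header value copied from the developer tools on stdin; "spnego/kerberos" means the browser presented a service ticket, while "spnego/ntlm" or "ntlm-raw" means it never obtained one, so the SPN, the name resolution of the PBX or the browser's intranet-zone settings are the first things to check.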