Create a manual SPN for Kerberos SSO
Applies to censhare Linux Servers, that are not completely joined to the Active Directory Domain.
Overview
What is needed for Kerberos SSO:
Kerberos enabled Unix-based server running censhare-Server
service user in the directory server
keytab file mapped to the service user
Also note: censhare is using GSSAPI for SingleSign-On, for Windows Clients you need to Allow access to the TGT Session cache, please clarify with your information security first if this is feasible.
Unix Server
Install packages for Kerberos
RedHat Linux
yum install krb5-workstation krb5-libs krb5-auth-dialog
SuSE Linux
zypper install krb5-client
Solaris 11
pkg install pkg:/service/security/kerberos-5
configure krb5 with /etc/krb5.conf (/etc/krb5/krb5.conf on Solaris)
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
Directory Server
- Create a new Service User in your Active Directory
2. In the password dialogue only activate:
User cannot change password
Password never expires
3. Open cmd.exe and execute the command:
setspn -A host/censhare-hostname censhare-sso
Please replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created.
4. After you set SPN on your user, you will have a new tab for delegations in the user settings for this user.The Delegation for this user is not needed, if you need SSO with the censhare-WebClient this is mandatory.
5. Open cmd.exe again to create a keytab file, which has to be copied to the censhare-Server. For more information on the ktpass command, see here.
ktpass -princ host/censhare-hostname@EXAMPLE.COM -mapuser censhare-sso@EXAMPLE.COM -pass +rndpass -out cenSSO.keytab -pType KRB5_NT_PRINCIPAL
Again replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created
censhare-Server
create a custom jaas.conf
corpus@censhare-server:~$ cp ~/css/app/config/jaas.conf ~/cscs/app/config/
and edit the principal with the one you used with setspn
principal="host/censhare-server@EXAMPLE.COM"
as well as the place where you put the keytab file
keyTab="/opt/corpus/cscs/app/config/cenSSO.keytab"
edit the server.xml file if the path of your krb5.conf is different (e.g. in Solaris OS)
<sysproperty key="java.security.krb5.conf" value="/etc/krb5.conf" enabled="true"/>
Use the censhare-Admin to configure Kerberos at "Configuration - Modules - Internal Server Modules - Login by kerberos/LDAP"