Skip to main content
Skip table of contents

Create a manual SPN for Kerberos SSO

Applies to censhare Linux Servers, that are not completely joined to the Active Directory Domain.

Overview

What is needed for Kerberos SSO:

  1. Kerberos enabled Unix-based server running censhare-Server

  2. service user in the directory server

  3. keytab file mapped to the service user

Also note: censhare is using GSSAPI for SingleSign-On, for Windows Clients you need to Allow access to the TGT Session cache, please clarify with your information security first if this is feasible.

Unix Server

    • Install packages for Kerberos

      • RedHat Linux

        yum install krb5-workstation krb5-libs krb5-auth-dialog

      • SuSE Linux

        zypper install krb5-client

      • Solaris 11

        pkg install pkg:/service/security/kerberos-5

    • configure krb5 with /etc/krb5.conf (/etc/krb5/krb5.conf on Solaris)

      
      [logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log
      
      [libdefaults]
       default_realm = EXAMPLE.COM
       dns_lookup_realm = false
       dns_lookup_kdc = false
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
      
      [realms]
       EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
       }
      
      [domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

Directory Server

  1. Create a new Service User in your Active Directory

2. In the password dialogue only activate:

      • User cannot change password

      • Password never expires

3. Open cmd.exe and execute the command:

setspn -A host/censhare-hostname censhare-sso

Please replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created.

4. After you set SPN on your user, you will have a new tab for delegations in the user settings for this user.The Delegation for this user is not needed, if you need SSO with the censhare-WebClient this is mandatory. 


5. Open cmd.exe again to create a keytab file, which has to be copied to the censhare-Server. For more information on the ktpass command, see here.

ktpass -princ host/censhare-hostname@EXAMPLE.COM -mapuser censhare-sso@EXAMPLE.COM -pass +rndpass -out cenSSO.keytab -pType KRB5_NT_PRINCIPAL

Again replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created

censhare-Server

    • create a custom jaas.conf

      corpus@censhare-server:~$ cp ~/css/app/config/jaas.conf ~/cscs/app/config/
      

      and edit the principal with the one you used with setspn

         principal="host/censhare-server@EXAMPLE.COM"

      as well as the place where you put the keytab file

         keyTab="/opt/corpus/cscs/app/config/cenSSO.keytab"

    • edit the server.xml file if the path of your krb5.conf is different (e.g. in Solaris OS)

          <sysproperty key="java.security.krb5.conf" value="/etc/krb5.conf" enabled="true"/>

    • Use the censhare-Admin to configure Kerberos at "Configuration - Modules - Internal Server Modules - Login by kerberos/LDAP"


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.