Create a manual SPN for Kerberos SSO - SysAdmin

Applies to censhare Linux Servers, that are not completely joined to the Active Directory Domain.

Overview

What is needed for Kerberos SSO:

1. Kerberos enabled Unix-based server running censhare-Server

2. service user in the directory server

3. keytab file mapped to the service user

Also note: censhare is using GSSAPI for SingleSign-On, for Windows Clients you need to Allow access to the TGT Session cache, please clarify with your information security first if this is feasible.

Unix Server

• • Install packages for Kerberos

    • RedHat Linux

      yum install krb5-workstation krb5-libs krb5-auth-dialog
      
      

    • SuSE Linux

      zypper install krb5-client
      
      

    • Solaris 11

      pkg install pkg:/service/security/kerberos-5
      
      

  • configure krb5 with /etc/krb5.conf (/etc/krb5/krb5.conf on Solaris)

    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com
      admin_server = kerberos.example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    
    

Directory Server

1. Create a new Service User in your Active Directory

2. In the password dialogue only activate:

• • • User cannot change password

    • Password never expires

3. Open cmd.exe and execute the command:

setspn -A host/censhare-hostname censhare-sso

Please replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created.

4. After you set SPN on your user, you will have a new tab for delegations in the user settings for this user.The Delegation for this user is not needed, if you need SSO with the censhare-WebClient this is mandatory. 

5. Open cmd.exe again to create a keytab file, which has to be copied to the censhare-Server. For more information on the ktpass command, see here.

ktpass -princ host/censhare-hostname@EXAMPLE.COM -mapuser censhare-sso@EXAMPLE.COM -pass +rndpass -out cenSSO.keytab -pType KRB5_NT_PRINCIPAL

Again replace "censhare-hostname" with the hostname of your censhare-Server you are connecting to and "censhare-sso" with the Active Directory username you just created

censhare-Server

• • create a custom jaas.conf

    corpus@censhare-server:~$ cp ~/css/app/config/jaas.conf ~/cscs/app/config/
    

    and edit the principal with the one you used with setspn

       principal="host/censhare-server@EXAMPLE.COM"

    as well as the place where you put the keytab file

       keyTab="/opt/corpus/cscs/app/config/cenSSO.keytab"
    
    

  • edit the server.xml file if the path of your krb5.conf is different (e.g. in Solaris OS)

        <sysproperty key="java.security.krb5.conf" value="/etc/krb5.conf" enabled="true"/>
    
    

  • Use the censhare-Admin to configure Kerberos at "Configuration - Modules - Internal Server Modules - Login by kerberos/LDAP"