SiteVision Onlinehelp

How to setup Kerberos authentication

The browser sends a GET request to your web application (1), which answers with HTTP 401 and the header WWW-Authenticate: Negotiate, telling the browser that "negotiate" (SPNEGO/Kerberos) authentication is required (2).

The browser then asks the Kerberos server (the KDC) for a so-called service ticket for the web server's service principal (3), and the KDC returns it (4).
The browser repeats the request with this service ticket, which proves the identity of the caller, plus some additional data (the authenticator), in an Authorization: Negotiate header (5).

After validating the ticket with the service account's key (6), the user is authenticated.
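When this exchange fails silently, the usual symptom is that the browser sends an NTLM token instead of a Kerberos ticket in step (5), typically because the SPN registered below does not match the host name in the URL. The following is an added example, not code from the SiteVision product or this help page: it decodes the Authorization header from step (5), reads the mechanism OIDs in the SPNEGO token, and reports whether the browser actually used Kerberos or fell back to NTLM. The sample headers at the bottom are constructed for the example (placeholder bytes stand in for the real AP-REQ), not captured from a deployment.

```python
import base64

# DER-encoded mechanism OIDs (without the 0x06 tag byte).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def read_tlv(buf, idx):
    """Read one DER tag/length/value at idx -> (tag, value, next_idx), or None if malformed."""
    if idx + 2 > len(buf):
        return None
    tag, length, idx = buf[idx], buf[idx + 1], idx + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or idx + n > len(buf):
            return None
        length, idx = int.from_bytes(buf[idx:idx + n], "big"), idx + n
    if idx + length > len(buf):
        return None
    return tag, buf[idx:idx + length], idx + length


def initial_context_oid(token):
    """Mechanism OID of a GSS-API InitialContextToken ([APPLICATION 0] { OID, ... }), or None."""
    outer = read_tlv(token, 0)
    if outer is None or outer[0] != 0x60:
        return None
    oid = read_tlv(outer[1], 0)
    if oid is None or oid[0] != 0x06:
        return None
    return oid[1]


def spnego_mech_types(token):
    """mechTypes of a SPNEGO NegTokenInit as names (hex for unknown OIDs), or None."""
    if initial_context_oid(token) != OID_SPNEGO:
        return None
    body = read_tlv(token, 0)[1]
    neg = read_tlv(body, read_tlv(body, 0)[2])      # [0] negTokenInit, right after the OID
    if neg is None or neg[0] != 0xA0:
        return None
    seq = read_tlv(neg[1], 0)                       # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    if seq is None or seq[0] != 0x30:
        return None
    mech_list = read_tlv(seq[1], 0)
    if mech_list is None or mech_list[0] != 0xA0:
        return None
    inner = read_tlv(mech_list[1], 0)               # SEQUENCE OF MechType (OID)
    if inner is None or inner[0] != 0x30:
        return None
    mechs, idx = [], 0
    while idx < len(inner[1]):
        item = read_tlv(inner[1], idx)
        if item is None or item[0] != 0x06:
            return None
        mechs.append(MECH_NAMES.get(item[1], item[1].hex()))
        idx = item[2]
    return mechs


def classify_negotiate(header):
    """Classify the Authorization header value a browser sends in step (5)."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "bad-base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                           # Kerberos was not used at all
    if initial_context_oid(token) in (OID_KRB5, OID_MS_KRB5):
        return "raw-kerberos"
    mechs = spnego_mech_types(token)
    if not mechs:
        return "unknown"
    # Per RFC 4178 the mechToken belongs to the first listed mechanism.
    if mechs[0] in ("krb5", "ms-krb5"):
        return "spnego-kerberos"
    return "spnego-ntlm" if mechs[0] == "ntlmssp" else "spnego-other"


def der(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_spnego(mechs, mech_token):
    """Build a SPNEGO NegTokenInit offering `mechs`, with `mech_token` for the first one."""
    neg_init = der(0x30, der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))
                   + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_init))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples (not captured traffic); 200 placeholder bytes stand in for an
# AP-REQ and force long-form DER lengths.
SAMPLE_KERBEROS = negotiate_header(make_spnego([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x00" * 200))
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_NTLM_IN_SPNEGO = negotiate_header(make_spnego([OID_NTLMSSP], NTLM_TYPE1))
SAMPLE_RAW_NTLM = negotiate_header(NTLM_TYPE1)
```

Run classify_negotiate on the header copied from the browser's developer tools: "spnego-kerberos" or "raw-kerberos" means the ticket exchange worked; "spnego-ntlm" or "raw-ntlm" means the browser could not get a ticket for the SPN and fell back to NTLM, so the SPN, realm, or client domain membership needs to be checked.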

Required Information


The following information is required from your system administrators.

The Active Directory server IP address or hostname.
Your complete domain name in Active Directory, which is also the Kerberos realm and is written in upper case (example: WWW.SENSELOGIC.SE).

Create a Server Name Alias


You have to create a service account that the web server uses to interact with Active Directory when validating SSO tokens. To do this, create a user called testsso and check "Password never expires". Assign a password for the testsso user; it will be entered later in the SiteVision configuration. Because the key derived from this password is what protects the service tickets, use a long, random password, and give the account no privileges beyond those of an ordinary domain user.

Create a Service Name


The account you created in the previous section is to be registered as the Kerberos HTTP service for the web server. This is done with the setspn command line tool, which manages SPNs (Service Principal Names) in Active Directory.

More information about Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx.

Note: You must add (-a) an SPN for this account, associating it with the fully qualified host name that users have in the site URL, since the browser builds the SPN from that name. For example:

setspn -a HTTP/www.senselogic.se testsso

To verify that the association has been applied, list (-l) the SPNs of the account:

setspn -l testsso

Note: this command line utility is included with Windows Server 2008 and later but might not be installed by default on older versions; you can download it from the Microsoft web site. An SPN registered on more than one account breaks Kerberos authentication, so on newer versions use setspn -s instead of -a, which refuses to add a duplicate, or check with setspn -q HTTP/www.senselogic.se before adding.

Initial verification


You can do a basic Kerberos check with the kinit tool. The check is performed from your user account on a computer in your network that can reach the KDC (Key Distribution Center), which in a Windows network is normally your domain controller.

kinit testsso@WWW.SENSELOGIC.SE

If the setup is correct you will be prompted for the password of the testsso account (not your own), and kinit returns without an error message.

SiteVision Configuration


Add the Kerberos filter in the authentication configuration. Make sure the filter is placed last in the list.
  • The "Domain" field is the name of the Active Directory domain.
  • Realm is the domain name in upper case (WWW.SENSELOGIC.SE in the example).
  • Service password is the password of the user associated with the Service Name (testsso).
  • KDC (Key Distribution Center) is your Active Directory domain controller.
When the configuration of the Kerberos filter in SiteVision is complete, verify that your clients are joined to the same domain, since the browser can only obtain a service ticket from that domain's KDC. More information about this test can be found in the Checklist for clients.