SiteVision Onlinehelp

How to setup Kerberos authentication

The browser sends a GET request to your web application (1), which responds that "Negotiate" authentication is required (2).

The browser then asks the Kerberos server for a so-called service ticket (3).
The browser then sends this service ticket, which proves the identity of the caller, together with some additional data, to the web application (5).

After validating the ticket (6) the user is authenticated.
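As an added illustration (not part of the SiteVision documentation or product), the Python below models steps (1), (2) and (5) of this exchange on the server side: it issues the Negotiate challenge when no token is present and, when a token arrives, reads the GSS-API mechanism OID to tell a SPNEGO or Kerberos token apart from an NTLM fallback, which is what a browser sends when it could not obtain a service ticket. The sample tokens are constructed inline; ticket validation (6) is not modeled.

```python
import base64

# DER-encoded OID bodies (tag and length stripped) for the GSS mechanisms seen in Negotiate.
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos 5)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                # raw NTLM message, no GSS framing

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos] (short or long form)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length form")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(token):
    """Return 'ntlm', 'spnego', 'kerberos' or 'unknown' for a decoded Negotiate token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # client got no service ticket (e.g. SPN missing) and fell back to NTLM
    try:
        if token[0] != 0x60:            # GSS-API InitialContextToken is [APPLICATION 0]
            return "unknown"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:          # OBJECT IDENTIFIER tag introduces the mechanism OID
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    return {OID_SPNEGO: "spnego", OID_KRB5: "kerberos"}.get(oid, "unknown")

def negotiate_step(headers):
    """Steps (1)-(2) and (5): no Negotiate header -> 401 + challenge; else decode and classify."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return 400, {}, "unknown"
    return 200, {}, classify_negotiate_token(token)

# Constructed sample tokens (not captured traffic): 0x60, length, 0x06, length, OID, payload.
SAMPLE_SPNEGO = bytes.fromhex("600a06062b0601050502a000")
SAMPLE_KRB5 = bytes.fromhex("600d06092a864886f7120102020100")
SAMPLE_NTLM = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)
```

A result of "ntlm" on a server that expects Kerberos is the symptom to look for when the SPN or the client's domain membership is wrong.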

Required Information

The following information is required from your system administrators.

Active Directory server IP address or hostname.
Your complete domain name in Active Directory (example: WWW.SENSELOGIC.SE).

Create a Server Name Alias

You have to create a server alias for the web server to interact with Active Directory for the SSO token validation. To do this, create a user called testsso and check “Password never expires”. Assign a password to the testsso user; this password will be used later.

Create a Service Name

The account you created in the previous section is meant to be used as a Kerberos HTTP service for the web server. This is done with the setspn command-line tool, which manages SPNs (Service Principal Names) in Active Directory.

More information about Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

Note: You must add (-a) an SPN for this account, associating it with the fully qualified server alias name. For example:

setspn -a HTTP/www.senselogic.se testsso


"www.senselogic.se" must be the A-record for the server.

To verify that the association has been applied, list (-l) the SPNs of the account:

setspn -l testsso


Note: this command-line utility might not be available in your OS. You can always download it from the Microsoft web site.

Initial verification

You can do a basic Kerberos check using the kinit tool. The check is performed from your user account on one of the computers in your network that has access to the KDC (Key Distribution Center). This is normally your domain controller in a Windows-based network.

kinit testsso@WWW.SENSELOGIC.SE


If the setup is correct you will be prompted for your domain password. You should not receive an error message.

SiteVision Server prerequisites

First, the JCE "Unlimited Strength Java(TM) Cryptography Extension Policy Files" need to be installed. You can download JCE from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

Unzip the downloaded file and follow the installation instructions from the readme-file.

The SiteVision JVM default installation directory: "sitevision/jre"

If the KDC is a Windows 2008 R2 server you also need to force Kerberos encryption to AES-256-CTS-HMAC-SHA1-96.
This is done by adding a krb5.conf file in the "sitevision/jre/lib/security" directory containing:

[libdefaults]
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes256-cts rc4-hmac
permitted_enctypes   = aes256-cts rc4-hmac


SiteVision Configuration

Add the Kerberos filter at the authentication configuration. Make sure the filter is placed at the end of the list.

  • The "Domain" field is the name of the Active Directory domain.
  • Realm is the domain name.
  • Service password is the password for the user associated with the Service Name (testsso).
  • KDC (Key Distribution Center) is your Active Directory domain controller.

When the configuration of the Kerberos filter in SiteVision is complete, you can verify that your clients are connected to the same domain. More information about this test can be found in the Checklist for clients.
