After validating the ticket (6) the user is authenticated.
The following information is required from your system administrators:
Active Directory server IP address or hostname.
Your complete domain name in the Active Directory. (Example: WWW.SENSELOGIC.SE)
You have to create a server alias for the Web Server to interact with Active Directory for the SSO token validation. To do this, create a user called testsso and check “Password never expires”. Assign a password for the testsso user. This password will be used later.
The account you created in the previous section is meant to be used as a Kerberos HTTP service for the Web Server. This is done by using the setspn command line tool, which manages SPNs (Service Principal Names) in the Active Directory.
More information about Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx
Note: You must add (-a) an SPN for such an account, associating it with the fully qualified server alias name. For example:
setspn -a HTTP/www.senselogic.se testsso
"www.senselogic.se" must be the A-record for the server.
To verify that the association has been applied, use (-l) to list the SPNs:
setspn -l testsso
Note: this command line utility might not be available in your OS. You can always download it from the Microsoft web site.
You can do a basic Kerberos check using the kinit tool. The check is performed from your user account on one of the computers in your network that has access to the KDC (Key Distribution Center). This is normally your Domain Controller in a Windows-based network.
kinit testsso@WWW.SENSELOGIC.SE
If the setup is correct you will be prompted for your domain password. You should not receive an error message.
First, the JCE "Unlimited Strength Java(TM) Cryptography Extension Policy Files" need to be installed. You can download JCE from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Unzip the downloaded file and follow the installation instructions from the readme-file.
The SiteVision JVM default installation directory: "sitevision/jre"
If the KDC is a Windows 2008 R2 server, you also need to force Kerberos encryption to AES-256-CTS-HMAC-SHA1-96.
This is done by adding a krb5.conf file in the "sitevision/jre/lib/security" directory containing:
[libdefaults]
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac
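An added example, not part of the SiteVision documentation: a small Python check that parses the [libdefaults] section of a krb5.conf like the one above, confirms that AES-256 is the preferred type for each of the three settings, and reports any deprecated types that are still permitted (the file above keeps rc4-hmac as a fallback). The function names and the list of deprecated types are this example's own.

```python
import re

# Constructed sample: the krb5.conf contents shown above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AES256 = {"aes256-cts", "aes256-cts-hmac-sha1-96"}  # short and long name
# Deprecated enctypes: DES (RFC 6649), RC4 and 3DES (RFC 8429).
WEAK = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc",
        "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "des3-hmac-sha1"}


def parse_libdefaults(text):
    """Return {setting: [enctype, ...]} for the [libdefaults] section only."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = [t.lower() for t in re.split(r"[\s,]+", value.strip()) if t]
    return settings


def audit_enctypes(text):
    """Return (setting, finding) tuples; an empty list means nothing was flagged."""
    settings = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        types = settings.get(key)
        if not types:
            findings.append((key, "not set"))
            continue
        if types[0] not in AES256:               # lists are in preference order
            findings.append((key, "aes256 is not the preferred type"))
        findings += [(key, "deprecated type permitted: " + t) for t in types if t in WEAK]
    return findings


if __name__ == "__main__":
    for setting, finding in audit_enctypes(SAMPLE_KRB5_CONF):
        print(setting + ": " + finding)
```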
Add the Kerberos filter at the authentication configuration. Make sure the filter is placed at the end of the list.