Using Active Directory for Single Sign-On
You can configure single sign-on (SSO) with the CTERA Portal for users defined in Microsoft Active Directory, using the Kerberos protocol. When SSO is configured, CTERA Agents authenticate to the CTERA Portal automatically and transparently with the Active Directory credentials of the user logged in to the PC on which they are installed, starting from that user's first login.
A service principal name (SPN) uniquely identifies an instance of a service in Active Directory. Before the CTERA Portal can use Kerberos authentication, you must register the SPN on the account object that the CTERA Portal uses to log on and then generate a keytab file from that account.
To configure Active Directory for single sign-on with CTERA Portal:
1 Log in to the Windows Domain Controller as an administrator.
2 Create a new account for CTERA Portal, by doing the following:
a Open Active Directory Users and Computers.
b Right-click on the name of the domain to which you want to add the user and click New > User.
The New Object - User dialog box is displayed.
c Fill in the user details: In the User logon name area, in the first field enter a user account, such as cteraportal, and in the second field select the domain.
d Click Next.
e In the Password and Confirm password fields, enter a password for the user.
The password must be at least 8 characters in length and conform to at least 3 out of the following 4 requirements:
• It must contain at least one English uppercase character (A through Z)
• It must contain at least one English lowercase character (a through z)
• It must contain at least one Base 10 digit (0 through 9)
• It must contain at least one non-alphanumeric character (for example, !, $, #, %)
f Clear the User must change password at next logon check box.
g Check the User cannot change password and Password never expires check boxes. The keytab you generate in step 3 holds a key derived from this password, so any later password change or reset invalidates the keytab and you must generate a new one.
h Click Next.
The summary for the new user is displayed.
i Click Finish.
3 Map the service principal name to the user account that you created and generate a keytab file, by running the following command on the domain controller:
ktpass -princ SPN -out path_to_keytab -mapuser domain\account_name -mapOp set -pass account_password
Where:
• SPN is the Kerberos service principal name.
For example: cttp/portal.example.com@EXAMPLE.COM
The SPN syntax is cttp/portal_full_DNS_name@ACTIVE_DIRECTORY_REALM
Note: The Active Directory Kerberos realm is the domain's DNS name written entirely in upper case (Kerberos realm names are case-sensitive), and it must match the CTERA Portal's DNS suffix.
• path_to_keytab is the path where you want to store the generated keytab file.
For example, c:\cteraportal.keytab.
Note: The upper-case requirement applies to the realm in the SPN, not to the keytab file name, which can be any valid file name, as in the examples on this page.
• domain is the domain NetBIOS name.
For example, myexample.
• account_name is the service account name.
For example, cteraportal.
• account_password is the password associated with the service account.
For example, Password12E4.
For example:
ktpass -princ cttp/"SERVER FQDN"@"DOMAIN REALM" -mapuser ctera_portal@"DOMAIN FQDN" -mapOp set -pass PASSWORD -out c:\temp\ctera_portal.keytab
To configure Kerberos for single sign-on with CTERA Portal:
• Kerberos requires the clocks of the relevant hosts to be synchronized; by default a request is rejected when the clock skew exceeds five minutes. Ensure that the CTERA Portal server's clock is synchronized with the Active Directory clock, preferably by pointing the CTERA Portal server at an NTP server, ideally the same one the domain controllers use.
• To authenticate with aes256-cts-hmac-sha1-96, make sure that the Active Directory domain controller policy allows this encryption type. If it does not, edit the service account created above (cteraportal in the example) in Active Directory Users and Computers and, on the Account tab, check This account supports Kerberos AES 128 bit encryption and This account supports Kerberos AES 256 bit encryption.
• Under Local Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) on the domain controllers and on the CTERA Agent workstations, set Network security: Configure encryption types allowed for Kerberos to allow AES128_HMAC_SHA1 and AES256_HMAC_SHA1 (and future encryption types).
• Generate a new keytab with AES256 encryption (add -crypto AES256-SHA1 to the ktpass command shown above), copy it to the portal and run ctera-keytab.sh with the new keytab on the portal, then run klist purge on each CTERA Agent workstation so that tickets cached under the old keys are discarded.
• In the [libdefaults] section of the portal's krb5.conf (normally /etc/krb5.conf), set:
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
Configuring SSO on the Portal
To enable SSO, you must connect the portal to Active Directory.
To configure SSO on the portal:
1 Enable the keytab file on the CTERA Portal:
a Log in to the CTERA Portal as root, using SSH.
b Copy the keytab file from the Active Directory server to the CTERA Portal server. The keytab contains the service account's secret key, so transfer it over an authenticated and encrypted channel (for example, SCP), restrict its file permissions on the portal, and delete any copies left on the domain controller or on intermediate hosts.
c Run the following command: ctera-keytab.sh keytabfile
2 Add the Active Directory server to the CTERA Portal:
a Log in to the portal.
b In the virtual portal administration view, select Settings in the navigation pane.
c Select Directory Settings, under USERS in the Control Panel content page.
The Directory Services page is displayed.
d Click Settings.
The Directory Services Settings window is displayed.
e Specify the following:
Check Enable directory synchronization.
In Directory Type, select Active Directory.
Check Use Kerberos.
In Domain, enter the Active Directory domain.
In Username, enter the user name of the Active Directory account that the portal uses to connect to the directory.
In Password, enter that account's password.
f Click NEXT to the end of the wizard.
g Click FINISH.
SSO is now configured on the CTERA Portal.