Enabling WebDAV Access Without Additional Authentication
- Updated on 29 Jun 2022
When using WebDAV to access portal files, the files must be accessible without requiring additional authentication. This functionality is enabled using SPNEGO, the Simple and Protected GSS-API Negotiation Mechanism, a standard defined in IETF RFC 2478.
CTERA Portal Support For SPNEGO Authentication
The following configuration is required to enable using WebDAV to access portal files without requiring additional authentication, using SPNEGO:
- On all Windows clients that connect to the portal, as the Active Directory user:
  - Change the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains registry entry:
    - Add a new key: portalSuffix, for example myportal.com.
    - In the new key, add a new DWORD (32-bit) Value entry called https and set the value to 1.
  - Change the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 registry entry:
    - Add a new DWORD (32-bit) Value entry called 1A00 and set the value to 0.
  - Save the registry.
- On all Windows clients that connect to the portal, as a Windows administrator user:
  - Change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters registry entry:
    - Add a new entry of type Multi-String Value.
    - Change the name of the entry to AuthForwardServerList.
    - Modify the entry by adding the URL for the portal, specifying just the DNS suffix, for example, https://*.myportal.com
  - Save the registry.
- On Windows 7 clients that connect to the portal, apply the update described in https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392.
- On Mac clients that connect to the portal, configure Kerberos for authentication in the /etc/krb5.conf file.
  For example:

      [domain_realm]
          .DOMAIN.COM = DOMAIN.COM
          DOMAIN.COM = DOMAIN.COM

      [libdefaults]
          default_realm = DOMAIN.COM
          dns_lookup_kdc = true
          forwardable = true
          noaddresses = true

      [realms]
          DOMAIN.COM = {
              kdc = domain.com:88
          }

- Restart all clients.
- Configure the ADFS/Kerberos server as described in https://gusto77.wordpress.com/2015/09/02/apache-tomcat-spnego-authentication-configuration.
  - Register the SPN using the portal DNS:

        setspn -A HTTP/portalname.myportal.com user

  - Create a keytab file:

        ktpass /out c:\tomcat.keytab /mapuser user@DOMAIN.COM /princ HTTP/portalname.myportal.com@DOMAIN.COM /pass user_password /kvno 0 /pType KRB5_NT_PRINCIPAL

  - Move the keytab file to the tomcat server:

        /usr/local/ctera/apache-tomcat/SPNEGO_KEYTAB

- Configure the portal application servers.
  - Edit /usr/local/ctera/apache-tomcat/jaas.config to match the SPN configured in the Kerberos server.

        ...
        com.sun.security.jgss.accept {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="/usr/local/ctera/apache-tomcat/SPNEGO_KEYTAB"
            principal="HTTP/portalname.myportal.com@DOMAIN.COM"
            storeKey=true
            doNotPrompt=true;
        };
        ...

  - Set the portal to support SPNEGO:

        set /settings/supportSPNEGO true

  - If there are Windows 7 clients, on every portal application server, edit /usr/local/ctera/apache-tomcat/conf/server.xml:

        sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"

  - Restart the servers.
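
The Windows client registry steps in the procedure above, written as a PowerShell script that can be re-run safely. This is an added example, not CTERA's own tooling; `myportal.com` is the page's placeholder suffix and the `-Machine` switch is a name chosen here. Run it once in the Active Directory user's session without the switch, and once elevated with `-Machine`.

```powershell
# Added example (not CTERA code). 'myportal.com' is the page's placeholder suffix;
# the -Machine switch is a name chosen for this example.
param(
    [string]$PortalSuffix = 'myportal.com',
    [switch]$Machine
)
$ErrorActionPreference = 'Stop'

if (-not $Machine) {
    # Run in the Active Directory user's own session: HKCU is per user, so running
    # this part from a different (admin) account would edit that account's hive instead.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # ZoneMap\Domains\<suffix>: https = 1 places https://*.<suffix> in zone 1 (Local intranet).
    # Only the https scheme is mapped, so plain http to the same suffix is not affected.
    $domainKey = "$inet\ZoneMap\Domains\$PortalSuffix"
    if (-not (Test-Path -Path $domainKey)) { New-Item -Path $domainKey -Force | Out-Null }
    New-ItemProperty -Path $domainKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

    # Zones\1: 1A00 = 0 selects automatic logon with the current user name and password
    # for every site in the Local intranet zone, not just the portal.
    $zoneKey = "$inet\Zones\1"
    if (-not (Test-Path -Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    New-ItemProperty -Path $zoneKey -Name '1A00' -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the values back so the result can be checked or logged.
    Get-ItemProperty -Path $domainKey | Select-Object -Property 'https'
    Get-ItemProperty -Path $zoneKey | Select-Object -Property '1A00'
}
else {
    # Run elevated: HKLM is machine-wide and applies to every user of the WebClient service.
    $webClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
    $entry = "https://*.$PortalSuffix"

    # Append to AuthForwardServerList instead of overwriting it, so entries that
    # other applications already rely on survive, and skip the write if present.
    $props = Get-ItemProperty -Path $webClient
    $current = @($props.AuthForwardServerList | Where-Object { $_ })
    if ($current -notcontains $entry) {
        New-ItemProperty -Path $webClient -Name 'AuthForwardServerList' `
            -PropertyType MultiString -Value ([string[]]($current + $entry)) -Force | Out-Null
    }

    # Print the resulting list: each entry is a server pattern that receives the
    # user's credentials over WebDAV, so it should contain only the expected suffixes.
    (Get-ItemProperty -Path $webClient).AuthForwardServerList
}
```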