Enabling WebDAV Access Without Additional Authentication (Using SPNEGO)
Article Summary

When using WebDAV to access portal files, the files must be accessible without requiring additional authentication. This functionality is enabled using SPNEGO. SPNEGO is a standard specification defined in the Simple and Protected GSS-API Negotiation Mechanism (IETF RFC 2478).

CTERA Portal Support For SPNEGO Authentication

The following configuration is required to enable using WebDAV to access portal files without requiring additional authentication, using SPNEGO:

  1. On all Windows clients that connect to the portal, as the Active Directory user:
    1. Change the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains registry entry:
      1. Add a new key: portalSuffix, for example myportal.com.
      2. In the new key add a new DWORD (32-bit) Value entry, called https and set the value to 1.
    2. Change the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 registry entry:
      Add a new DWORD (32-bit) Value entry, called 1A00 and set the value to 0.
    3. Save the registry.
  2. On all Windows clients that connect to the portal, as a Windows administrator user:
    1. Change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters registry entry:
      1. Add a new entry of type Multi-String Value
      2. Change the name of the entry to AuthForwardServerList
      3. Modify the entry by adding the URL for the portal, specifying just the DNS suffix, for example, https://*.myportal.com
    2. Save the registry.
  3. On Windows 7 clients that connect to the portal, apply the update described in https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392.
  4. On Mac clients that connect to the portal, configure Kerberos for authentication in the /etc/krb5.conf file.
    For example:
    [domain_realm]
        .DOMAIN.COM = DOMAIN.COM
        DOMAIN.COM = DOMAIN.COM
    [libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_kdc = true
        forwardable = true
        noaddresses = true
    [realms]
        DOMAIN.COM = {
            kdc = domain.com:88
        }
  5. Restart all clients.
  6. Configure the ADFS/Kerberos server as described in https://gusto77.wordpress.com/2015/09/02/apache-tomcat-spnego-authentication-configuration.
    Register the SPN using the portal DNS: setspn -A HTTP/portalname.myportal.com user
    Create a keytab file: ktpass /out c:\tomcat.keytab /mapuser user@DOMAIN.COM /princ HTTP/portalname.myportal.com@DOMAIN.COM /pass user_password /kvno 0 /pType KRB5_NT_PRINCIPAL
    Move the keytab file to the tomcat server: /usr/local/ctera/apache-tomcat/SPNEGO_KEYTAB
  7. Configure the portal application servers.
    1. Edit /usr/local/ctera/apache-tomcat/jaas.config to match the SPN configured in the Kerberos server.
      ...
      com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule required
              useKeyTab=true
              keyTab="/usr/local/ctera/apache-tomcat/SPNEGO_KEYTAB"
              principal="HTTP/portalname.myportal.com@DOMAIN.COM"
              storeKey=true
              doNotPrompt=true;
      };
      ...
    2. Set the portal to support SPNEGO: set /settings/supportSPNEGO true
    3. If there are Windows 7 clients, on every portal application server, edit /usr/local/ctera/apache-tomcat/conf/server.xml so that the HTTPS connector has the following attributes:
      sslProtocol="TLS"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
      Enabling TLSv1 and TLSv1.1 lowers the minimum protocol version for every client of that server, so keep this setting only while Windows 7 clients that cannot negotiate TLS 1.2 remain.
    4. Restart the servers.
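Steps 1 and 2 above have to be repeated on every Windows client, so the following PowerShell script, an added example that is not CTERA's own tooling, applies the same registry values and reads them back for verification. It assumes the portal DNS suffix is passed as -PortalSuffix (for example myportal.com), that the user function runs as the Active Directory user, and that the machine function runs in an elevated session.

```powershell
# Added example (not from CTERA): applies the client registry settings from steps 1 and 2.
$ZoneMapBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zone1       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$WebClient   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

function Set-PortalSpnegoUserSettings {
    param([Parameter(Mandatory)][string]$PortalSuffix)   # assumption: e.g. myportal.com
    # Step 1.1: ZoneMap\Domains\<suffix> with https=1 maps https://*.<suffix> to zone 1 (Local Intranet)
    $key = Join-Path $ZoneMapBase $PortalSuffix
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 1.2: 1A00 is the Local Intranet logon setting; 0 = automatic logon with current credentials
    New-ItemProperty -Path $Zone1 -Name '1A00' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Set-PortalSpnegoMachineSettings {
    param([Parameter(Mandatory)][string]$PortalSuffix)
    # Step 2: AuthForwardServerList lets the WebClient (WebDAV redirector) forward credentials to the
    # portal hosts. Append to any existing list rather than overwrite it, so other entries survive.
    $entry   = "https://*.$PortalSuffix"
    $current = (Get-ItemProperty -Path $WebClient -Name 'AuthForwardServerList' -ErrorAction SilentlyContinue).AuthForwardServerList
    $list    = @($current | Where-Object { $_ })
    if ($list -notcontains $entry) { $list += $entry }
    New-ItemProperty -Path $WebClient -Name 'AuthForwardServerList' -PropertyType MultiString -Value $list -Force | Out-Null
}

function Test-PortalSpnegoSettings {
    param([Parameter(Mandatory)][string]$PortalSuffix)
    # Reads all three settings back; returns an empty array when the client is fully configured.
    $problems = @()
    $zm = Get-ItemProperty -Path (Join-Path $ZoneMapBase $PortalSuffix) -ErrorAction SilentlyContinue
    if ($zm.https -ne 1) { $problems += "ZoneMap entry for $PortalSuffix is missing or https is not 1" }
    $z1 = Get-ItemProperty -Path $Zone1 -Name '1A00' -ErrorAction SilentlyContinue
    if ($z1.'1A00' -ne 0) { $problems += 'Local Intranet logon setting (1A00) is not 0' }
    $wc = Get-ItemProperty -Path $WebClient -Name 'AuthForwardServerList' -ErrorAction SilentlyContinue
    if (@($wc.AuthForwardServerList) -notcontains "https://*.$PortalSuffix") {
        $problems += "AuthForwardServerList does not contain https://*.$PortalSuffix"
    }
    return $problems
}

# Usage (constructed suffix): run the first call as the AD user, the second elevated, then check.
# Set-PortalSpnegoUserSettings    -PortalSuffix 'myportal.com'
# Set-PortalSpnegoMachineSettings -PortalSuffix 'myportal.com'
# Test-PortalSpnegoSettings       -PortalSuffix 'myportal.com'
```

The WebClient service only reads AuthForwardServerList at start, which is why step 5 (restart the clients) is still required after the script runs.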
