Contents x
    Using Kerberos and SPNEGO Together
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Using Kerberos and SPNEGO Together

    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    In an environment where single sign-on for a portal is configured for users defined in Microsoft Active Directory, using the Kerberos protocol, as described in Using Active Directory for Single Sign-On, you can also configure access to the portal via WebDAV using SPNEGO.

    Note

    Only one virtual portal can be defined with single sign-on using Kerberos. If the global administrator has set up SSO using Kerebos on another virtual portal, you cannot set SSO using Kerebos on this portal.

    To use both Kerberos and SPNEGO to enable SSO to a portal:

    1. Create a new Active Directory Principal and create a new keytab file for this service principal. For details, follow the instruction in the procedure in Using Active Directory for Single Sign-On.
      Run the following command on the domain controller: ktpass –princ SPN -out path_to_keytab -mapuser account_name@DOMAIN -mapOp set –pass account_password as described in the procedure Using Active Directory for Single Sign-On but where SPN is http/portalname.ctera.me@COMPANY.LOCAL
    2. Import the keytab file into the portal next to the existing keytab files, for example, usr/local/ctera/config
    3. Mnually add using the keytab file to the /usr/local/ctera/apache-tomcat/jaas.config file.
      Note

      You cannot use portal-keytab.sh to add the keytab, as it will overwrite the existing keytab and not add the second keytab, as required.

    Example for the jaas.config file after adding the second keytab, with both keytab entries italicized:

    ServicesPortal {
    com.ctera.jaas.HibernateLoginModule required debug="true"; };
com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule required; };
com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/usr/local/ctera/config/ssoktpass.keytab" principal="cttp/portalname.ctera.me@ADSSL.KZ" storeKey=true doNotPrompt=true;
      com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/usr/local/ctera/config/spnegoktpass.keytab" principal="http/portalname.ctera.me@COMPANY.LOCAL" storeKey=true doNotPrompt=true;
};
com.ctera.accounts.KerberosActiveDirectoryConnector {
      com.sun.security.auth.module.Krb5LoginModule required client=TRUE refreshKrb5Config=true; };
    Was this article helpful?
    What's Next
    Copyright © CTERA Networks Ltd. All Rights Reserved