Reference Guide
Kron PAM Administration
Windows Authentication on the KronPAM GUI
windows authentication can be used to log in to the kronpam gui the required settings are outlined in this section the following terms are used in the configuration steps domain controller domaincontrollerfqdn (ex krontech dc krontech new\ internal) kron pam server schostnamefqdn (ex testsso krontech new\ internal) domain name domainname (ex krontech new\ internal ) domain controller configuration the following configurations should be set on the domain controller create a user (ex username win auth, password 123) create an spn (service principal name) for this user, using the following command setspn a http/ kronpamserverhostname username (ex setspn a http/testsso krontech new\ internal ssotest) create an “ssotest keytab” file using the following command ktpass /out c \ keytabfilename /mapuser username @ domainname /princ http/ kronpamserverhostname\@domainname /pass password /kvno 0 ptype krb5 nt principal (ex ktpass /out c \ ssotest keytab /mapuser ssotest @ krontech new\ internal /princ http/ testsso krontech new\ internal @ krontech new\ internal /pass 123 /kvno 0 ptype krb5 nt principal ) kron pam server configuration the following configurations should be set on the single connect server co nnect to kron pam cli as the pamuser user move the “ssotest keytab” file under “$catalina base/conf/” (the default catalina base directory is “u01/netright tomcat”) create the “krb5 ini” file in the tomcat server under “$catalina base/conf/” with the following example content krb5 ini \[libdefaults] default realm = krontech new\ internal default keytab name = file /u01/netright tomcat/conf/ssotest keytab default tkt enctypes = rc4 hmac,aes256 cts hmac sha1 96,aes128 cts hmac sha1 96 default tgs enctypes = rc4 hmac,aes256 cts hmac sha1 96,aes128 cts hmac sha1 96 forwardable=true allow weak crypto=true \[realms] krontech new\ internal = { kdc = krontech dc krontech new\ internal 88 } \[domain realm] krontech new\ internal = krontech new\ internal krontech new\ internal = krontech new\ internal add the following lines in pam gui service file under /usr/lib/systemd/system/ directory djava security krb5 conf=/u01/netright tomcat/conf/krb5 ini djavax security auth usesubjectcredsonly=false example environment="java opts= djava security krb5 conf=/u01/netright tomcat/conf/krb5 ini djavax security auth usesubjectcredsonly=false agentlib\ jdwp=transport=dt socket,server=y,suspend=n,address=8000 xmx2048m xms256m duser language=en duser region=us duser timezone=etc/gmt 3 dlog4j2 formatmsgnolookups=true djava security properties=/u01/kron/security/java security dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml dlog4j configurationfile=/u01/netright tomcat/conf/log4j2 xml client browser configuration the following configurations should be set on the client’s browser configurations made for internet explorer (ie) also activate the edge and chrome browsers for internet explorer (ie) go to settings > internet options > security select “local intranet zone,” click the “sites” button, check all three options, and click the “advanced” button to add the “kronpamserverhostname” with https to this zone ex\ https //testsso krontech new\ internal select “local intranet zone,” click the “custom level” button, and select “automatic logon only intranet ” for firefox type about\ config on the address bar, accept the warning and change the network negotiate auth trusted uris ” value to “ kronpamserverhostname with https ex https //testsso krontech new\ internal restart the computer access the application by typing the kron pam server hostname on the address bar, without the ip ex https //testsso krontech new\ internal kron pam gui configuration add the following parameters in the system config manager navigate to administration > system config man add these parameters parameters aioc auth windows = true windows auth keytab path = /u01/netright tomcat/conf/ssotest keytab windows auth spn = http/kronpamserverhostname example value http/testsso krontech new\ internal