Reference Guide
Kron PAM Administration

Windows Authentication on the Kron PAM GUI


Windows Authentication can be used to log in to the Kron PAM GUI. The required settings are outlined in this section. The following terms are used in the configuration steps:

Domain Controller: DomainControllerFQDN (Ex: WIN-TEST.singleconnect.com)
Kron PAM Server: schostnameFQDN (Ex: sc-test.singleconnect.com)
Domain Name: DomainName (Ex: singleconnect.com)

Domain Controller Configuration

The following configurations should be set on the Domain Controller:

  1. Create a user (Ex: username: win_auth, password: 123).
  2. Create an SPN (Service Principal Name) for this user with the following command: setspn -A HTTP/schostnameFQDN username (Ex: setspn -A HTTP/sc-test.singleconnect.com win_auth)
  3. Create the “sc.keytab” file with the following command: ktpass /out c:\sc.keytab /mapuser username@DomainName /princ HTTP/schostnameFQDN@DomainName /pass password /kvno 0 /ptype KRB5_NT_PRINCIPAL (Ex: ktpass /out c:\sc.keytab /mapuser win_auth@singleconnect.com /princ HTTP/sc-test.singleconnect.com@singleconnect.com /pass 123 /kvno 0 /ptype KRB5_NT_PRINCIPAL)

Kron PAM Server Configuration

The following configurations should be set on the Kron PAM (Single Connect) server:

  1. Establish an SSH connection to Kron PAM as the pamuser user.
  2. Move the “sc.keytab” file under “$CATALINA_BASE/conf/”. (The default Catalina base directory is “/u01/netright-tomcat”.)
  3. Create the “krb5.ini” file on the Tomcat server under “$CATALINA_BASE/conf/” with the following example content:

     [libdefaults]
     default_realm = SINGLECONNECT.COM
     default_keytab_name = FILE:/u01/netright-tomcat/conf/sc.keytab
     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
     forwardable = true
     allow_weak_crypto = true

     [realms]
     SINGLECONNECT.COM = {
         kdc = WIN-TEST.singleconnect.com:88
     }

     [domain_realm]
     SingleConnect.com = SINGLECONNECT.COM
     .SingleConnect.com = SINGLECONNECT.COM

     Note that rc4-hmac is a deprecated Kerberos cipher and allow_weak_crypto = true additionally enables the legacy DES types; keep them only if the domain still requires them, and prefer the AES types otherwise.

  4. Add the following options to the JAVA_OPTS line of the pam-gui.service file under the /usr/lib/systemd/system directory:

     -Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini
     -Djavax.security.auth.useSubjectCredsOnly=false

     Example:

     Environment="JAVA_OPTS=-Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini -Djavax.security.auth.useSubjectCredsOnly=false -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -Xmx2048m -Xms256m -Duser.language=en -Duser.region=US -Duser.timezone=Etc/GMT-3 -Dlog4j2.formatMsgNoLookups=true -Djava.security.properties=/u01/kron/security/java.security -Dlog4j.configurationFile=/u01/netright-tomcat/conf/log4j2.xml"

     The -agentlib:jdwp option in this example opens a remote debugger port (8000); it is not needed for Windows Authentication and should not be left enabled on a production server.

Client Browser Configuration

The following configurations should be set in the client’s browser. The Internet Explorer (IE) settings are system-wide Internet Options, so they also apply to Edge and Chrome.

For Internet Explorer (IE):

  1. Go to Settings > Internet Options > Security.
  2. Select the Local Intranet zone, click the Sites button, check all three options, then click the Advanced button and add the Kron PAM Server name to this zone (Ex: http://sc-test.SingleConnect.com).
  3. Select the Local Intranet zone, click the Custom Level button, and under User Authentication > Logon select “Automatic logon only in Intranet zone”.

For Firefox:

  1. Type about:config in the address bar, accept the warning, and set the network.negotiate-auth.trusted-uris value to the Kron PAM Server hostname (Ex: http://sc-test.singleconnect.com).
  2. Restart the computer.
  3. Access the application by typing the Kron PAM Server hostname (not its IP address) in the address bar. Ex: http://sc-test.singleconnect.com

Kron PAM GUI Configuration

Add the following parameters in the System Config Manager:

  1. Navigate to Administration > System Config. Man.
  2. Add these parameters:

     windows.auth.keytab.path = /u01/netright-tomcat/conf/sc.keytab
     windows.auth.spn = HTTP/SingleConnectServerName (Example value: HTTP/sc-test.SingleConnect.com)
     aioc.auth.windows = true
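The following pre-flight script is an added example, not part of the Kron PAM documentation or product. It covers the server configuration steps above and the System Config Manager parameters: it verifies that the realm in the keytab principal (the ktpass /princ value) matches default_realm in krb5.ini, that windows.auth.spn names the same service as the keytab principal, that sc.keytab is not readable by other users, and that pam-gui.service carries both JVM options. The function names, the run_all wrapper and the sample files written by write_sample_files are constructed for this example; on a real server the checks are pointed at /u01/netright-tomcat/conf and /usr/lib/systemd/system instead.

```shell
#!/bin/sh
# Added example (not Kron's code): pre-flight checks for the Kron PAM
# Windows Authentication setup. Paths follow this guide; the sample files
# written by write_sample_files are constructed for a stand-alone run.

# Print the default_realm of a krb5.ini (empty if absent).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# check_krb5_ini INI PRINCIPAL: the realm in PRINCIPAL (HTTP/host@REALM) must
# equal default_realm exactly. Kerberos realm names are case-sensitive, so
# SINGLECONNECT.COM and singleconnect.com are different realms.
check_krb5_ini() {
    ini=$1; princ=$2
    case "$princ" in *@*) ;; *) echo "principal '$princ' has no @REALM"; return 1 ;; esac
    realm=$(krb5_default_realm "$ini")
    [ -n "$realm" ] || { echo "no default_realm in $ini"; return 1; }
    [ "$realm" = "${princ##*@}" ] || { echo "realm mismatch: krb5.ini=$realm principal=${princ##*@}"; return 1; }
    grep -q '^[[:space:]]*kdc[[:space:]]*=' "$ini" || { echo "no kdc entry in $ini"; return 1; }
}

# check_spn SPN PRINCIPAL: the windows.auth.spn value (HTTP/host, no realm)
# must name the same service as the keytab principal; hostnames are
# case-insensitive, so both sides are compared lowercased.
check_spn() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "${2%@*}" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ] || { echo "SPN '$1' does not match keytab principal '$2'"; return 1; }
}

# check_keytab_perms FILE: the keytab holds the service key, so it must exist
# and must not be readable by group or others (mode 600 or 400).
check_keytab_perms() {
    [ -f "$1" ] || { echo "keytab $1 not found"; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) ;;
        *) echo "keytab $1 has mode $mode, expected 600"; return 1 ;;
    esac
}

# check_service_opts FILE: both JVM options from the guide must be present.
check_service_opts() {
    grep -q -- '-Djava.security.krb5.conf=' "$1" || { echo "krb5.conf option missing in $1"; return 1; }
    grep -q -- '-Djavax.security.auth.useSubjectCredsOnly=false' "$1" || { echo "useSubjectCredsOnly option missing in $1"; return 1; }
}

# run_all INI KEYTAB SERVICE PRINCIPAL SPN: run every check, report each
# problem found, and return 0 only if all of them pass.
run_all() {
    rc=0
    check_krb5_ini "$1" "$4" || rc=1
    check_spn "$5" "$4" || rc=1
    check_keytab_perms "$2" || rc=1
    check_service_opts "$3" || rc=1
    return $rc
}

# write_sample_files DIR: constructed krb5.ini, keytab placeholder and
# service file mirroring the guide's examples (not real secrets).
write_sample_files() {
    cat > "$1/krb5.ini" <<'EOF'
[libdefaults]
default_realm = SINGLECONNECT.COM
default_keytab_name = FILE:/u01/netright-tomcat/conf/sc.keytab
[realms]
SINGLECONNECT.COM = {
    kdc = WIN-TEST.singleconnect.com:88
}
EOF
    printf 'placeholder, not a real keytab\n' > "$1/sc.keytab"
    chmod 600 "$1/sc.keytab"
    printf 'Environment="JAVA_OPTS=-Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini -Djavax.security.auth.useSubjectCredsOnly=false"\n' > "$1/pam-gui.service"
}

# Stand-alone demo against the constructed files.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
if run_all "$demo_dir/krb5.ini" "$demo_dir/sc.keytab" "$demo_dir/pam-gui.service" \
        'HTTP/sc-test.singleconnect.com@SINGLECONNECT.COM' 'HTTP/sc-test.SingleConnect.com'; then
    echo "all checks passed"
fi
rm -rf "$demo_dir"
```

Run it as pamuser with the real paths substituted for the demo directory; the realm check is the one that most often fails in practice, because the ktpass example writes the realm in lowercase while krb5.ini names it in uppercase.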