Windows Authentication on the KronPAM GUI
Windows Authentication can be used to log in to the KronPAM GUI. The required settings are outlined in this section. The following terms are used in the configuration steps:
- Domain Controller: DomainControllerFQDN (Ex: krontech-dc.krontech-new.internal)
- Kron PAM Server: schostnameFQDN (Ex: testsso.krontech-new.internal)
- Domain Name: DomainName (Ex: krontech-new.internal)
The following configurations should be set on the Domain Controller:
- Create a user (Ex: username: win_auth, password: 123)
- Create an SPN (Service Principal Name) for this user, using the following command: setspn -A HTTP/KronPAMServerHostname username (Ex: setspn -A HTTP/testsso.krontech-new.internal ssotest)
- Create an "ssotest.keytab" file using the following command: ktpass /out c:\keytabFileName /mapuser username@DomainName /princ HTTP/KronPAMServerHostname@DomainName /pass password /kvno 0 -ptype KRB5_NT_PRINCIPAL (Ex: ktpass /out c:\ssotest.keytab /mapuser ssotest@krontech-new.internal /princ HTTP/testsso.krontech-new.internal@krontech-new.internal /pass 123 /kvno 0 -ptype KRB5_NT_PRINCIPAL)
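Before the keytab is copied to the Kron PAM server it is worth confirming that it really contains the HTTP/KronPAMServerHostname principal that the SPN and ktpass steps above were meant to produce (a keytab written for the wrong principal or realm fails only later, with an opaque GSS error in the browser). The following is an added example, not Kron's tooling or code from this page: a small parser for the standard keytab layout that ktpass writes (file version 0x0502), plus a writer that builds a constructed one-entry keytab in memory so the example runs offline. The realm KRONTECH-NEW.INTERNAL is the usual upper-case form of the domain name used above and is an assumption; the key bytes are placeholders.

```python
"""Parse a Kerberos keytab (the 0x0502 layout written by ktpass and ktutil)
and check that it holds the service principal the KronPAM GUI expects.
Added example: build_keytab() only produces constructed sample data so the
block runs offline; parse_keytab() is the part to reuse on a real file."""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1            # name type written by "-ptype KRB5_NT_PRINCIPAL"
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str               # e.g. HTTP/host@REALM
    name_type: int
    kvno: int
    enctype: int
    timestamp: int


def _octet_string(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, key: bytes, kvno: int = 0,
                 enctype: int = ETYPE_AES256_CTS_HMAC_SHA1_96,
                 timestamp: int = 0) -> bytes:
    """Write a one-entry keytab (constructed sample; key is placeholder data)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octet_string(realm.encode())
    for comp in components:
        body += _octet_string(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octet_string(key)
    body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_octets(buf: bytes, pos: int) -> tuple:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def _parse_entry(buf: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, pos = _read_octets(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _read_octets(buf, pos)
        comps.append(comp.decode())
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
    pos += 9
    (enctype,) = struct.unpack_from(">H", buf, pos)
    _key, pos = _read_octets(buf, pos + 2)   # key material itself is not needed here
    kvno = vno8
    if pos + 4 <= len(buf):                  # a non-zero 32-bit kvno overrides vno8
        (vno32,) = struct.unpack_from(">I", buf, pos)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(),
                       name_type, kvno, enctype, timestamp)


def parse_keytab(blob: bytes) -> list:
    """Decode every used slot of a v2 keytab; raise ValueError on a bad file."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                         # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        if end > len(blob):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(blob[pos:end]))
        pos = end
    return entries


def has_service_principal(blob: bytes, host: str, realm: str) -> bool:
    """True if the keytab holds HTTP/<host>@<REALM> as a KRB5_NT_PRINCIPAL entry."""
    wanted = "HTTP/%s@%s" % (host, realm)
    return any(e.principal == wanted and e.name_type == KRB5_NT_PRINCIPAL
               for e in parse_keytab(blob))


# Constructed sample using the hostnames from the steps above (realm assumed).
SAMPLE_KEYTAB = build_keytab(
    "HTTP/testsso.krontech-new.internal@KRONTECH-NEW.INTERNAL", key=bytes(32))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(has_service_principal(SAMPLE_KEYTAB,
                                "testsso.krontech-new.internal",
                                "KRONTECH-NEW.INTERNAL"))
```

On the server, replace SAMPLE_KEYTAB with the bytes of $CATALINA_BASE/conf/ssotest.keytab; a result of False from has_service_principal means the ktpass /princ value or realm does not match the hostname the browser will request, and the GUI login will not negotiate.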
The following configurations should be set on the Single Connect server:
- Connect to Kron PAM CLI as the pamuser user.
- Move the "ssotest.keytab" file under "$CATALINA_BASE/conf/". (The default Catalina base directory is "/u01/netright-tomcat")
- Create the "krb5.ini" file in the Tomcat Server under "$CATALINA_BASE/conf/" with the following example content:
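The krb5.ini content itself is not reproduced on this page. As an added illustration (not the vendor's file), a minimal krb5.ini for the names defined at the top of this section would point the realm at the domain controller and map the DNS domain onto the realm; the upper-case realm name KRONTECH-NEW.INTERNAL follows the usual Active Directory convention and is an assumption here:

```ini
[libdefaults]
    default_realm = KRONTECH-NEW.INTERNAL

[realms]
    KRONTECH-NEW.INTERNAL = {
        kdc = krontech-dc.krontech-new.internal
        admin_server = krontech-dc.krontech-new.internal
    }

[domain_realm]
    .krontech-new.internal = KRONTECH-NEW.INTERNAL
    krontech-new.internal = KRONTECH-NEW.INTERNAL
```

The realm in this file must match the realm part of the principal inside the keytab (HTTP/testsso.krontech-new.internal@KRONTECH-NEW.INTERNAL), otherwise the JVM cannot find a key for the ticket the browser presents.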
- Add the following lines in the pam-gui.service file under the /usr/lib/systemd/system/ directory:
  -Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini
  -Djavax.security.auth.useSubjectCredsOnly=false
  Example: Environment="JAVA_OPTS=-Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini -Djavax.security.auth.useSubjectCredsOnly=false -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -Xmx2048m -Xms256m -Duser.language=en -Duser.region=US -Duser.timezone=Etc/GMT-3 -Dlog4j2.formatMsgNoLookups=true -Djava.security.properties=/u01/kron/security/java.security -Dlog4j.configurationFile=/u01/netright-tomcat/conf/log4j2.xml"
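Because the JAVA_OPTS line is long and usually edited by hand, a quick check that the two Kerberos settings are present with the expected values, and that nothing unwanted rode along, saves a restart cycle. The following is an added example, not Kron's tooling: it extracts the Environment="JAVA_OPTS=..." line from a unit file, verifies the two required options, reports duplicated options, and flags a JDWP debug agent (the -agentlib:jdwp option in the example line above opens an unauthenticated debugger port, which should not remain enabled on a production GUI node). The sample unit text is constructed.

```python
"""Check the JAVA_OPTS line of a pam-gui.service unit for the Kerberos
settings the steps above require and for options that should not be present
on a production node. Added example; the sample unit file is constructed."""
import re
import shlex

# Option -> value the Windows Authentication setup requires.
REQUIRED = {
    "-Djava.security.krb5.conf": "/u01/netright-tomcat/conf/krb5.ini",
    "-Djavax.security.auth.useSubjectCredsOnly": "false",
}
# Options that expose a remote debugger on the JVM.
RISKY_PREFIXES = ("-agentlib:jdwp", "-Xrunjdwp")


def java_opts(unit_text: str) -> list:
    """Return the JAVA_OPTS tokens from an Environment="JAVA_OPTS=..." line."""
    m = re.search(r'^\s*Environment="JAVA_OPTS=(.*)"\s*$', unit_text, re.M)
    if not m:
        raise ValueError('no Environment="JAVA_OPTS=..." line found')
    return shlex.split(m.group(1))


def check_java_opts(unit_text: str) -> dict:
    """Report missing required options, duplicated options and debug agents."""
    opts = java_opts(unit_text)
    seen, duplicates = {}, set()
    for opt in opts:
        key, _, value = opt.partition("=")   # "-Dfoo=bar" -> ("-Dfoo", "bar")
        if key in seen:
            duplicates.add(key)
        seen[key] = value
    missing = [k for k, v in REQUIRED.items() if seen.get(k) != v]
    risky = [o for o in opts if o.startswith(RISKY_PREFIXES)]
    return {"missing": missing, "duplicates": sorted(duplicates), "risky": risky}


# Constructed sample: required options present, one duplicate, a debug agent.
SAMPLE_UNIT = """[Service]
Environment="JAVA_OPTS=-Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini \
-Djavax.security.auth.useSubjectCredsOnly=false \
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 \
-Xmx2048m -Dlog4j2.formatMsgNoLookups=true \
-Dlog4j.configurationFile=/u01/netright-tomcat/conf/log4j2.xml \
-Dlog4j.configurationFile=/u01/netright-tomcat/conf/log4j2.xml"
"""

if __name__ == "__main__":
    report = check_java_opts(SAMPLE_UNIT)
    for kind, items in report.items():
        print("%-10s %s" % (kind, items or "none"))
```

Run it against the real file with check_java_opts(open("/usr/lib/systemd/system/pam-gui.service").read()); an empty "missing" list and an empty "risky" list is the state to aim for before systemctl daemon-reload and a service restart.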
The following configurations should be set on the client's browser. Configurations made for Internet Explorer (IE) also activate the Edge and Chrome browsers.
For Internet Explorer (IE):
- Go to Settings > Internet Options > Security
- Select "Local Intranet Zone," click the "Sites" button, check all three options, and click the "Advanced" button to add the "KronPAMServerHostname" with HTTPS to this zone. Ex: https://testsso.krontech-new.internal
- Select "Local Intranet Zone," click the "Custom Level" button, and select "Automatic logon only in Intranet zone."
For Firefox:
- Type about:config on the address bar, accept the warning and change the "network.negotiate-auth.trusted-uris" value to "KronPAMServerHostname" with HTTPS. Ex: https://testsso.krontech-new.internal
- Restart the computer.
- Access the application by typing the Kron PAM Server Hostname on the address bar, not the IP. Ex: https://testsso.krontech-new.internal
Add the following parameters in the System Config Manager:
- Navigate to Administration > System Config. Man.
- Add these parameters: