Reference Guide
Kron PAM Administration

Windows Authentication on the Kron PAM GUI

Windows Authentication can be used to log in to the Kron PAM GUI. The required settings are outlined in this section. The following terms are used in the configuration steps:

DomainController: DomainControllerFQDN (Ex: krontech-dc.krontech-new.internal) KronPAMServerHostname: schostnameFQDN (Ex: testsso.krontech-new.internal) DomainName: DomainName (Ex: krontech-new.internal)

Domain Controller Configuration

The following configurations should be set on the Domain Controller:

  1. Create a user (Ex: username: win_auth, password: 123)
  2. Create an SPN (Service Principal Name) for this user, using the following command: setspn -A HTTP/KronPAMServerHostname username (Ex: setspn -A HTTP/testsso.krontech-new.internal ssotest)
  3. Create a ssotest.keytab file using the following command: ktpass /out c:\keytabFileName /mapuser username@DomainName/princ HTTP/KronPAMServerHostname@DomainName /pass password /kvno 0 -ptype KRB5_NT_PRINCIPAL (Ex: ktpass /out c:\ssotest.keytab /mapuser ssotest@krontech-new.internal /princ HTTP/testsso.krontech-new.internal@krontech-new.internal /pass 123 /kvno 0 -ptype KRB5_NT_PRINCIPAL )

Kron PAM Server Configuration

The following configurations should be set on the KronPAM server:

  1. Connect to Kron PAM CLI as the pamuser user.
  2. Move the ssotest.keytab file under $CATALINA_BASE/conf/.
    • The default Catalina base directory is /pam/gui
  3. Create the krb5.ini file in the Tomcat Server under $CATALINA_BASE/conf/ with the following example content:
krb5.ini

  • Add the following lines in pam-gui.service file under /usr/lib/systemd/system/ directory. -Djava.security.krb5.conf=/pam/gui/conf/krb5.ini -Djavax.security.auth.useSubjectCredsOnly=false

Example: Environment="JAVA_OPTS=-Djava.security.krb5.conf=/pam/gui/conf/krb5.ini -Djavax.security.auth.useSubjectCredsOnly=false -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -Xmx2048m -Xms256m -Duser.language=en -Duser.region=US -Duser.timezone=Etc/GMT-3 -Dlog4j2.formatMsgNoLookups=true -

Client Browser Configuration

The following configurations should be set on the client’s browser. Configurations made for Internet Explorer (IE) also activate the Edge and Chrome browsers.

For Internet Explorer (IE):

  1. Go to Settings > Internet Options > Security
  2. Select Local Intranet Zone, click the Sites button, check all three options, and click the Advanced button to add the KronPAMServerHostname with HTTPS to this zone. Ex:https://testsso.krontech-new.internal
  3. Select Local Intranet Zone, click the Custom Level button, and select Automatic logon only intranet.

For Firefox:

  1. Type about:config on the address bar, accept the warning and change the network.negotiate-auth.trusted-uris value to KronPAMServerHostname with HTTPS Ex: https://testsso.krontech-new.internal
  2. Restart the computer.
  3. Access the application by typing the Kron PAM Server Hostname on the address bar, without the IP Ex: https://testsso.krontech-new.internal

Kron PAM GUI Configuration

Add the following parameters in the System Config Manager:

  1. Navigate to Administration > System Config. Man.
  2. Add these parameters:
Text

Windows Authentication Checkbox on Web Interface of Kron PAM
Windows Authentication Checkbox on Web Interface of Kron PAM

PREVIOUS
Hardware Security Module (HSM) Integration
NEXT
Windows Authentication on the Kron PAM Desktop Client
Docs powered by Archbee