Windows Authentication on the Single Connect GUI

Windows Authentication can be used to log in to the Single Connect GUI. The required settings are outlined in this section. The following terms are used in the configuration steps:

Domain Controller: DomainControllerFQDN (Ex: WIN-TEST.singleconnect.com)
Single Connect Server: schostnameFQDN (Ex: sc-test.singleconnect.com)
Domain Name: DomainName (Ex: singleconnect.com)

Domain Controller Configuration

The following configurations should be set on the Domain Controller:

  1. Create a user (Ex: username: win_auth, password: 123)
  2. Create an SPN (Service Principal Name) for this user, using the following command:
       setspn -A HTTP/SingleServerHostname username
     (Ex: setspn -A HTTP/sc-test.singleconnect.com win_auth)
  3. Create an “sc.keytab” file using the following command:
       ktpass /out c:\sc.keytab /mapuser usernameFQDN /princ HTTP/schostnameFQDN@domainName /pass password /kvno 0
     (Ex: ktpass /out c:\sc.keytab /mapuser [email protected] /princ HTTP/sc-[email protected] /pass 123 /kvno 0)

Single Connect Server Configuration

The following configurations should be set on the Single Connect server:

  1. Establish an SSH connection to Single Connect as the pamuser user.
  2. Move the “sc.keytab” file under “$CATALINA_BASE/conf/”. (The default Catalina base directory is “/u01/netright-tomcat”.)
  3. Create the “krb5.ini” file on the Tomcat server under “$CATALINA_BASE/conf/” with the following example content:
       [libdefaults]
       default_realm = SINGLECONNECT.COM
       default_keytab_name = FILE:/u01/netright-tomcat/conf/sc.keytab
       default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
       default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
       forwardable=true
       [realms]
       SINGLECONNECT.COM = {
           kdc = WIN-TEST.singleconnect.com:88
       }
       [domain_realm]
       SingleConnect.com= SINGLECONNECT.COM
       .SingleConnect.com= SINGLECONNECT.COM
  4. Add the following lines at the end of the “$CATALINA_BASE/bin/setenv.sh” file:
       export CATALINA_OPTS="$CATALINA_OPTS -Djava.security.krb5.conf=/u01/netright-tomcat/conf/krb5.ini"
       export CATALINA_OPTS="$CATALINA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
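
The following checks are an added example, not part of the vendor's documentation. They test the three files touched in the steps above: keytab permissions, weak encryption types in krb5.ini, and a later CATALINA_OPTS assignment in setenv.sh that discards an earlier one. The function names are hypothetical and the files used in demo() are constructed samples.

```shell
#!/bin/sh
# Added example, not vendor code; function names are hypothetical.

# Succeeds only if the keytab grants nothing to group or others (e.g. mode 600).
keytab_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints each *_enctypes line of a krb5.ini whose value still offers RC4 or DES
# (deprecated for Kerberos by RFC 6649 and RFC 8429). Exit status 1: none found.
weak_enctype_lines() {
    grep -E '^[[:space:]]*[a-z_]+_enctypes[[:space:]]*=' "$1" |
        grep -Ei '=.*(rc4|arcfour|des)'
}

# Prints how many CATALINA_OPTS assignments after the first do not re-use
# $CATALINA_OPTS and therefore discard the JVM options set before them.
clobbering_assignments() {
    awk '/^[ \t]*(export[ \t]+)?CATALINA_OPTS=/ {
             n++
             if (n > 1 && $0 !~ /\$[{]?CATALINA_OPTS/) c++
         }
         END { print c + 0 }' "$1"
}

# Demo on constructed sample files (not taken from a real server).
demo() {
    d=$(mktemp -d) || return 1
    printf 'k' > "$d/sc.keytab"
    chmod 644 "$d/sc.keytab"
    printf '%s\n' '[libdefaults]' \
        'default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96' \
        'default_tgs_enctypes = aes256-cts-hmac-sha1-96' > "$d/krb5.ini"
    printf '%s\n' \
        'export CATALINA_OPTS="-Djava.security.krb5.conf=/tmp/krb5.ini"' \
        'export CATALINA_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false"' \
        > "$d/setenv.sh"
    keytab_is_private "$d/sc.keytab" || echo "keytab is readable by group/others"
    weak_enctype_lines "$d/krb5.ini" | sed 's/^/weak enctype: /'
    echo "clobbering assignments: $(clobbering_assignments "$d/setenv.sh")"
    rm -rf "$d"
}
demo
```

On the server, point the three functions at “$CATALINA_BASE/conf/sc.keytab”, “$CATALINA_BASE/conf/krb5.ini” and “$CATALINA_BASE/bin/setenv.sh”.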

Client Browser Configuration

The following configurations should be set on the client’s browser. Configurations made for Internet Explorer (IE) also apply to the Edge and Chrome browsers.

For Internet Explorer (IE):

  1. Go to Settings > Internet Options > Security.
  2. Select Local Intranet Zone, click the Sites button, check all three options, and click the Advanced button to add the Single Connect Server Name to this zone. Ex: http://sc-test.SingleConnect.com
  3. Select Local Intranet Zone, click the Custom Level button, and select Automatic logon only in Intranet zone.

For Firefox:

  1. Type about:config in the address bar, accept the warning, and change the network.negotiate-auth.trusted-uris value to the Single Connect Server Hostname. Ex: http://sc-test.singleconnect.com
  2. Restart the computer.
  3. Access the application by typing the Single Connect Server Hostname in the address bar, without the IP. Ex: http://sc-test.singleconnect.com

Single Connect GUI Configuration

Add the following parameters in the System Config Manager:

  1. Navigate to Administration > System Config. Man.
  2. Add these parameters:
       windows.auth.keytab.path = /u01/netright-tomcat/conf/sc.keytab
       windows.auth.spn = HTTP/SingleConnectServerName (Example value: HTTP/sc-test.SingleConnect.com)
       aioc.auth.windows = true