INUVIKA TECHNICAL GUIDE
Active Directory SSO using Kerberos

Version 1.8, May 11, 2020

Passing on or copying of this document, use and communication of its content not permitted without Inuvika written approval



PREFACE

This document explains the steps to implement Single Sign-On for users of Inuvika OVD integrated with Microsoft Active Directory, using Kerberos.


HISTORY

Version  Date        Comments
1.8      2019-04-24  Updates for OVD 2.7. Added tabs and backwards compatibility.
1.7      2017-10-18  Updates for OVD 2.5. Removing CAS.
1.6      2017-07-18  Reformatting.
1.5      2017-01-02  Updates for OVD 2.3.
1.4      2016-08-30  Corrections for config files.
1.3      2016-06-16  Updates for OVD 2.0.
1.2      2016-05-18  Documentation clarifications and additions for CentOS/RHEL.
1.1      2016-03-14  Fix typos and clarifications.
1.0      2015-11-17  Initial version.


TABLE OF CONTENTS

1 Introduction
  1.1 Active Directory and Kerberos Auth Method
    1.1.1 Understanding Kerberos Concepts
  1.2 OVD and SSO
  1.3 Related Documentation
2 Pre-Requisites
  2.1 Server Environment
  2.2 Session Manager IP Configuration
  2.3 Workstation and Domain Account
  2.4 Client Compatibility
  2.5 Integrating Microsoft Active Directory with OVD
3 Network Overview
4 Session Manager Configuration
  4.1 FQDN and DNS Compatibility
    4.1.1 System Hostname Definition
    4.1.2 Active Directory DNS
  4.2 Time Synchronization
  4.3 Install and Configure Kerberos
    4.3.1 Verification
  4.4 Joining the Domain
  4.5 Active Directory Users and Computers
  4.6 Create a Service Ticket
  4.7 Apache and Kerberos
    4.7.1 Validate the Configuration
  4.8 Kerberos and OVD
5 OWA HTML5 Client
6 Enterprise Desktop Client
  6.1 Workstation Configuration
    6.1.1 AllowTGTSessionKey
    6.1.2 Enable DES
  6.2 EDC
7 Troubleshooting
  7.1 Validate Test Case
  7.2 DNS Issues
  7.3 Clock Skew
  7.4 OWA HTML5
  7.5 EDC
  7.6 Static IP Address Configuration
  7.7 Apache Group


1 INTRODUCTION

1.1 ACTIVE DIRECTORY AND KERBEROS AUTH METHOD

The Kerberos authentication protocol provides authentication, including mutual authentication, between a client and a server, or between two servers. Microsoft Active Directory implements a Kerberos authentication realm: the domain. Once a user has signed in to a Windows workstation joined to the domain, the ticket obtained at sign-in is used to reach Kerberos-enabled services in that domain, and the user is not asked for credentials again. This is what Microsoft calls Single Sign-On (SSO). A detailed overview of Microsoft's Kerberos implementation can be found in the Microsoft Kerberos authentication guide.

1.1.1 UNDERSTANDING KERBEROS CONCEPTS

The Kerberos authentication protocol is standard on all versions of Windows. A typical Kerberos exchange involves three parties:

• the Key Distribution Center (KDC), which in Active Directory is provided by the Domain Controller;
• a client workstation that is a member of the domain; and
• a server hosting the service the client wants to access.

At sign-in the client obtains a Ticket Granting Ticket (TGT) from the KDC. When it later needs a service, it presents the TGT to the KDC and asks for a service ticket for that server's service principal name (for a web server, HTTP/<fqdn>). The server checks the service ticket with its own long-term key, stored in its keytab, without contacting the KDC. An overview of a typical Kerberos workflow can be found in the Microsoft Kerberos guide.

1.2 OVD AND SSO

The default Inuvika OVD authentication method requires a login and password and stores the user credentials in the internal MySQL database. OVD can also be configured to use external authentication services such as LDAP and Microsoft Active Directory.

A Single Sign-On mechanism authenticates a user once, on a trusted authentication platform, and then connects the user to other resources by re-using the proof of that authentication. OVD is compatible with several SSO solutions, such as SAML2.

Integrating OVD with Active Directory SSO lets users open an OVD session without typing any login details: the Kerberos ticket delivered by Active Directory at the initial workstation sign-in is re-used instead. The following sections describe the configuration that enables OVD to use SSO with Active Directory.

1.3 RELATED DOCUMENTATION

The following OVD Enterprise documentation is available:

• Microsoft Active Directory Integration Guide
• Administration Guide
• SAML 2.0 Configuration Guide


2 PRE-REQUISITES

2.1 SERVER ENVIRONMENT

The server environment must include a Microsoft Domain Controller as well as a typical OVD server farm. The Microsoft Domain Controller (DC) must have the following characteristics:

• Active Directory is installed and functional
• DNS Server is installed and functional
• Configured as an NTP host server
• Domain functional level 2008 R2 or 2012 R2

The OVD server farm must be able to reach the Domain Controller and vice-versa. The OVD farm consists of the following:

• A server that hosts the OVD Session Manager, Web Access and Admin Console
• An OVD Application Server (ApS), either Windows or Linux or both
• An OVD File Server (OFS)

Note
- If OVD was configured to use the internal authentication method, all publications will need to be recreated after changing the authentication method.
- Back up your running OVD farm and Microsoft Active Directory server before executing any of the integration steps that follow. It is preferable to test the integration on cloned servers or in a newly created, isolated environment, so that you can test the OVD SSO integration comprehensively. The environment must be isolated so that the production domain never sees the cloned Domain Controller; otherwise the clone could propagate policy into production.
- The ApS and OFS cannot be installed on the same server as the Session Manager. Doing so creates a configuration conflict that prevents the system from working correctly.
- All passwords are case sensitive.

2.2 SESSION MANAGER IP CONFIGURATION

The Session Manager IP address may be assigned either by DHCP or by a static IP configuration. If DHCP is used and the DHCP service is not provided by the Active Directory server, the following must be ensured:

• The DHCP server must always provide the same IP address to the Session Manager (reservation by MAC address)
• The DHCP server must provide the Session Manager with the IP address of the Active Directory server as the primary DNS server

It is highly recommended to confirm both points before proceeding further in this document. If they cannot be confirmed, a possible workaround is to configure the Session Manager with a static IP address.


2.3 WORKSTATION AND DOMAIN ACCOUNT

SSO integration requires that the user logs in with a user account managed by Microsoft Active Directory and that the workstation is joined to the domain.

2.4 CLIENT COMPATIBILITY

The SSO feature is compatible with OVD clients running on a Windows workstation that is joined to the Active Directory domain: the OVD Enterprise Desktop Client and the OVD Web Access clients on Windows. It is not compatible with the Enterprise Mobile Client (Android, iOS), with the Enterprise Desktop Client on Linux and Mac, or with the Web Access clients running on Linux or Mac.

2.5 INTEGRATING MICROSOFT ACTIVE DIRECTORY WITH OVD

OVD must be configured to use the Active Directory authentication method. Please refer to the Microsoft Active Directory Integration Guide for detailed instructions. For information about the "Domain Integration Settings" in the OVD Administration Console, please refer to the OVD Administration Guide. In the Domain Users section of the configuration page, ensure that the "Use Internal method to handle users in OVD Sessions" option is selected. The "Use Active Directory to handle users in OVD sessions" option is not compatible with Single Sign-On.

After changing the authentication method, users must be assigned to the relevant user groups and publications must be created so that they can open a session. Session data and user profiles created while Internal Authentication was enabled will no longer be accessible after switching to Active Directory. After creating the publications, verify that users can access OVD correctly by having them log in and confirm that they see the same applications as before the Active Directory changes.


3 NETWORK OVERVIEW

Figure 1: A standard OVD Network with a Microsoft Domain Controller

Note
In the figure above and throughout the example, the Microsoft Domain Controller is dc.test.demo and the Session Manager is osm.test.demo. The Windows domain is test.demo.


4 SESSION MANAGER CONFIGURATION

Session Manager support for Windows SSO relies on Samba to manage the Kerberos keytab, a file containing pairs of Kerberos principals and their secret keys, and on the krb5-user package, which provides the basic MIT Kerberos client programs. The following sections describe how to set up Samba on the Session Manager server to provide this capability.

4.1 FQDN AND DNS COMPATIBILITY

Windows Kerberos requires the use of Fully Qualified Domain Names (FQDN); it does not work with IP addresses, because the client builds the service principal name it asks the KDC for (here HTTP/osm.test.demo) from the host name it connects to, and no ticket can be issued for an IP address. Each server in a Kerberos authentication realm must be assigned an FQDN that is forward-resolvable. MIT Kerberos clients may also canonicalize the host name through a reverse lookup before building the principal name, so the PTR record for the server's IP address should return the same FQDN. Forward and reverse lookups for an FQDN can be tested with the nslookup command.

4.1.1 SYSTEM HOSTNAME DEFINITION

Before proceeding, make sure that the Session Manager server is configured correctly by entering the following commands and checking that the response is as expected:

• hostname: the expected response is osm
• hostname -f: the expected response is osm.test.demo

If either response is not as expected, follow the steps below to correct the configuration and then retest:

1. Make sure the system hostname is defined correctly (osm) and does not contain the domain name (test.demo) by editing /etc/hostname so that it defines osm as the hostname.

2. Edit /etc/hosts and ensure it contains the following line, using the IP address and Session Manager FQDN applicable to your environment (the FQDN must come first, before the short name, because hostname -f returns the first name on the matching line):

   192.168.0.201 osm.test.demo osm

3. If you modified /etc/hostname or /etc/hosts, reboot the server.

4. After the reboot, make sure the expected responses are obtained for the hostname and hostname -f commands.

Note
When configuring the hostname for your environment, the domain part of the FQDN should be the Windows domain name defined by the Active Directory Domain Controller.

4.1.2 ACTIVE DIRECTORY DNS

Using the DNS server provided by the Active Directory server simplifies the FQDN requirements for Kerberos. To check that the DNS server is working correctly, perform the following steps:

1. Open /etc/resolv.conf on the Session Manager server and ensure that the name server is the Domain Controller's IP address. If it is not:

   (a) For a DHCP configuration, go to the Session Manager IP Configuration section and check that the configuration is correct.
   (b) For a static IP configuration, change the system's primary DNS server to the Active Directory Domain Controller IP. For further information refer to the Static IP Address Configuration section.

   nameserver 192.168.0.200
   search test.demo

2. Save the file and verify that name resolution works:

   ping test.demo

4.2 TIME SYNCHRONIZATION

Time synchronization is critical for Kerberos authentication. The Domain Controller should be configured as the local network's time (NTP) server. Configure the Session Manager server to synchronize with the Domain Controller, and the Domain Controller to synchronize every hour against a reliable outside source.

Make sure the clocks of the Domain Controller, the client workstation and the Session Manager server are in sync. Kerberos rejects tickets and authenticators whose timestamps differ from the receiving party's clock by more than the allowed skew, five minutes by default, so a larger difference makes authentication fail.

NTPD is a Linux service that synchronizes the time over the network using NTP (Network Time Protocol). This package should be installed and configured on the Session Manager server.

1. Install the package using the following commands:

   • For Ubuntu
     apt install -y ntp
     service ntp stop

   • For CentOS / RHEL 7
     yum install ntp
     service ntpd stop

2. Synchronize the time once, by hand, against the Domain Controller:

   ntpdate dc.test.demo

3. Open /etc/ntp.conf:

   (a) comment out all the lines starting with server:

     # more information
     #server 0.ubuntu.pool.ntp.org
     #server 1.ubuntu.pool.ntp.org
     #server 2.ubuntu.pool.ntp.org
     #server 3.ubuntu.pool.ntp.org
     # Use Ubuntu's ntp server as a fallback
     #server ntp.ubuntu.com

   (b) then set the Domain Controller as the NTP server:

     server dc.test.demo

   (c) Restart the service:

     • For Ubuntu
       service ntp start

     • For CentOS / RHEL 7
       service ntpd start
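The host name, DNS and clock checks of sections 4.1 and 4.2 are the ones that most often break a Kerberos setup later, so it is worth running them together before the domain join. The script below is an added example, not part of the Inuvika guide: it wraps the checks in small functions that work on the text returned by hostname, getent hosts and ntpdate -q, so the decision logic can be exercised offline against constructed command output. The host names, the 192.168.0.x addresses and the 300-second limit are assumptions taken from the guide's example environment; override them through the environment for your own.

```shell
#!/bin/sh
# krb_preflight.sh: pre-flight checks for a Session Manager about to join the domain.
# Added example, not part of the Inuvika guide. Defaults are the guide's example names.

OSM_SHORT=${OSM_SHORT:-osm}
OSM_FQDN=${OSM_FQDN:-osm.test.demo}
AD_DOMAIN=${AD_DOMAIN:-test.demo}
DC_FQDN=${DC_FQDN:-dc.test.demo}
MAX_SKEW=${MAX_SKEW:-300}   # Kerberos default clock-skew tolerance, in seconds

# hostname_ok SHORT FQDN DOMAIN: SHORT must contain no dot and FQDN must equal SHORT.DOMAIN
hostname_ok() {
  case $1 in *.*) return 1 ;; esac
  [ "$2" = "$1.$3" ]
}

# lookup_ip NAME LOOKUP: LOOKUP is the output of "getent hosts NAME"; prints the address
# of the first line that lists NAME, exit 1 if NAME is absent (forward lookup failed)
lookup_ip() {
  printf '%s\n' "$2" | awk -v h="$1" '
    { for (i = 2; i <= NF; i++) if ($i == h) { print $1; found = 1; exit } }
    END { exit (found ? 0 : 1) }'
}

# lookup_has_name NAME LOOKUP: LOOKUP is the output of "getent hosts IP" (a reverse
# lookup); succeeds only if NAME is among the names returned for that address
lookup_has_name() {
  printf '%s\n' "$2" | awk -v h="$1" '
    { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# ntpdate_offset OUTPUT: extract the clock offset in seconds from "ntpdate -q DC" output
# (last "offset <n>" field wins, i.e. the summary line)
ntpdate_offset() {
  printf '%s\n' "$1" | sed -n 's/.*offset \([-+]*[0-9][0-9.]*\).*/\1/p' | tail -n 1
}

# skew_ok OFFSET MAX: absolute offset must not exceed MAX seconds
skew_ok() {
  awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit (o <= m ? 0 : 1) }'
}

# Live run against the real system: PREFLIGHT_RUN=1 sh krb_preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
  rc=0
  hostname_ok "$(hostname)" "$(hostname -f)" "$AD_DOMAIN" \
    || { echo "FAIL hostname='$(hostname)' hostname -f='$(hostname -f)'; want $OSM_SHORT / $OSM_FQDN"; rc=1; }
  ip=$(lookup_ip "$OSM_FQDN" "$(getent hosts "$OSM_FQDN")") \
    || { echo "FAIL forward lookup of $OSM_FQDN returned nothing"; rc=1; }
  if [ -n "$ip" ]; then
    lookup_has_name "$OSM_FQDN" "$(getent hosts "$ip")" \
      || { echo "FAIL reverse lookup of $ip does not return $OSM_FQDN"; rc=1; }
  fi
  off=$(ntpdate_offset "$(ntpdate -q "$DC_FQDN" 2>&1)")
  if [ -z "$off" ]; then
    echo "FAIL could not query time from $DC_FQDN"; rc=1
  elif ! skew_ok "$off" "$MAX_SKEW"; then
    echo "FAIL clock offset to $DC_FQDN is ${off}s, limit is ${MAX_SKEW}s"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: host name, DNS and clock are ready for the domain join"
  exit "$rc"
fi
```

Run it as root on the Session Manager with PREFLIGHT_RUN=1; a non-zero exit means one of the prerequisites above is not met and the join or the later Apache authentication will fail with errors that are harder to read than these.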

4.3 INSTALL AND CONFIGURE KERBEROS

On the Session Manager server, install the Kerberos client package (krb5-user on Ubuntu, krb5-workstation on CentOS / RHEL), then configure Kerberos to authenticate against the Active Directory domain.

1. Install the Kerberos package:

   • For Ubuntu
     apt install -y krb5-user

   • For CentOS / RHEL 7
     yum install krb5-workstation

2. Back up the Kerberos configuration file:

   mv /etc/krb5.conf /etc/krb5.conf.old

3. Create a new /etc/krb5.conf file and copy & paste the following lines into it:

   [libdefaults]
   default_realm = TEST.DEMO
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true
   fcc-mit-ticketflags = true
   default_keytab_name = FILE:/etc/krb5.keytab

   [realms]
   TEST.DEMO = {
     kdc = dc.test.demo
     master_kdc = dc.test.demo
     admin_server = dc.test.demo
     default_domain = test.demo
   }

   [domain_realm]
   .test.demo = TEST.DEMO
   test.demo = TEST.DEMO

   [logging]
   kdc = FILE:/var/log/krb5/krb5kdc.log

   (a) Replace dc.test.demo with the FQDN of the Domain Controller of your Active Directory domain.
   (b) Replace test.demo with your Active Directory domain name. The entry with a leading dot maps every host under the domain (such as osm.test.demo) to the realm; the entry without it maps the bare domain name.
   (c) Replace TEST.DEMO with your Active Directory domain name in upper case characters. Kerberos realm names are case-sensitive, so the realm must be written in upper case everywhere it appears, including the name of the [realms] stanza.

4. Create the log directory /var/log/krb5 referenced by the [logging] section of the configuration file:

   mkdir -p /var/log/krb5
   touch /var/log/krb5/krb5kdc.log
   touch /var/log/krb5/kadmind.log

4.3.1 VERIFICATION

To verify that the installation and configuration were successful, perform the following test using kinit:

   kinit john@TEST.DEMO
   Password for john@TEST.DEMO:

Note
You can use any Active Directory account for the test, with or without the realm (user or user@DOMAIN). In the above example, the user is john.

Check that a Ticket Granting Ticket (TGT) was obtained by running:

   klist

Information similar to the following should be displayed:

   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: john@TEST.DEMO

   Valid starting     Expires            Service principal
   07/20/15 16:08:51  07/21/15 02:08:54  krbtgt/TEST.DEMO@TEST.DEMO
       renew until 07/21/15 16:08:51

A successful kinit proves that the KDC is reachable, that the realm configuration is correct and that the clocks are within tolerance. To destroy the active TGT, enter:

   kdestroy


4.4 JOINING THE DOMAIN

The next step is to install and configure Samba so that the Session Manager server can be added to the Active Directory domain using Kerberos.

1. Install the Samba client package:

   • For Ubuntu
     apt install -y smbclient

   • For CentOS / RHEL 7
     yum install samba-client

2. Back up the Samba configuration file smb.conf:

   mv /etc/samba/smb.conf /etc/samba/smb.conf.old

3. Create a new /etc/samba/smb.conf file and copy & paste the following lines into it:

   [global]
   netbios name = osm
   realm = TEST.DEMO
   security = ADS
   encrypt passwords = yes
   password server = dc.test.demo
   workgroup = TEST
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab

   (a) Replace the osm netbios name with your NetBIOS name (the short hostname).
   (b) Replace dc.test.demo with the FQDN of the Domain Controller of your Active Directory domain.
   (c) Replace TEST.DEMO with your Active Directory domain in upper case characters.
   (d) Replace TEST with your Active Directory NetBIOS domain name in upper case characters.

4. Join the Session Manager server to the domain with the net ads join command, using an account that has the right to add computers to the domain (a domain administrator, or an account delegated that right):

   net ads join -U administrator@TEST.DEMO

5. Enter the account's password.

6. Test the join using the following command:

   net ads testjoin

7. After this command succeeds, the computer is joined to the domain and the Session Manager is present as a computer object in Active Directory.


Note
To verify further that the join is working, use the following command:

   net ads info

Output similar to that shown below should be displayed:

   LDAP server: 192.168.0.200
   LDAP server name: dc.test.demo
   Realm: TEST.DEMO
   Bind Path: dc=TEST,dc=DEMO
   LDAP port: 389
   Server time: Mon, 18 May 2015 18:40:22 CEST
   KDC server: 192.168.0.200
   Server time offset: 455

Server time offset is the difference in seconds between this server's clock and the Domain Controller's. It should be close to 0; a value such as the 455 shown here is beyond the five-minute Kerberos tolerance and means the Time Synchronization step has not taken effect, which must be corrected before continuing.

4.5 ACTIVE DIRECTORY USERS AND COMPUTERS

The Session Manager's computer account must be configured in Active Directory so that it is trusted for Kerberos delegation. On the Domain Controller, open the Active Directory Users and Computers console.

1. Locate the osm computer object.
2. Right-click the osm object to display its menu and select Properties.
3. In the Properties dialog, click the Delegation tab.
4. In the Delegation tab, choose "Trust this computer for delegation to any service (Kerberos only)".
5. Click Apply, then OK.

The Session Manager is now configured in the Active Directory domain.

This setting enables unconstrained delegation. The clients configured later in this guide forward the user's TGT to the Session Manager (forwardable tickets in krb5.conf, the delegation URIs in Firefox), so a Session Manager trusted this way can act as any of those users towards any service in the domain. Protect its keytab and its operating system accordingly. Where your domain supports it, "Trust this computer for delegation to specified services only", limited to the services the Session Manager actually needs, is the tighter choice; test it in the isolated environment first, since the procedure in this guide uses the "any service" setting.

4.6 CREATE A SERVICE TICKET

Up to this point, the Session Manager server has been configured so that it can connect to the Active Directory domain. The next step is to store the Kerberos service keys in a keytab file so that they can be used by the Apache web server on the Session Manager. Samba is used to create the HTTP service principal(s) for Apache and write their keys to the keytab.

1. On the Session Manager server, log in to a console as root and run the command below with a domain administrator account; in the example we are following this is administrator@TEST.DEMO:

   net ads keytab add HTTP -U administrator@TEST.DEMO

   After entering the command, you should see output similar to that shown below:

   Processing principals to add...
   Enter administrator's password:


Figure 2: osm Computer Object


Figure 3: osm Object Menu


Figure 4: osm Properties Dialog


Figure 5: Delegation tab of the osm Object


2. Now check that /etc/krb5.keytab contains the HTTP/osm.test.demo principal by using the ktutil command:

   ktutil

3. Read the keytab file:

   ktutil: rkt /etc/krb5.keytab

4. Type list to show the contents:

   ktutil: list
   slot KVNO Principal
   ---- ---- ---------------------------------------------------------------
      1    2 HTTP/osm.test.demo@TEST.DEMO
      2    2 HTTP/osm.test.demo@TEST.DEMO
      3    2 HTTP/osm.test.demo@TEST.DEMO
      4    2 HTTP/osm.test.demo@TEST.DEMO
      5    2 HTTP/osm.test.demo@TEST.DEMO
      6    2 HTTP/osm@TEST.DEMO
      7    2 HTTP/osm@TEST.DEMO
      8    2 HTTP/osm@TEST.DEMO
      9    2 HTTP/osm@TEST.DEMO
     10    2 HTTP/osm@TEST.DEMO
   ktutil:

   Each principal appears once per encryption type for which Samba stored a key (list -e shows the encryption type of each slot), and all slots carry the same key version number (KVNO). The KVNO must match the current password version of the computer account in Active Directory: if the machine password is changed later, run net ads keytab add HTTP again so that the keytab is refreshed, otherwise Apache can no longer decrypt the service tickets presented by browsers.

5. Exit the utility:

   ktutil: exit

6. Set access permissions on the keytab file:

   chmod 640 /etc/krb5.keytab

7. Set the file's group owner to the group Apache runs as:

   • For Ubuntu
     chgrp www-data /etc/krb5.keytab

   • For CentOS / RHEL 7
     chgrp apache /etc/krb5.keytab

Note
The group owner of the keytab must be the POSIX group the Apache process runs as. If your system overrides the default value, refer to the Apache Group section. Keep in mind that every process running as that group, including PHP code executed by Apache, can read the keytab, and whoever holds the keytab holds the Session Manager's service keys. Do not widen the mode beyond 640 and do not copy the keytab to other hosts.
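The ktutil listing above is read by eye; the script below is an added example, not part of the Inuvika guide, that makes the same checks repeatable. It parses the output of klist -kte (the MIT klist equivalent of the ktutil listing, with the encryption type appended to each entry), confirms that the HTTP principal for the Session Manager FQDN is present, that all of its slots share one KVNO, that at least one AES key exists, and that the file mode and group match steps 6 and 7. The principal, keytab path and group are assumptions from the guide's example environment; the klist output used in the accompanying test is constructed to resemble a keytab written by net ads keytab add.

```shell
#!/bin/sh
# keytab_check.sh: verifies the keytab produced by "net ads keytab add HTTP" (section 4.6).
# Added example, not part of the Inuvika guide. Defaults are the guide's example names.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
SPN=${SPN:-HTTP/osm.test.demo@TEST.DEMO}
APACHE_GROUP=${APACHE_GROUP:-www-data}   # "apache" on CentOS / RHEL 7

# keytab_entries LISTING SPN: print "KVNO enctype" for every slot of SPN found in the
# output of "klist -kte KEYTAB". Entry lines look like:
#    2 07/20/15 16:08:51 HTTP/osm.test.demo@TEST.DEMO (aes256-cts-hmac-sha1-96)
keytab_entries() {
  printf '%s\n' "$1" | awk -v spn="$2" '
    $4 == spn && $5 ~ /^\(/ { e = $5; sub(/^\(/, "", e); sub(/\)$/, "", e); print $1, e }'
}

# keytab_has_spn LISTING SPN: at least one key is stored for SPN
keytab_has_spn() {
  [ -n "$(keytab_entries "$1" "$2")" ]
}

# keytab_kvno LISTING SPN: print the single KVNO shared by all slots of SPN;
# exit 1 if the slots disagree (stale entries mixed with fresh ones) or SPN is absent
keytab_kvno() {
  keytab_entries "$1" "$2" | awk '
    { k[$1] = 1 }
    END { n = 0; for (v in k) { n++; last = v } if (n == 1) { print last; exit 0 } exit 1 }'
}

# keytab_strong_enctype LISTING SPN: succeed only if SPN has at least one AES key.
# A keytab holding only des-* or arcfour-hmac keys forces clients down to weak ciphers.
keytab_strong_enctype() {
  keytab_entries "$1" "$2" | awk '$2 ~ /^aes/ { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# keytab_perms_ok MODE GROUP WANTED_GROUP: no "other" bits, no group write, right group
keytab_perms_ok() {
  [ "$2" = "$3" ] || return 1
  case $1 in
    600|640|400|440) return 0 ;;
    *) return 1 ;;
  esac
}

# Live run against the real keytab: KEYTAB_CHECK_RUN=1 sh keytab_check.sh
if [ "${KEYTAB_CHECK_RUN:-0}" = 1 ]; then
  rc=0
  listing=$(klist -kte "$KEYTAB" 2>&1) || { echo "FAIL cannot read $KEYTAB: $listing"; exit 1; }
  keytab_has_spn "$listing" "$SPN" \
    || { echo "FAIL $SPN not in $KEYTAB; rerun: net ads keytab add HTTP -U <admin>"; rc=1; }
  kvno=$(keytab_kvno "$listing" "$SPN") \
    || { echo "FAIL slots for $SPN carry different KVNOs; recreate the keytab"; rc=1; }
  keytab_strong_enctype "$listing" "$SPN" \
    || echo "WARN $SPN has no AES key; only DES/RC4 keys are present"
  perms=$(stat -c '%a %G' "$KEYTAB")
  keytab_perms_ok $perms "$APACHE_GROUP" \
    || { echo "FAIL $KEYTAB is '$perms'; want mode 640 and group $APACHE_GROUP"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $SPN present (KVNO $kvno), keytab readable only by root and $APACHE_GROUP"
  exit "$rc"
fi
```

The KVNO check is the one worth keeping around: a keytab that drifts out of step with the computer account password fails with an opaque "decrypt integrity check failed" in the Apache error log, and a quick look at the KVNO explains it.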


4.7 APACHE AND KERBEROS

Please follow the steps below:

1. Install the module package:

   • For Ubuntu
     apt install -y libapache2-mod-auth-kerb

   • For CentOS / RHEL 7
     yum install mod_auth_kerb

2. Enable the Apache module. The module should be loaded automatically after installing the package. If it is not, enter the command below (Ubuntu):

   a2enmod auth_kerb

3. Create the configuration file:

   • For Ubuntu
     /etc/apache2/conf-enabled/test.conf

   • For CentOS / RHEL 7
     /etc/httpd/conf.d/test.conf

4. and copy the following into the file:

   Alias "/test" "/var/www/test"
   <Directory "/var/www/test">
       AllowOverride None
       DirectoryIndex index.php

       AuthType Kerberos
       AuthName "Kerberos Login"
       KrbServiceName HTTP/osm.test.demo
       KrbMethodNegotiate On
       KrbMethodK5Passwd On
       KrbAuthRealms TEST.DEMO
       Krb5KeyTab /etc/krb5.keytab
       Require valid-user
   </Directory>

   (a) Replace osm.test.demo with the FQDN of the Session Manager in your environment.
   (b) Replace TEST.DEMO with your Active Directory domain in upper case characters.

   KrbServiceName must be the principal stored in the keytab in the previous section, and its host part must be the name users type in the browser. KrbMethodK5Passwd On lets the module fall back to HTTP Basic authentication when the browser sends no Kerberos ticket; the user's Active Directory password is then sent to Apache and checked against the KDC. This test location is served over plain HTTP, so either keep the fallback only for the duration of the test, or set KrbMethodK5Passwd Off so that only Negotiate (ticket-based) authentication is accepted.

5. Create the test folder in the web server root:

   mkdir -p /var/www/test


6. Create /var/www/test/index.php and paste the following content into it:

   <?php
   // mod_auth_kerb has already authenticated the request before PHP runs:
   // AUTH_TYPE tells which mechanism was used (Negotiate or Basic) and
   // REMOTE_USER carries the authenticated principal.
   $authType = isset($_SERVER['AUTH_TYPE']) ? $_SERVER['AUTH_TYPE'] : 'none';
   $remoteUser = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : 'none';
   echo "<h2>Kerberos Auth</h2>";
   echo "Auth type: " . htmlspecialchars($authType) . "<br />";
   echo "Remote user: " . htmlspecialchars($remoteUser) . "<br />";

7. Restart the Apache service:

   • For Ubuntu
     service apache2 restart

   • For CentOS / RHEL 7
     service httpd restart

4.7.1 VALIDATE THE CONFIGURATION

The example below must be completed on a Windows workstation joined to the domain, logged in as a domain user. Please install Firefox for testing purposes; we recommend Firefox because it is the easiest browser in which to configure Kerberos. If you want to use another browser, please refer to the information provided at: http://sammoffatt.com.au/jauthtools/Kerberos/Browser_Support.

Note
The Apache configuration presented here is not compatible with Internet Explorer or Google Chrome.

First, configure Firefox to use Kerberos, then verify the configuration.

1. Run Firefox.
2. In the URL field, enter about:config.
3. In the search field, enter network.nego.
4. Change the two values to match the OSM FQDN, e.g.

   (a) network.negotiate-auth.trusted-uris: right-click, select Modify and enter the value osm.test.demo. This lists the sites Firefox may answer a Negotiate challenge for; keep it to the exact host names you trust and never set it to a wildcard or a whole domain suffix you do not control.

   (b) network.negotiate-auth.delegation-uris: right-click, select Modify and enter the value osm.test.demo. This allows Firefox to forward the user's TGT to that host; it pairs with the Delegation tab setting configured in the Active Directory Users and Computers section, and should likewise name only the Session Manager.

5. Browse to http://osm.test.demo/test/. If SSO is working correctly, you will see information similar to the screenshot below (Figure 7). The Auth type reported should be Negotiate, meaning a ticket was used; Basic means the browser fell back to the password prompt and the Kerberos path is not working yet.

4.8 KERBEROS AND OVD

We have validated that Kerberos authentication over HTTP is working using a simple PHP example. The next step is to configure Kerberos authentication for the OVD Session Manager.


Figure 6: about:config


Figure 7: Kerberos Authorization


1. Duplicate the Apache SSL VirtualHost that already exists for the Session Manager:

   • For Ubuntu
     cd /etc/apache2/sites-enabled
     cp default-ssl.conf ovd-session-manager-kerb.conf

   • For CentOS / RHEL 7
     cd /etc/httpd/conf.d
     cp ssl.conf ovd-session-manager-kerb.conf

2. Edit the ovd-session-manager-kerb.conf file:

   (a) Delete all the lines that appear before and after the VirtualHost section.

   (b) Change the ServerName value to the OSM FQDN (osm.test.demo in this example):

       ServerName osm.test.demo

Note
If no ServerName setting is defined yet, create one at the beginning of the VirtualHost definition.

   (c) Copy & paste the following block at the end of the VirtualHost definition:

       <Location /ovd>
           AuthType Kerberos
           AuthName "Kerberos Login"
           KrbServiceName HTTP/osm.test.demo
           KrbMethodNegotiate On
           KrbMethodK5Passwd On
           KrbAuthRealms TEST.DEMO
           Krb5KeyTab /etc/krb5.keytab
           Require valid-user
       </Location>

   (d) Replace osm.test.demo with the FQDN of the Session Manager in your environment.
   (e) Replace TEST.DEMO with the Active Directory domain name in upper case characters.

   Because this VirtualHost is served over TLS, the KrbMethodK5Passwd fallback at least sends the password encrypted on the wire; it still means the Session Manager receives the clear-text Active Directory password whenever a client cannot present a ticket. Set it to Off if you want this VirtualHost to accept ticket-based logins only.

3. Edit the default SSL VirtualHost configuration file and change its ServerName value to the IP address of the Session Manager, so that Apache can tell the two VirtualHosts apart by name: requests made with the FQDN reach the Kerberos VirtualHost, requests made with the IP address reach the default one.

   (a) For Ubuntu, the file is /etc/apache2/sites-enabled/default-ssl.conf
   (b) For CentOS / RHEL 7, the file is /etc/httpd/conf.d/ssl.conf

       ServerName 10.1.0.10


Note
If no ServerName setting is defined, add the setting in the SSL VirtualHost configuration file.

4. Reload the Apache configuration
   • For Ubuntu
       service apache2 reload

   • For CentOS / RHEL 7
       service httpd restart

5. Go to the OVD Administration Console page "Users / Authentication Settings" or, for versions earlier than 2.7, "Configuration / Authentication Settings"
   (a) Check the RemoteUser authentication checkbox
   (b) For OVD version >= 2.8, set the Use Kerberos login method option to yes
   (c) For OVD version < 2.8, set the Remove domain if exists option to yes in the RemoteUser section only if the Active Directory sAMAccountName is being used for the usernames. Otherwise, leave the setting set to no
   (d) Click on the Save button at the bottom of the page

Figure 8: Enable AuthMethod

The SM is now configured to authenticate a user with Kerberos. The next step is to configure the OVD client to validate that the setup is working.

Note
This configuration for the Session Manager provides both regular (password) and Kerberos authentication. If you want to disable regular authentication, the easiest way is to uncheck the Password checkbox in the OVD Administration Console.
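The following script is an added example for this guide and not Inuvika's own tooling. It generates the <Location /ovd> block of step 2(c) from an OSM FQDN and an AD realm, and checks a `klist -k` listing for the HTTP/<fqdn>@<REALM> entry the block depends on, which is the most common reason the Negotiate login silently falls back to the password prompt. osm.test.demo, TEST.DEMO and /etc/krb5.keytab are the guide's example values; the function names and the sample keytab listing are this example's own.

```shell
#!/bin/sh
# Added example for this guide, not Inuvika's own tooling: generate the
# mod_auth_kerb <Location /ovd> block of step 2(c) for a given OSM FQDN and
# AD realm, and check a `klist -k` listing for the HTTP/<fqdn>@<REALM> entry
# that the block depends on. osm.test.demo, TEST.DEMO and /etc/krb5.keytab
# are the guide's example values; the function names are this example's own.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Print the <Location /ovd> block. The realm is upper-cased because Kerberos
# realm names are case-sensitive and AD realms are always upper case.
# The third argument sets KrbMethodK5Passwd: "On" (the guide's value) also
# accepts HTTP Basic credentials and verifies them against the KDC, i.e. a
# password fallback that is only acceptable behind HTTPS; "Off" limits the
# location to SPNEGO/Negotiate tickets.
render_kerb_location() {
    fqdn="$1"
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    k5passwd="${3:-On}"
    cat <<EOF
<Location /ovd>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbServiceName HTTP/$fqdn
    KrbMethodNegotiate On
    KrbMethodK5Passwd $k5passwd
    KrbAuthRealms $realm
    Krb5KeyTab $KEYTAB
    Require valid-user
</Location>
EOF
}

# Read `klist -k <keytab>` output on stdin; exit 0 only if an entry for
# HTTP/<fqdn>@<REALM> is present. Without that key Apache cannot decrypt the
# browser's service ticket and mod_auth_kerb falls through to its password
# prompt, which looks like "SSO silently not working".
keytab_has_http_principal() {
    awk -v want="HTTP/$1@$2" '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed `klist -k /etc/krb5.keytab` output for the stand-alone run;
# on a real Session Manager pipe `klist -k "$KEYTAB"` instead.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/osm.test.demo@TEST.DEMO
   3 HTTP/osm.test.demo@TEST.DEMO'

render_kerb_location osm.test.demo test.demo
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_http_principal osm.test.demo TEST.DEMO; then
    echo "keytab OK: HTTP/osm.test.demo@TEST.DEMO present"
else
    echo "keytab is missing HTTP/osm.test.demo@TEST.DEMO" >&2
fi
```

Redirect the output of render_kerb_location into the VirtualHost file from step 1 and run the keytab check with the real `klist -k` before reloading Apache; if the principal is absent, the machine was joined without an HTTP service principal and the keytab has to be regenerated.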


5 OWA HTML5 CLIENT

Kerberos authentication for the HTML5 client will only work if the OWA is installed on the same system as the OSM and it is accessed via HTTPS. The OWA must be configured to address the OSM using 127.0.0.1 or localhost. If it does not work, review the steps from the beginning of the Session Manager Configuration section through to the Validate the Configuration section.

1. Edit the OWA configuration file /etc/ovd/web-access/config.inc.php
   (a) Uncomment the line define('OPTION_FORCE_SSO', true);
   (b) The SESSIONMANAGER_HOST setting must be set to localhost if it was defined with an IP or FQDN
   (c) Save and exit.

2. Start Firefox and enter the URL https://osm.test.demo/ovd/ . You will see a screen similar to Figure 9 if Kerberos is working properly.

Figure 9: Login screen

Note
Firefox must be configured to use Kerberos. To configure Firefox, follow the steps detailed in the Validate the Configuration section.

If the login panel does not show the user login name, check the firewall settings and go through the Kerberos authentication steps of the Session Manager Configuration section again. Clicking on Connect will start the OVD session without the requirement to enter any further credentials.
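The script below is an added example, not part of the Inuvika guide, that applies the two config.inc.php edits of step 1 with sed and verifies the result, so the change can be scripted and checked rather than hand-edited. The exact shape of the SESSIONMANAGER_HOST line is an assumption of this example (the guide only names the setting), and the sample file it edits is a constructed stand-in written to a temporary path, not the real /etc/ovd/web-access/config.inc.php.

```shell
#!/bin/sh
# Added example, not part of the Inuvika guide: apply the two edits of step 1
# to an OWA config.inc.php with sed and verify the result. The exact shape of
# the SESSIONMANAGER_HOST line is an assumption of this example (the guide only
# names the setting):
#     define('SESSIONMANAGER_HOST', '10.1.0.10');

# Write a constructed stand-in for /etc/ovd/web-access/config.inc.php to a
# temporary file and print its path. It is NOT the real OWA file.
make_sample_cfg() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
<?php
// constructed sample, not the real /etc/ovd/web-access/config.inc.php
define('SESSIONMANAGER_HOST', '10.1.0.10');
//define('OPTION_FORCE_SSO', true);
EOF
    printf '%s\n' "$f"
}

# Uncomment define('OPTION_FORCE_SSO', true); (whether commented with // or #)
# and point SESSIONMANAGER_HOST at localhost. A .bak copy is kept next to the
# file; remove it once the change is verified.
enable_owa_sso() {
    cfg="$1"
    sed -i.bak \
        -e "s|^[[:space:]]*//[[:space:]]*\(define('OPTION_FORCE_SSO',[[:space:]]*true);\)|\1|" \
        -e "s|^[[:space:]]*#[[:space:]]*\(define('OPTION_FORCE_SSO',[[:space:]]*true);\)|\1|" \
        -e "s|^\([[:space:]]*define('SESSIONMANAGER_HOST',[[:space:]]*\)'[^']*'|\1'localhost'|" \
        "$cfg"
}

# Exit 0 only when both settings are in the state section 5 requires:
# OPTION_FORCE_SSO active (not commented out) and SESSIONMANAGER_HOST set to
# localhost or 127.0.0.1, so the OWA talks to the OSM on the same machine.
owa_sso_ready() {
    grep -q "^[[:space:]]*define('OPTION_FORCE_SSO',[[:space:]]*true);" "$1" &&
    grep -Eq "^[[:space:]]*define\('SESSIONMANAGER_HOST',[[:space:]]*'(localhost|127\.0\.0\.1)'\);" "$1"
}

# Stand-alone run on the constructed sample; on a real OWA call
# enable_owa_sso /etc/ovd/web-access/config.inc.php instead.
cfg=$(make_sample_cfg)
owa_sso_ready "$cfg" && echo "already configured" || echo "not configured yet, applying"
enable_owa_sso "$cfg"
owa_sso_ready "$cfg" && echo "OWA SSO ready: $cfg" || echo "edit failed, inspect $cfg" >&2
rm -f "$cfg" "$cfg.bak"
```

owa_sso_ready is the useful part for troubleshooting: run it against the real file when the HTML5 login page does not pre-fill the user name, before looking at Apache or Kerberos.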


6 ENTERPRISE DESKTOP CLIENT

This section applies to the Enterprise Desktop Client (EDC) running on a Windows workstation.

6.1 WORKSTATION CONFIGURATION

The user workstation (Windows) must be configured to allow SSO authentication into OVD. For this, local or domain admin access to the workstation is required. Please note that a domain GPO (Group Policy) may be used to automate the changes below in an enterprise environment.

6.1.1 ALLOWTGTSESSIONKEY

The Windows registry value AllowTgtSessionKey controls whether a client application is allowed to retrieve the session key of the Kerberos Ticket Granting Ticket (TGT) from the LSA. The EDC needs this to authenticate with the user's local credentials, so it must be enabled. Be aware that the setting applies to every process in every logon session on the workstation, not only to the EDC: any application running as the user can then read the TGT session key, which makes a TGT exported by a user-level process usable from another machine. Deploy it through GPO to the workstations that run the EDC rather than to the whole domain.

1. Login as an admin user on the user workstation
2. Run the registry editor: regedit.exe
3. Create a registry entry as follows for Windows Vista, 7, 8 or 10:
   • Create a DWORD entry with the name AllowTgtSessionKey and value 1 at
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Figure 10: Registry AllowTgtSessionKey


6.1.2 ENABLE DES

Depending on your version of Windows, further settings may need to be applied as described in the Microsoft information page at https://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx (DES encryption types for Kerberos are disabled by default since Windows 7 and Windows Server 2008 R2). These settings apply to Windows 7, Windows 8 and Windows 10.

1. Open an admin session on the workstation
2. Run gpedit.msc from a command prompt
3. Navigate to
       Local Computer Policy
         Computer Configuration
           Windows Settings
             Security Settings
               Local Policies
                 Security Options
4. Open the Network Security: Configure encryption types allowed for Kerberos setting and enable the encryption types shown in Figure 11
5. Reboot the workstation

Note
Only enable DES if the Session Manager keytab or its service account was created with DES keys. DES is deprecated and breakable; where possible create the keytab with AES128/AES256 (and RC4 only if an older client still needs it) and leave the DES types disabled here. Whatever is enabled on the workstation must also exist in the keytab and be allowed on the domain controller, otherwise the client and the KDC cannot agree on a key and authentication fails.

6.2 EDC

Start the EDC and check Use Local credentials as shown in Figure 12.

Note
Clicking on Start should start the session without the need to enter any further credentials.


Figure 11: Network Security options


Figure 12: Inuvika OVD Enterprise Desktop Client

7 TROUBLESHOOTING

7.1 VALIDATE TEST CASE

If the test from section Validate the Configuration does not work, check the items below first:
1. The server time on all servers is correctly synchronized and the time service is operational
2. The browser is set up correctly
3. No firewall issues on the OSM node
4. The auth_kerb module is enabled in Apache: ensure that the module is present and loaded

If the test still does not work, the Apache logs and the web browser developer tools console can provide further information. A tool such as Wireshark can be used to monitor the HTTP data stream (use HTTP instead of HTTPS for this so that Wireshark can read the exchange). Do this only on a test system with a test account: over plain HTTP the Negotiate token is visible on the wire and, with KrbMethodK5Passwd On, the Basic authentication fallback would send the user's domain password in clear text.

Enable the debug mode on the SM side by performing the following for the OVD session:
• Set up the domain integration to Microsoft and the internal session method
• Enable RemoteUser authentication as described in the Kerberos and OVD section
• Enable debug mode in the OSM and Apache logs
• Enable the SSO option in the OWA by editing the OWA config file at /etc/ovd/web-access/config.inc.php
• Use HTTPS (it should not be HTTP)

7.2 DNS ISSUES

If the net ads join test described in section Joining the Domain fails with the following output:


    No DNS domain configured for osm. Unable to perform DNS Update.
    DNS update failed!

then the possible reasons are:
• Invalid system hostname
• Invalid system network name in /etc/hosts
• Invalid system network name in the smb.conf configuration for the netbios name

To resolve this issue, configure the system hostname and network name of the Session Manager correctly, then remove the Session Manager's computer account from Active Directory and join it again.

7.3 CLOCK SKEW

If there is an issue authenticating to OVD with Kerberos, turn on the Apache error logs and check them for a "Clock skew too great" error:
    [error] [client 192.168.0.65] krb5_get_init_creds_password() failed: Clock skew too great

This error indicates that the time on the Session Manager is not synchronized with the time on the Active Directory Domain Controller; Kerberos rejects tickets when the two clocks differ by more than 5 minutes (the default tolerance). Stop the ntp service, run ntpdate against a domain controller to step the clock (ntpdate refuses to run while ntpd holds the NTP socket), start the service again, and then find out why the ntp service was not keeping the Session Manager in sync: a wrong server in ntp.conf, UDP port 123 blocked, or a virtual machine whose clock is also being adjusted by the hypervisor.
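The following triage helper is an added example, not part of the Inuvika guide, covering checks 1 and 4 of section 7.1 and the clock-skew diagnosis of this section. It pulls the client addresses that failed with "Clock skew too great" out of Apache error-log text, confirms that mod_auth_kerb appears in an `apachectl -M` listing, and compares the offset reported by `ntpdate -q` against the Kerberos default tolerance of 300 seconds. The log lines, module listing and ntpdate output embedded below are constructed samples: the first log line copies the format shown in this guide (Apache 2.2), the Apache 2.4-style line with a port suffix and module tag is my own construction to exercise the parser, and the addresses and hostnames are the guide's examples.

```shell
#!/bin/sh
# Added example, not from the Inuvika guide: a triage helper for the checks in
# 7.1 and 7.3. It pulls the client addresses that hit "Clock skew too great"
# out of Apache error-log text, confirms mod_auth_kerb is in an `apachectl -M`
# (Ubuntu: `apache2ctl -M`) listing, and compares an `ntpdate -q` offset
# against the Kerberos default tolerance of 300 seconds. The log lines, module
# list and ntpdate output below are constructed samples (Apache 2.2 and 2.4
# error-log formats); addresses and hostnames are the guide's examples.

MAX_SKEW_SECONDS=300   # MIT krb5 "clockskew" default; AD enforces the same 5 minutes

# Read Apache error-log lines on stdin and print each distinct client address
# that failed with a krb5 clock-skew error (one per line). Handles both the
# 2.2 "[client 1.2.3.4]" and the 2.4 "[client 1.2.3.4:port]" forms.
clock_skew_clients() {
    grep 'Clock skew too great' |
    sed -n 's/.*\[client \([0-9.]*\)[^]]*\].*/\1/p' |
    sort -u
}

# Read `apachectl -M` output on stdin; exit 0 if mod_auth_kerb is loaded
# (check 4 of section 7.1).
auth_kerb_loaded() {
    grep -q '^ *auth_kerb_module'
}

# Read `ntpdate -q <server>` output on stdin; exit 0 when every queried server
# reports an absolute offset within MAX_SKEW_SECONDS, 1 when a server is
# further off (Kerberos would then fail with "Clock skew too great") or when
# no "server ..." line was found at all.
ntp_offset_within_skew() {
    awk -v max="$MAX_SKEW_SECONDS" '
        /^server / {
            for (i = 1; i < NF; i++)
                if ($i == "offset") { off = $(i + 1) + 0; seen = 1 }
            if (off < 0) off = -off
            if (off > max) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed samples (not captured from a real system).
SAMPLE_APACHE_LOG='[Mon May 11 10:02:13 2020] [error] [client 192.168.0.65] krb5_get_init_creds_password() failed: Clock skew too great
[Mon May 11 10:02:14 2020] [error] [client 192.168.0.65] krb5_get_init_creds_password() failed: Clock skew too great
[Mon May 11 10:03:01 2020] [notice] caught SIGTERM, shutting down
[Mon May 11 10:05:42.123456 2020] [auth_kerb:error] [pid 2231] [client 10.1.0.23:51004] krb5_get_init_creds_password() failed: Clock skew too great'

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 auth_kerb_module (shared)'

SAMPLE_NTPDATE_BAD='server 192.168.0.200, stratum 2, offset 412.387915, delay 0.02600'
SAMPLE_NTPDATE_OK='server 192.168.0.200, stratum 2, offset -0.000436, delay 0.02573'

# Stand-alone run on the samples. On a real OSM feed the functions with
# `cat /var/log/apache2/error.log`, `apachectl -M` and `ntpdate -q <dc-ip>`.
echo "clients with clock-skew errors:"
printf '%s\n' "$SAMPLE_APACHE_LOG" | clock_skew_clients
printf '%s\n' "$SAMPLE_MODULES" | auth_kerb_loaded && echo "auth_kerb: loaded" || echo "auth_kerb: NOT loaded"
if printf '%s\n' "$SAMPLE_NTPDATE_BAD" | ntp_offset_within_skew; then
    echo "ntp: within ${MAX_SKEW_SECONDS}s of the DC"
else
    echo "ntp: offset exceeds ${MAX_SKEW_SECONDS}s; run: service ntp stop; ntpdate 192.168.0.200; service ntp start"
fi
```

A client address that shows up repeatedly in clock_skew_clients while the Session Manager itself is in sync points at a workstation whose clock is wrong, since the KDC checks the client's timestamp as well.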

7.4 OWA HTML5

If the HTML5 client is not working, open the developer tools console in Firefox and enter ovd.settings.http_provider; it should return direct. Otherwise the about:config settings were not saved. Please refer to Figure 13.

7.5 EDC

• Check your local credentials using the klist command and ensure that there is an HTTP/osm.test.demo ticket. klist lists the tickets of the current logon session; the service ticket is only requested the first time the EDC connects, so run klist after a connection attempt.

7.6 STATIC IP ADDRESS CONFIGURATION

Generally, the DNS information is stored in the /etc/resolv.conf file. When you modify the file to set a specific DNS server IP address, the change may not be persistent: depending on the system configuration it is overwritten when the system is rebooted or the network service is restarted. On Ubuntu and RHEL/CentOS systems the DNS configuration can also be defined in the global network configuration, which in turn overwrites the modification made in /etc/resolv.conf. For these reasons it is recommended to modify the DNS information directly in the global network configuration file.


Figure 13: Developer tools console calling ovd.settings.http_provider

• For Ubuntu: edit /etc/network/interfaces to add
    dns-nameservers 192.168.0.200
    dns-search test.demo

• For CentOS / RHEL 7: edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 to add
    DNS1=192.168.0.200
    SEARCH=test.demo

  If the search domain does not appear in /etc/resolv.conf after the network service is restarted, use the DOMAIN=test.demo key instead, which is the key NetworkManager reads for the search list.

7.7 APACHE GROUP

The system default group used by Apache is:
• For Ubuntu: www-data
• For CentOS / RHEL 7: apache

If for some reason the system overrides the default value, or if you want to check it, the following command lines will give you the group name used by Apache on your system:
• For Ubuntu
    egrep -w --color=auto '^Group' -R /etc/apache2/
    egrep -w --color=auto 'APACHE_RUN_GROUP' /etc/apache2/envvars

• For CentOS / RHEL 7
    grep -E '^Group' /etc/httpd/conf/httpd.conf

This group is the one that must be able to read the keytab referenced by Krb5KeyTab (/etc/krb5.keytab in this guide). The keytab holds the HTTP service key, so grant read access to this group only and keep the file unreadable by other users.
