Help Center/ OneAccess/ Best Practices/ Authentication Provider Integration/ Standard Protocol Authentication Providers/ Kerberos Authentication/ Configuring a Kerberos Authentication Provider
Updated on 2024-12-30 GMT+08:00
View PDF
Share

Configuring a Kerberos Authentication Provider

Kerberos is a computer-network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. For details, visit https://web.mit.edu/kerberos.

Active Directory (AD) is a database that stores network objects, allowing administrators and users to search for required information.

Service Principal Name (SPN) is a unique identifier of a service instance.

It associates a service instance with a service account during Kerberos authentication. SPNs must be registered for the server under a built-in computer account or user account. For built-in accounts, SPNs are automatically registered. To run services using a domain account, manually register an SPN for the account.

OneAccess allows you to configure the Kerberos protocol as the authentication provider. You can use the Kerberos protocol to log in to each application system, providing simpler and more convenient login modes and better user experience for enterprise users.

This section describes how to configure a Kerberos authentication provider.

Setting Up an AD Server

Windows Server 2012 R2 is used as an example to describe how to set up a domain server. For details, see Setting Up an AD Server.

Creating an AD User

Create an AD user in the established AD domain.

  1. Go to the AD management center.
  2. Right-click the target domain, choose New > User, enter the user information, and click OK.

    To prevent login exceptions, configure the user with unlimited password validity.

    Check whether AES 256-bit encryption is enabled for each AD user who requires password-free login. The procedure is as follows:

    On the AD server, right-click the user to open the property dialog box. Find the account properties and ensure that This account supports Kerberos AES 256-bit encryption is selected.

Configuring the AD Server

  1. Generate an SPN in the AD server.

    In the DOS window of the AD server, run the "setspn -A HTTP/{Tenant domain name} {AD username}" command, for example, setspn -A HTTP/xxxxxx.huaweioneaccess.com Appointer.

  2. Generate a keytab file in the AD server.

    In the DOS window of the AD server, run the "ktpass /out {Keytab file path} /mapuser {AD username} /princ HTTPS/{Tenant domain name}@{AD domain name} /pass {AD user password} /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1" command, for example, ktpass /out c:\Appointer.keytab /mapuser Appointer /princ HTTPS/xxxxxx.huaweioneaccess.com@ONEACCESS.COM /pass {AD user password} /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1.

  3. Configure an appointment in the AD server.

    1. Select the user created in Creating an AD User, right-click Properties, and configure an appointment.

Configuring the Client Browser

  • Internet Explorer

    Open Internet Explorer, choose Tools > Internet options > Security > Local intranet > Sites > Advanced, and add the website https://{Tenant domain name}.

  • Google Chrome

    Google Chrome shares the configurations of Internet Explorer. After configuring Internet Explorer, directly use Google Chrome without additional configurations.

  • Mozilla Firefox
    1. Open the Firefox browser, enter about:config in the address box, and click Accept the Risk and Continue.

    2. Enter network.negotiate-auth-trusted-uris and set the value to https://{Tenant domain name}.

Adding a Kerberos Authentication Provider

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Authentication > Authentication Providers, and click Kerberos. On the Kerberos Authentication Providers page, click Add Authentication Provider in the upper right and set the parameters.

    Figure 1 Adding an authentication provider
    Table 1 Configuration parameters

    Parameter

    Description

    * Display Name

    Custom display name of the authentication provider, for example, Kerberos.

    * AD Domain

    AD domain name in upper case, for example, ONEACCESS.COM.

    * Keytab File

    Select the file generated in 2.

    * Related User Attribute

    Unique attribute, for example, user ID, to associate with a system user.

    No User Associated

    Indicates that the login fails if no user is associated during authentication.

  3. On the top navigation bar, choose Users > Organizations and Users. Select the target organization, click Create User, and enter the user information. Ensure that the username is the same as that of the AD domain account.

Parent topic: Kerberos Authentication