All the following steps needs to be performed having a remote session on Foglight (Foglight the Management Server):
Note: the following is one example: HTTP/fmshost.example.com. It should be changed for the actual URL of your Foglight with the Fully Qualified domain name.
After you checked above configuration, please generate the keytab file.
Krb5ConfigFilePath = "./config/krb5.config"; Principal = "HTTP/fmshost.example.com"; Keytab = "./config/krb5.keytab";
Please check below information on how to complete the configuration.
Microsoft Active Directory provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC (key distribution center) to authenticate users. It allows organizations to share and manage information about users and network resources. When properly configured, Active Directory provides an SSO environment that can be integrated with the standard Windows OS desktop login.
When setting up the Kerberos Service Principal Name (SPN), use the following instructions to create mappings between the user account and SPNs, and to create a keytab file to configure in krb5‑auth.config. For example:
ktpass -princ HTTP/fmshost.example.com@REALM -mapuser "[domain]\[user]" -pass [password] -out [keytabFilePath]
And use setspn
to set up the mapping for just the host name. For example:
setspn -A HTTP/fmshost [user]
NOTES:
setspn -X -F
setspn -d HTTP/fmshost.example.com [user]
setspn -l [user]
setspn -Q HTTP/fmshost*
Foglight provides SSO for the Management Server using Active Directory as its identity store. It includes an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner. This method allows users to access only those Management Server components for which they are authorized.
Enabling the Windows SSO feature in Foglight requires the configuration of the following files under [FMS_HOME]/config
directory:
The krb5.config file contains standard Kerberos configuration information. See the following URL for detailed information about the settings:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
Here are a simple krb5.config ( WIndows domain is FVE.SUPPORT and domain controller is tordcw01.fve.support)
[libdefaults] default_realm = EXAMPLE.COM # The Management Server will use the first kdc in the realm as an LDAP server # to retrieve user group information. Use the "LDAPURLOverrides" element in # krb5-auth.config to override this behaviour. [realms] EXAMPLE.COM = { kdc = host1.example.com } [domain_realm] .example.com = EXAMPLE.COM
Most web browsers include extensions that allow Foglight users to participate in a Kerberos-based single sign-on (SSO) environment. This environment relies on the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) authentication mechanism. To enable this feature, configure your web browser to support SPNEGO authentication.
Only Microsoft Internet Explorer, Google Chrome™, and Mozilla Firefox browsers can be configured to support SPNEGO authentication currently.
To configure Internet Explorer to enable SPNEGO authentication:
To configure Chrome to enable SPNEGO authentication on a machine running a Windows OS:
For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.
To configure Chrome to enable SPNEGO authentication on a machine running Linux or Chromium:
For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.
Customize the launcher for your desktop.
Add the following parameter to the command-line:
--auth-server-whitelist=".example.com"
Where .example.com
is the domain of the application server.
To configure Firefox to enable SPNEGO authentication:
For complete details, see the Firefox documentation at https://developer.mozilla.org/en-US/docs/Integrated_Authentication.
A list of entries appears in the Firefox window.
Once everything is configured, connect with one user to Foglight. The user will be imported from the AD, but the connection will be rejected. Connect to Foglight with an administration user and open the "User Management" dashboard. On the "Groups" make sure the AD groups are imported with the distinguish name (group@domain). Assign the group to the first user and let the user connect to the Foglight now.
After the first authentication via AD has been done the AD groups are fully initialized and further users will be able to connect using SSO.
If you do not have access to Active Directory, you can check the "Service Account" settings using Microsoft third party tool "AD Explorer":
Note: "username" is the service account username you are using for this configuration within Foglight.
Download AD Explorer
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center