Summary of the steps that need to be accomplished
All of the following steps need to be performed from a remote session on the Foglight Management Server (FMS):
1). Identify the Active Directory service account to use and add the HTTP service principal name (SPN) of the Foglight Management Server to that account's servicePrincipalName attribute in Active Directory.
Note: the following is one example: HTTP/fmshost.example.com. Replace it with the actual fully qualified domain name of your Foglight Management Server.
After you have checked the above configuration, generate the keytab file.
2). Under FMS_HOME\config\krb5-auth.config, check the following configuration:
Krb5ConfigFilePath = "./config/krb5.config";
Principal = "HTTP/fmshost.example.com";
QualifyUserPrincipal = true;
QualifyGroupName = true;
Keytab = "./config/krb5.keytab";
UserQueryFilter = "(&(objectClass=user) (sAMAccountName={0}))";
GroupQueryFilter = "(&(objectclass=group) (member={0}))";
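The two query filters above carry a {0} placeholder that the server fills in at login time (the account name for UserQueryFilter, the user's entry for GroupQueryFilter). The following is an added example, not Foglight's own code: it parses a constructed copy of this krb5-auth.config fragment, flags the settings a reviewer checks before enabling SSO, and shows how a {0} substitution must escape the value per RFC 4515 so that the value cannot change the structure of the filter. The parser format and the check list are assumptions based on the fragment shown here.

```python
import re

# Constructed copy of the krb5-auth.config fragment shown above; sample input only,
# not read from FMS_HOME.
KRB5_AUTH_CONFIG = '''
Krb5ConfigFilePath = "./config/krb5.config";
Principal = "HTTP/fmshost.example.com";
QualifyUserPrincipal = true;
QualifyGroupName = true;
Keytab = "./config/krb5.keytab";
UserQueryFilter = "(&(objectClass=user)(sAMAccountName={0}))";
GroupQueryFilter = "(&(objectclass=group)(member={0}))";
'''

_LINE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\w+))\s*;\s*$')
_BOOL = {'true': True, 'false': False}

def parse_krb5_auth(text):
    """Parse `Key = "value";` and `Key = true;` lines into a dict (format assumed from the fragment)."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError('unparseable line: %r' % line)
        key, quoted, bare = m.groups()
        conf[key] = quoted if quoted is not None else _BOOL.get(bare, bare)
    return conf

def check_krb5_auth(conf):
    """Return the problems a reviewer would flag before enabling SSO (empty list when clean)."""
    problems = []
    for key in ('Principal', 'Keytab', 'UserQueryFilter', 'GroupQueryFilter'):
        if key not in conf:
            problems.append('missing %s' % key)
    if not str(conf.get('Principal', '')).startswith('HTTP/'):
        problems.append('Principal must be the HTTP/<fqdn> SPN registered with setspn')
    for key in ('UserQueryFilter', 'GroupQueryFilter'):
        if '{0}' not in str(conf.get(key, '')):
            problems.append('%s has no {0} placeholder' % key)
    return problems

# RFC 4515 escaping of the characters that are special inside a filter assertion value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def render_filter(template, value):
    """Substitute {0} with an escaped value so the value cannot alter the filter structure."""
    return template.replace('{0}', ''.join(_ESCAPE.get(ch, ch) for ch in value))
```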
3). Configure Kerberos (FMS_HOME\config\krb5.config) according to the guidelines below.
The following are the detailed steps for completing the configuration.
Step 1: Configure Active Directory to support Windows Single Sign-on
Microsoft Active Directory provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC (key distribution center) to authenticate users. It allows organizations to share and manage information about users and network resources. When properly configured, Active Directory provides an SSO environment that can be integrated with the standard Windows OS desktop login.
TIP: When setting up the Kerberos Service Principal Name (SPN), use the following instructions to create mappings between the user account and SPNs, and to create a keytab file to configure in krb5-auth.config. For example:
ktpass -princ HTTP/fmshost.example.com@REALM -mapuser "\" -pass -out
Then use setspn to set up the mapping for just the host name. For example:
setspn -A HTTP/fmshost.example.com
NOTES:
- Duplicate SPNs cause Kerberos authentication to return an NTLM token and fall back to Form authentication. To search for duplicate SPNs:
setspn -X -F
- If you locate duplicate SPNs for "HTTP/", you can remove them with the following command:
setspn -d HTTP/fmshost.example.com
- If the account password changes, the keytab file must be recreated.
Step 2: Configure Foglight to support Windows Single Sign-on
Foglight provides SSO for the Management Server using Active Directory as its identity store. It includes an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner. This method allows users to access only those Management Server components for which they are authorized.
Enabling the Windows SSO feature in Foglight requires the configuration of the following files under the $FGLHOME/config directory: krb5-auth.config and krb5.config.
In krb5-auth.config, update the two property values (the principal and the keytab) with the SPN and keytab file created in step 1.
The krb5.config file contains standard Kerberos configuration information. See the following URL for detailed information about the settings:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
Here is a simple krb5.config (the Windows domain is FVE.SUPPORT and the domain controller is tordcw01.fve.support):
[libdefaults]
default_realm = FVE.SUPPORT
# The Management Server will use the first kdc in the realm as an LDAP server
# to retrieve user group information. Use the "LDAPURLOverrides" element in
# krb5-auth.config to override this behaviour.
[realms]
FVE.SUPPORT = {
kdc = tordcw01.fve.support
}
[domain_realm]
.fve.support = FVE.SUPPORT
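A mistake in this file (a realm that is not defined, a realm without a kdc, or a host name not covered by [domain_realm]) shows up only as a failed SSO login, so it pays to check the file before restarting the server. The following is an added example, not Foglight's own code: it parses a constructed copy of the sample above and runs the consistency checks a practitioner would apply; the host-to-realm lookup follows the standard [domain_realm] rule (exact host first, then parent-domain suffixes). The helper and check names are assumptions.

```python
# Constructed copy of the sample krb5.config shown above; embedded so the check runs offline.
KRB5_CONFIG = """
[libdefaults]
default_realm = FVE.SUPPORT
[realms]
FVE.SUPPORT = {
kdc = tordcw01.fve.support
}
[domain_realm]
.fve.support = FVE.SUPPORT
"""

def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf format, including one level of { } blocks."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line[0] == '[' and line[-1] == ']':
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line == '}':
            block = None
        elif line.endswith('{'):
            block = section.setdefault(line[:-1].rstrip(' ='), {})
        else:  # values are lists because keys such as kdc may repeat
            key, _, value = line.partition('=')
            (block if block is not None else section).setdefault(key.strip(), []).append(value.strip())
    return sections

def realm_for_host(sections, host):
    """Map a host to a realm via [domain_realm]: exact name first, then parent-domain suffixes."""
    mapping = {k: v[0] for k, v in sections.get('domain_realm', {}).items()}
    labels = host.lower().split('.')
    candidates = [host.lower()] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def check_krb5_conf(sections, fms_host):
    """Return consistency problems; an empty list means the config is coherent for fms_host."""
    problems, realms = [], sections.get('realms', {})
    default = sections.get('libdefaults', {}).get('default_realm', [None])[0]
    if default not in realms:
        problems.append('default_realm %s has no [realms] entry' % default)
    for name, body in realms.items():
        if not body.get('kdc'):
            problems.append('realm %s lists no kdc (the first kdc is also the LDAP server)' % name)
    if realm_for_host(sections, fms_host) is None:
        problems.append('%s is not mapped to any realm by [domain_realm]' % fms_host)
    return problems
```

Note that the sample realm (FVE.SUPPORT) and the sample SPN host (fmshost.example.com) come from two different examples on this page; in a real deployment the Management Server's FQDN must fall under a [domain_realm] entry, which the last check verifies.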
Step 3: Configure your web browser to support Windows Single Sign-on
Most web browsers include extensions that allow Foglight users to participate in a Kerberos-based single sign-on (SSO) environment. This environment relies on the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) authentication mechanism. To enable this feature, configure your web browser to support SPNEGO authentication.
Currently, only Microsoft Internet Explorer, Google Chrome™, and Mozilla Firefox can be configured to support SPNEGO authentication.
To configure Internet Explorer to enable SPNEGO authentication:
- Log in to your Windows Active Directory domain.
- Start Internet Explorer.
- From the Tools menu, navigate to Internet Options > Advanced > Security.
- Scroll down to the Security section. Select the option: Enable Integrated Windows Authentication (requires restart).
- From the Tools menu, select Internet Options > Security > Local Intranet > Sites > Advanced.
- Add one of the following:
• An entry for the application server.
• A list entry that globally includes the domain of the application server. For example: http://*.example.com
- Select Local Intranet > Custom Level.
- Under Security Settings > User Authentication, select the Automatic logon only in Intranet zone option.
- Restart Internet Explorer.
To configure Chrome to enable SPNEGO authentication on a machine running a Windows OS:
For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.
- From the Start menu, open the Control Panel.
- Select Internet Options.
- Select the Security tab.
- Click Local Intranet > Sites > Advanced.
- Type the domain of the application server in the box (for example: “*.example.com”), and click Add.
- Click OK to close all the dialog boxes.
To configure Chrome to enable SPNEGO authentication on a machine running Linux or Chromium:
For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.
Customize the launcher for your desktop.
Add the following parameter to the command-line:
--auth-server-whitelist=".example.com"
where ".example.com" is the domain of the application server.
To configure Firefox to enable SPNEGO authentication:
For complete details, see the Firefox documentation at https://developer.mozilla.org/en-US/docs/Integrated_Authentication.
- Log in to your Windows Active Directory domain.
- Start Firefox.
- In the address bar of a blank tab, type about:config.
- If prompted, click "I'll be careful, I promise!". A list of entries appears in the Firefox window.
- In the Filter field, type: negotiate. Locate the entry network.negotiate-auth.trusted-uris. This entry is used to configure the sites that are permitted to engage in SPNEGO authentication with Firefox.
- Double click network.negotiate-auth.trusted-uris.
- In the dialog box that opens, type the URL that you use to access the Foglight browser interface.
- Click OK to close the dialog box, and restart Firefox to enable the new configuration.
Step 4: Connect to Foglight
Once everything is configured, log in to Foglight as one user. The user will be imported from AD, but the connection will be rejected. Then log in to Foglight as an administrator and open the "User Management" dashboard. On the "Groups" tab, make sure the AD groups have been imported with their distinguished name (group@domain). Assign the group to the first user and let that user log in to Foglight again.
After the first authentication via AD has been completed, the AD groups are fully initialized and further users will be able to connect using SSO.