Copyright ©
Mindbreeze GmbH, A-4020 Linz, 2024.
All rights reserved. All hardware and software names are brand names and/or trademarks of their respective manufacturers.
These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes or other protected rights. The dissemination, publication or reproduction hereof is prohibited.
For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.
This document describes how to configure Kerberos authentication in Mindbreeze InSpire.
Kerberos authentication can be used in the following scenarios:
The following requirements need to be fulfilled:
PLEASE NOTE: The PTR record is required.
The SPN, also called the service principal name, must match the FQDN of the host name of your appliance created in the preceding point. The syntax for this command on your Windows domain controller server is:
setspn -a HTTP/YOURAPPLIANCE.mydomain.com DOMAIN\serviceuser
Example: setspn -a HTTP/example.academy.fabasoft.com academy\Administrator
The service user does not have to be an administrator. He or she just needs full read access to the LDAP directory in order to carry out group resolution and authentication.
If a login prompt is displayed on your PC after you have completed this setup and your registered domain user is not automatically used, you have to enable Kerberos ticketing in the GPOs of your domain controller server. In this process, it is important to be sure to add the address of your Mindbreeze appliance to the trusted sites.
For Kerberos-based authentication with active directory, you must create a user in the active directory who has the correct permissions for the data source (see documentation for the respective connector).
For Kerberos-based authentication with active directory, you must create a service user in the active directory − for example, mindbreeze.service. Please make sure that the following requirements are met:
setspn –s HTTP/<fully qualified host name for Mindbreeze InSpire> <domain>\<mindbreeze.service>
Example:
setspn –s HTTP/search.companyname.com companyname\mindbreeze.service
The Fully Qualified Domain Name (FQDN) must be defined in a DNS A record. Otherwise, if it is a DNS C-NAME, a Service Principal Name (SPN) will be required in addition for the A-Record host.
You can find the Kerberos configuration in the Management Center under “Setup” “Kerberos“.
You need to create a Kerberos configuration if it does not already exist.
To do this, you have the following options:
If you would like to use the option for automatic determination of the configuration, click "Detect Config", which uses the DNS settings of the operating system to determine the "REALM", "Domain Controller KDC" and "DNS Domain".
Requirements for the automatic determination of the configuration:
For manual configuration, the following settings need to be made:
“REALM“ | Realm of the domain, usually the domain in uppercase |
“Domain Controller/KDC“ | Domain controller or Kerberos server to be used. |
“DNS Domain“ | DNS domain name |
Then click "Save Config" to save the Kerberos configuration.
Various verification steps are performed during saving. If errors occur, the properties involved will be marked in red and the system outputs the corresponding error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Save Config" again.
If everything is saved correctly, two new sections will appear below:
After the Kerberos configuration has been successfully saved, expand the "Generate ‘Connector’ Keytab" section. Now specify the login data for the user with whom the connector is going to work. In the "Service User" property, specify the full user name and enter the corresponding password in the "Password" property.
Then click on "Generate Keytab".
Various verification steps are performed during the generation. If errors occur, the properties involved will be marked in red and the system outputs the corresponding error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Generate Keytab" again.
If the data is correct, a new section "’Connector’ Keytab" appears below:
The entries in the keytab are displayed in a table. To download the keytab file, click "Download Keytab File". Make a note of the "Principal" name (user name) as this name will be required later.
Then switch to the "Configuration" section in the Management Center and select the "Authentication" tab. Select the downloaded keytab file and click "Upload".
After successfully uploading, the keytab file appears in the Available Keytabs list.
Then, in the "Setup Kerberos Authentication" section, select the desired keytab file for the connector, and enter the principal name that you previously noted.
Then save the configuration and restart.
After the Kerberos configuration has been saved successfully, expand the "Generate ‘Search Client’ Keytab" section. Under “Client hostname”, enter the hostname that you want to use for the client service. Now enter the login data for the service user. In the "Service User" property, specify the full user name and enter the corresponding password in the "Password" property.
Then click "Generate Keytab".
During the generation, various verification steps are executed. If errors occur, the respective properties are colored red and the system outputs relevant error messages. Correct the entered values or make sure that the relevant infrastructure is running correctly and is accessible. Then click "Generate Keytab" again.
If the data is correct, a new section “’Search Client’ Keytab” appears below:
The entries in the keytab are displayed in a table. To download the keytab file, click "Download Keytab File". Note the "Principal" name (beginning with "HTTP/"), which is required later.
Then change to the "Configuration" section in the Management Center and select the "Authentication" tab. Select the downloaded keytab file and click "Upload".
After successfully uploading, the keytab file appears in the Available Keytabs list.
Then, in the "Kerberos Authentication" section, select the desired keytab file for the client service and enter the principal name that you previously noted.
Then save the configuration and restart.
If you are working with a Windows domain controller and users with special characters (e.g. umlauts) in their user name cannot log in, then you can set the following option:
Activate the "Advanced Setting" in the Client Service and set the following value for the option "Embedded Java VM Args (-Xmx..)": -Dsun.security.krb5.msinterop.kstring=true
After restarting the client service, these users will be able to log in.