Table of Contents
Advertisement
Prerequisites For Single Sign-On Or Smart Card Login
The pre-requisites to configure SSO or Smart Card logins are:
•
Set up the kerberos realm and Key Distribution Center (KDC) for Active Directory (ksetup).
•
A robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
•
Configure CMC with Active Directory standard schema role group with authorized members.
•
For smart card, create Active Directory users for each CMC, configured to use Kerberos DES encryption but not pre-
authentication.
•
Configure the browser for SSO or smart card login.
•
Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to CMC).
Generating Kerberos Keytab File
To support the SSO and smart card login authentication, CMC supports Windows Kerberos network. The ktpass tool (available from
Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN) bindings to a user account
and export the trust information into a MIT-style Kerberos keytab file. For more information about the ktpass utility, see the
Microsoft Website.
Before generating a keytab file, you must create an Active Directory user account for use with the -mapuser option of the ktpass
command. You must use the same name as the CMC DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1.
Run the ktpass utility on the domain controller (Active Directory server), where you want to map CMC to a user account in
Active Directory.
2.
Use the following ktpass command to create the Kerberos keytab file:
ktpass -princ HTTP/cmcname.domainname.com@DOMAINNAME.COM -mapuser keytabuser -crypto
DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
NOTE: The cmcname.domainname.com must be in lower case as required by RFC and the @REALM_NAME must be
in uppercase. In addition, CMC supports the DES-CBC-MD5 and AES256–SHA1 types of cryptography for Kerberos
authentication.
A keytab file is generated that must be uploaded to CMC.
NOTE: The keytab contains an encryption key and must be kept secure. For more information about the
utility, see the Microsoft Website.
Configuring CMC For Active Directory Schema
For information about configuring CMC for Active Directory standard schema, see
For information about configuring CMC for Extended Schema Active Directory, see
Configuring Browser For SSO Login
Single Sign-On (SSO) is supported on Internet Explorer versions 6.0 and later, and Firefox versions 3.0 and later.
NOTE: The following instructions are applicable only if CMC uses Single Sign-On with Kerberos authentication.
Internet Explorer
To configure Internet Explorer for Single Sign-On:
1.
In the Internet Explorer, select Tools → Internet Options.
2.
On the Security tab, under Select a zone to view or change security settings, select Local Intranet.
Configuring Standard Schema Active
Extended Schema Active Directory
ktpass
Directory.
Overview.
131
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
