[Ent] AD + Kerberos Support
In this tutorial we show how to configure the servers to activate Kerberos SSO in Pydio Cells. We will work on three servers/machines:
- Windows Server - Domain Controller
- Cells Server: a Linux server running Cells (the web service)
- Workstation + Web browser (Firefox, Chrome, Edge)
Windows Server
Create a service account
Create a new user “cellssrv” in the Users organizational unit.
Make sure that this user cannot change the password and that the password never expires.
Two other options must also be checked:
- Kerberos AES 256 bit encryption
- Do not require Kerberos preauthentication
Generate the keytab
Open PowerShell and run the following command to convert the “cellssrv” user into a service account and generate the keytab. The whole command must be entered on one line:
PS C:\Users\Administrator> ktpass /princ HTTP/cellssrv.lab.py@LAB.PY /pass "Passw0rd" /mapuser cellssrv /out cellssrv.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /mapop set
Attention: lab.py is the DNS domain name and must be lowercase; LAB.PY (after the @) is the Kerberos realm and must be uppercase. Replace both with your own domain name.
After the command completes, the user logon name of “cellssrv” changes to “HTTP/cellssrv.lab.py”.
Then copy "cellssrv.keytab" to the Cells server, e.g. /var/cells/cellssrv.keytab
DNS record
Make sure that your DNS server has an A record for the cellssrv machine. Otherwise, create a new Host (A) record.
Attention: This tutorial assumes Cells is running at https://cellssrv.lab.py. If it runs at https://other-name.lab.py, create the service account (and keytab) for “other-name” instead.
Cells Server
Key tab
Copy the generated keytab (cellssrv.keytab) to the Cells server and change its permissions so that the “pydio” user can read it, for example at “/var/cells/cellssrv.keytab”.
Env variables
Add the following lines to the systemd unit file (/etc/systemd/system/cells.service):
…
[Service]
WorkingDirectory=/home/pydio
PermissionsStartOnly=true
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/home/pydio/cells-enterprise start
Restart=on-failure
StandardOutput=journal
StandardError=inherit
LimitNOFILE=65000
TimeoutStopSec=5
KillSignal=INT
SendSIGKILL=yes
SuccessExitStatus=0
# Add environment variables
Environment=CELLS_ENABLE_METRICS=false
Environment=CELLS_WORKING_DIR=/var/cells
Environment=CELLS_SPNEGO_LABEL="Kerberos SSO"
Environment=CELLS_SPNEGO_KEYTAB="/var/cells/cellssrv.keytab"
….
CELLS_SPNEGO_LABEL: the label of the button on the login screen that users click to log in with Kerberos SSO.
CELLS_SPNEGO_KEYTAB: the absolute path to the keytab.
Attention: Don’t forget to run systemctl daemon-reload and then systemctl restart cells.
Users can then authenticate by clicking the new button on the login page.
Users' PC & Web browser
At this step, you can see the “Kerberos SSO” button on the login page of Cells. It does not work yet, because authentication negotiation (SPNEGO) has not been enabled in the browser.
Enable spnego
On a domain-joined PC, open Internet Options and add “https://cellssrv.lab.py” to the Local intranet zone.
After adding this entry, you are able to authenticate with “Kerberos SSO”. When you click the button, you are logged in as the current Windows user.
The configuration in “Internet Options” applies to Chrome and Edge.
If you are using Firefox, please visit this link to enable spnego: https://www.ibm.com/docs/en/was/9.0.5?topic=authentication-configuring-c...
GroupPolicy
You can also enable authentication negotiation (SPNEGO) in web browsers through Domain Controller Group Policy.
Google Chrome:
Document: https://docs.keeper.io/enterprise-guide/deploying-keeper-to-end-users/ke....
Chrome gpo template: https://chromeenterprise.google/browser/download/#manage-policies-tab
Firefox:
Document: https://specopssoft.com/blog/using-firefox-enterprise-gpos-enable-window...
Firefox gpo template: https://github.com/mozilla/policy-templates/releases