Setting up SSO Kerberos

This article describes how to enable BlueMind to recognize Kerberos authentication in a Windows infrastructure.

info

In the rest of this document, we'll consider BlueMind's external url, accessible by users bluemind.domain.tld, and the ActiveDirectory server ad.domain.tld.

The domain in which these machines are located is DOMAIN.TLD.

Preparing login information

1. Create a service user for Kerberos authentication in the Active Directory, e.g. For example bmkrb with password krbpwd.

2. Open a cmd.exe console and run the following command:

   setspn -A HTTP/bluemind.domain.tld bmkrb

3. The command should return a result equivalent to the following rows:

   Registering ServicePrincipalNames for CN=bmkrb,CN=Users,DC=domain,DC=tld
   	    HTTP/bluemind.domain.tld
   Updated object

4. Then run the following command:

   Windows 2012R2

   ktpass /out C:luemind.keytab  /mapuser bmkrb@DOMAIN.TLD  /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  /pass krbpwd /kvno 0 /ptype KRB5_NT_PRINCIPAL

   Windows 2016 & +

   ktpass /out C:luemind.keytab /crypto AES256-SHA1 /mapuser bmkrb@DOMAIN.TLD  /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  /pass krbpwd /kvno 0 /ptype KRB5_NT_PRINCIPAL

5. The result should look like the following rows:

   Targeting domain controller: AD.domain.tld
   Using legacy password setting method
   Successfully mapped HTTP/bluemind.domain.tld to bmkrb.
   Output keytab to C:\hps.keytab

Setting up Kerberos in the admin console

1. In the administration console, go to System management > Supervised domains > choose domain > Security tab.
2. Select the Kerberos authentication mode and fill in the associated form:
   
   • Active Directory domain
   • Active Directory server
   • Active Directory keytab file: check the box and choose the file previously created
3. Click on "Save" to save your changes.

Once Kerberos authentication is enabled, you will be automatically authenticated if your browser is configured correctly.

Client configuration

When the AD domain is different from the BlueMind domain, the client web browser may not trust the BlueMind domain. The BlueMind url access must therefore be added as a trusted site in the web browser.

Firefox

To add a trusted site, you need to access the browser settings :

• in the web browser address bar, type:

  about:config

• Validate the warning by clicking on "Accept the risk and continue".

• In the search box, type:

  trusted

• Double-click on the network.negotiate-auth.trusted-uris parameter or click on the pencil at the end of the line to edit it.

• Enter the BlueMind domain address (here bluemind.domain.tld) and confirm.

  💡 The parameter appears in bold: this means that it has been modified, and no longer has its default value.

• Relaunch Firefox for the change to take effect.

Microsoft Edge

Microsoft Edge is configured using the following command in a cmd.exe prompt:

msedge.exe --auth-server-whitelid="bluemind.domain.tld" --auth-negotiate-delefatewhitelist="bluemind.domain.tld"

For configuration propagation by GPO, see the following pages of the Microsoft documentation :

• https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AuthServerAllowlist&Language=fr-fr
• https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AuthNegotiateDelegateAllowlist&Language=fr-fr

Chrome

Google Chrome can be configured with the following command:

google-chrome --auth-server-whitelist="\bluemind.domain.tld"

For configuration propagation by GPO, see the following page of the Microsoft documentation:

• https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::AuthServerWhitelist&Language=fr-fr

Find out more

For further information, please consult the following pages:

• http://sammoffatt.com.au/jauthtools/Kerberos/Browser_Support
• https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/intranet-site-identified-as-an-internet-site