Setting up SSO Kerberos

This article describes how to enable BlueMind to recognize Kerberos authentication in a Windows infrastructure.

info

In the rest of this document, we'll consider BlueMind's external url, accessible by users bluemind.domain.tld, and the ActiveDirectory server ad.domain.tld.

The domain in which these machines are located is DOMAIN.TLD.

Preparing login information

1. Create a service user for Kerberos authentication in the Active Directory, e.g. For example bmkrb with password krbpwd.

2. Open a cmd.exe console and run the following command:

   setspn -A HTTP/bluemind.domain.tld bmkrb

3. The command should return a result equivalent to the following rows:

   Registering ServicePrincipalNames for CN=bmkrb,CN=Users,DC=domain,DC=tld
   	    HTTP/bluemind.domain.tld
   Updated object

4. Then run the following command:

   Windows 2012R2

   ktpass /out C:\bluemind.keytab  /mapuser bmkrb@DOMAIN.TLD  /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  /pass krbpwd /kvno 0 /ptype KRB5_NT_PRINCIPAL

   Windows 2016 & +

   ktpass /out C:\bluemind.keytab /crypto AES256-SHA1 /mapuser bmkrb@DOMAIN.TLD  /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  /pass krbpwd /kvno 0 /ptype KRB5_NT_PRINCIPAL

5. The result should look like the following rows:

   Targeting domain controller: AD.domain.tld
   Using legacy password setting method
   Successfully mapped HTTP/bluemind.domain.tld to bmkrb.
   Output keytab to C:\bluemind.keytab

Activation via the administration interface

1. In the administration console, go to System management > Supervised domains > choose domain > Security tab.
2. Select the Kerberos authentication mode and fill in the associated form:
   
   • Active Directory domain
   • Active Directory server
   • Active Directory keytab file: check the box and choose the file previously created
3. Click on "Save" to save your changes.

Once Kerberos authentication is enabled, you will be automatically authenticated if your browser is configured correctly.

Customer configuration

When the AD domain is different from the BlueMind domain, the client web browser may not trust the BlueMind domain. The BlueMind url access must therefore be added as a trusted site in the web browser.

Firefox

To add a trusted site, you need to access the browser settings :

• in the web browser address bar, type:

  about:config

• Validate the warning by clicking on "Accept the risk and continue".

• In the search box, type:

  trusted

• Double-click on the network.negotiate-auth.trusted-uris parameter or click on the pencil at the end of the line to edit it.

• Enter the BlueMind domain address (here bluemind.domain.tld) and confirm.

  💡 The parameter appears in bold: this means that it has been modified, and no longer has its default value.

• Restart Firefox for the change to take effect.

Microsoft Edge

Microsoft Edge is configured manually on the workstation:

• Run Regedit as administrator
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge and create the missing registry keys if necessary.
• Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
• Restart Edge for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

• Start Edge
• Enter edge://policy in the URL field
• Check that the AuthServerAllowlist policy appears in the "Microsoft Edge Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Edge strategies, see the Microsoft documentation :

• https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#windows-registry-settings-111

For configuration propagation by GPO, see the following pages of the Microsoft documentation :

• https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AuthServerAllowlist&Language=fr-fr
• https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AuthNegotiateDelegateAllowlist&Language=fr-fr

Chrome

Google Chrome is configured manually on the workstation:

• Run Regedit as administrator
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and create the missing keys if necessary.
• Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
• Restart Chrome for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

• Start Chrome
• Enter chrome://policy in the URL field
• Check that the AuthServerAllowlist policy appears in the "Chrome Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Chrome strategies, see the Goole documentation :

• https://chromeenterprise.google/policies/?policy=AuthServerAllowlist

For configuration propagation by GPO, see the following page of the Google documentation:

• https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::AuthServerWhitelist&Language=fr-fr

Find out more

For further information, please consult the following pages:

• http://sammoffatt.com.au/jauthtools/Kerberos/Browser_Support
• https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/intranet-site-identified-as-an-internet-site