Skip to main content

Setting up SSO Kerberos

This article describes how to enable BlueMind to recognize Kerberos authentication in a Windows infrastructure.

How Kerberos authentication works

Kerberos' authentication enables users with a Windows account already associated with their BlueMind account (via an AD import) to authenticate automatically, without having to go through a login screen (SSO).

To do this:

  • the user must be in a Windows session on the domain with which Kerberos SSO has been activated

    Multi-domain installation
    In the case of Multi-domain Messaging, each domain can have its own Kerberos configuration. If Kerberos is configured on several domains, each domain must have its own URL
    If Kerberos is configured on 1 domain only, use the global URL

  • the user must use a browser where SPNEGO is active for the BlueMind global URL

Kerberos configuration

configuration data

In the rest of this documentation, we consider the following elements:

  • BlueMind's external URL (global URL): bluemind.domain.tld

  • Active Directory server (IP address or name of Windows domain AD server): ad.domain.tld

  • Active Directory domain (or realm, corresponds to the Windows domain in uppercase): DOMAIN.TLD

    ⚠️ Add the AD domain to the BM domain aliases if different from the BM domain name.

global url

All Kerberos configuration is done with the global URL. Do not use the URL of the domain concerned, either to generate the keytab file (and setspn), or for client configuration, even when Kerberos is configured on several domains.

Consequently, if the global URL is modified (see External URL Configuration), all keytabs (and setspn) must be re-generated, and all clients reconfigured with the new global URL.

Generate Keytab file

The keytab file is generated in 2 stages.

Open a cmd.exe console, then :

  1. Create a user dedicated to Kerberos authentication in the ActiveDirectory by running the following command:
    where user name = bmkrb; password = krbpwd.

    setspn -A HTTP/bluemind.domain.tld bmkrb

    The command should return a result equivalent to the following rows:

    Registering ServicePrincipalNames for CN=bmkrb,CN=Users,DC=domain,DC=tld
    	HTTP/bluemind.domain.tld
    Updated object

  2. Create the keytab file with the following command:

    ktpass /out C:\bluemind.keytab
               /mapuser bmkrb@DOMAIN.TLD  
               /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  
               /pass krbpwd 
               /kvno 0 
               /ptype KRB5_NT_PRINCIPAL

    The result should look like the following rows:

    Targeting domain controller: AD.domain.tld
    Using legacy password setting method
    Successfully mapped HTTP/bluemind.domain.tld to bmkrb.
    Output keytab to C:\bluemind.keytab

Activation via the administration console

  1. In the administration console, go to System management > Supervised domains > choose domain > Security tab.
  2. Select the Kerberos authentication mode and fill in the associated form:
    • Active Directory domain
    • Active Directory server
    • Active Directory keytab file: check the box and select the previously created file
  3. Click on "Save" to save your changes.

Customer configuration

When the AD domain is different from the BlueMind domain, the client web browser may not trust the BlueMind domain. The BlueMind url access must therefore be added as a trusted site in the web browser.

Firefox

To add a trusted site, you need to access the browser settings :

  • in the web browser address bar, type:

    about:config

  • Validate the warning by clicking on "Accept the risk and continue".

  • In the search box, type:

    trusted

  • Double-click on the network.negotiate-auth.trusted-uris parameter or click on the pencil at the end of the line to edit it.

  • Enter the BlueMind domain address (here bluemind.domain.tld) and confirm.

    💡 The parameter appears in bold: this means that it has been modified, and no longer has its default value.

  • Restart Firefox for the change to take effect.

Microsoft Edge

Microsoft Edge is configured manually on the workstation:

  • Run Regedit as administrator
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge and create the missing registry keys if necessary.
  • Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
  • Restart Edge for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

  • Start Edge
  • Enter edge://policy in the URL field
  • Check that the AuthServerAllowlist policy appears in the "Microsoft Edge Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Edge strategies, see the Microsoft documentation :

For more information on GPO configuration, please refer to the following documentation:

Chrome

Google Chrome is configured manually on the workstation:

  • Run Regedit as administrator
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and create the missing keys if necessary.
  • Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
  • Restart Chrome for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

  • Start Chrome
  • Enter chrome://policy in the URL field
  • Check that the AuthServerAllowlist policy appears in the "Chrome Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Chrome strategies, see the Google documentation:

For more information on GPO configuration, please refer to the following documentation:

Find out more

Related BlueMind documentation pages

See the following pages

Last updated on