Skip to main content

Setting up SSO Kerberos

This article describes how to enable BlueMind to recognize Kerberos authentication in a Windows infrastructure.

How Kerberos authentication works

Kerberos' authentication enables users with a Windows account already associated with their BlueMind account (via an AD import) to authenticate automatically, without having to go through a login screen (SSO).

To do this:

  • the user must be in a Windows session on the domain with which Kerberos SSO has been activated

    Multi-domain installation
    In the case of Multi-domain Messaging, each domain can have its own Kerberos configuration. If Kerberos is configured on several domains, each domain must have its own URL
    If Kerberos is configured on 1 domain only, use the global URL

  • the user must use a browser where SPNEGO is active for the BlueMind global URL

Kerberos configuration

configuration data

In the rest of this documentation, we consider the following elements:

  • BlueMind's external URL (global URL): bluemind.domain.tld

  • Active Directory server (IP address or name of Windows domain AD server): ad.domain.tld

  • Active Directory domain (or realm, corresponds to the Windows domain in uppercase): DOMAIN.TLD

    ⚠️ Add the AD domain to the BM domain aliases if different from the BM domain name.

global url

All Kerberos configuration is done with the global URL. Do not use the URL of the domain concerned, either to generate the keytab file (and setspn), or for client configuration, even when Kerberos is configured on several domains.

Consequently, if the global URL is modified (see External URL Configuration), all keytabs (and setspn) must be re-generated, and all clients reconfigured with the new global URL.

Generate Keytab file

The keytab file is generated in 2 stages.

Open a cmd.exe console, then :

  1. Create a user dedicated to Kerberos authentication in ActiveDirectory

    1. Enable the "This account supports Kerberos AES 256 bit encryption" option in the "Account" tab:
    2. Add the role to the user by running the following command:
      where username = bmkrb; password = krbpwd.
    setspn -A HTTP/bluemind.domain.tld bmkrb

    The command should return a result equivalent to the following rows:

    Registering ServicePrincipalNames for CN=bmkrb,CN=Users,DC=domain,DC=tld
    	HTTP/bluemind.domain.tld
    Updated object

  2. Create the keytab file with the following command:

    ktpass /out C:\bluemind.keytab
              /mapuser bmkrb@DOMAIN.TLD  
              /princ HTTP/bluemind.domain.tld@DOMAIN.TLD  
              /pass krbpwd 
              /kvno 0 
              # paramètre optionnel, voir la remarque "Key Version Number" ci-après
              /ptype KRB5_NT_PRINCIPAL

    The result should look like the following rows:

    Targeting domain controller: AD.domain.tld
    Using legacy password setting method
    Successfully mapped HTTP/bluemind.domain.tld to bmkrb.
    Output keytab to C:\bluemind.keytab
Key Version Number

The Kvno (Key Version Number) parameter is used to manage multiple keys for a user.

The value of the ktpass command (/kvno 0) given in the examples above is a generic value, which will work in most cases. However, this value can be blocking depending on the users and any keys already present or in use. Only the AD administrator knows exactly what this information is.

It is possible not to specify this parameter. In this case, a new key will be created automatically with the version number following the one already present in the AD for this account.

For more information on the Kvno parameter, see the Microsoft documentation on the ktpass command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Activation via the administration console

  1. In the administration console, go to System management > Supervised domains > choose domain > Security tab.
  2. Select the Kerberos authentication mode and fill in the associated form:
    • Active Directory domain
    • Active Directory server
    • Active Directory keytab file: check the box and select the previously created file
  3. Click on "Save" to save your changes.

Customer configuration

When the AD domain is different from the BlueMind domain, the client web browser may not trust the BlueMind domain. The BlueMind url access must therefore be added as a trusted site in the web browser.

Firefox

Manual configuration

To add a trusted site, you need to access the browser settings :

  • in the web browser address bar, type:

    about:config

  • Validate the warning by clicking on "Accept the risk and continue".

  • In the search box, type:

    trusted

  • Double-click on the network.negotiate-auth.trusted-uris parameter or click on the pencil at the end of the line to edit it.

  • Enter the BlueMind domain address (here bluemind.domain.tld) and confirm.

    💡 The parameter appears in bold: this means that it has been modified, and no longer has its default value.

  • Restart Firefox for the change to take effect.

GPO configuration

Here is an example of how to configure GPOs for Firefox :

  1. Add "Windows policies" to the AD server

    1. Download templates in ADMX format here: https://github.com/mozilla/policy-templates/releases

    2. Put them in ``\Windows\PolicyDefinitions```

      💡 The .admx files are in the root directory and the .adml files in the corresponding language folders.

  2. Set up the Kerberos-specific GPO

    1. Go to : Computer configuration > Policies > Administrative templates > Mozilla > Firefox > Authentication

    2. Find and open the "SPNEGO" parameter

    3. Press "Activate"

    4. In the "Options" field, press "Display" and enter the address of the desired network resource

      ℹ️ If several addresses are to be entered, enter one address per row.

    5. Press the "OK" button to close the windows with the changes applied


For more information on GPO configuration, please refer to the following documentation:

As well as Firefox documentation:

Microsoft Edge

Manual configuration

Microsoft Edge is configured manually on the workstation:

  • Run Regedit as administrator
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge and create the missing registry keys if necessary.
  • Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
  • Restart Edge for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

  • Start Edge
  • Enter edge://policy in the URL field
  • Check that the AuthServerAllowlist policy appears in the "Microsoft Edge Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Edge strategies, see the Microsoft documentation :

GPO configuration

Here is an example of how to configure GPOs for Edge:

  1. Add "Windows policies" to the AD server

    1. Download templates in ADMX format here: https://www.microsoft.com/en-en/edge/business/download?cs=4134690573&form=MA13FJ

    2. Put them in ``\Windows\PolicyDefinitions```

      💡 The .admx files are in the root directory and the .adml files in the corresponding language folders.

  2. Set up the Kerberos-specific GPO

    1. Go to : Computer configuration > Administrative templates > Microsoft Edge > HTTP authentication

    2. Find and open the "Configure list of authorized authentication servers" parameter

    3. Press "Activate"

    4. In the "Options" field, enter the address of the desired network resource

      ℹ️ If several addresses are to be entered, separate them with commas

    5. Press the "OK" button to close the windows with the changes applied


For more information on GPO configuration, please refer to the following documentation:

Chrome

Manual configuration

Google Chrome is configured manually on the workstation:

  • Run Regedit as administrator
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and create the missing keys if necessary.
  • Create a value of type "String value (REG_SZ)", with name AuthServerAllowlist and value bluemind.domain.tld.
  • Restart Chrome for the change to take effect.

In the event of a malfunction, ensure that the policy is taken into account:

  • Start Chrome
  • Enter chrome://policy in the URL field
  • Check that the AuthServerAllowlist policy appears in the "Chrome Policies" section, with the value entered above. If not, click on Reload strategies. If it still doesn't appear, check that you have modified the register as described above.

For more information on Chrome strategies, see the Google documentation:

GPO configuration

Here is an example of how to configure GPOs for Chrome :

  1. Add "Windows policies" to the AD server

    1. Download templates in ADMX format here: https://support.google.com/chrome/a/answer/187202?hl=fr#zippy=%2Cwindows

    2. Put them in ``\Windows\PolicyDefinitions```

      💡 The .admx files are in the root directory and the .adml files in the corresponding language folders.

  2. Set up Kerberos-specific GPO

    1. Go to : Computer configuration > Administrative templates > Google > Google Chrome > HTTP authentication

    2. Find and open the "Authentication server authorization list" parameter

    3. Press "Activate"

    4. In the "Options" field, enter the address of the desired network resource

      ℹ️ If several addresses are to be entered, separate them with commas

    5. Press the "OK" button to close the windows with the changes applied


For more information on GPO configuration, please refer to the following documentation:

Find out more

Related BlueMind documentation pages

See the following pages

Last updated on