Installing the Kerberos add-on

Installing the Kerberos add-on comprises:

In the following task:

<AD_SAMAccountName> is the Active Directory Security Accounts Manager account name

<KronodocServerName> is the name of the Project Portal server

<REALM> is the domain name

<SSOUser> is the account name that you create in step 4

<SSOUserPassword> is the password for the account that you created in step 4

<SSOServerURL> is the URL of the single sign-on server, the Project Portal server

To install the Kerberos add-on:

  1. If not done already, synchronize the Active Directory server and Project Portal server clocks, preferably to the same NTP server.
  2. On the Project Portal server, configure /etc/krb5.conf. You can test the configuration by running the following commands:

    kinit -V <AD_SAMAccountName>@<REALM>
    klist
  3. Depending on the Project Portal version, verify that Project Portal infra is installed correctly:

    4.0: /usr/kronodoc/apache/kb4000/modules/mod_auth_kerb.so

    2012: yum install mod_auth_kerb

  4. Create a user account in Active Directory that will be used for the Project Portal single sign-on service.
  5. Log on as a domain administrator and create the keytab file on the Active Directory server by running the following command line:

    ktpass.exe -princ HTTP/<KronodocServerName>@<REALM> -mapuser <SSOUser>@<REALM> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass <SSOUserPassword> -out http_kronodoc.keytab
  6. Check the Service Principal Name (SPN) of the user account that you created in step 4 by running the following command line:

    setspn <SSOUser>@<REALM>

    Verify that multiple SPNs do not exist. If more than one is found, delete the wrong ones by running the following command line:

    setspn -d <WrongUser>
  7. Test the keytab file on the Project Portal server by running the following command line:

    kinit -k -t <KeytabFilePath> HTTP/<KronodocServerName>@<REALM>
  8. Copy the keytab file to the following location:

    httpd/conf/http_kronodoc.keytab
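  9. Set access to the keytab file by running the following command line so that the user account that runs Project Portal can read the file. Mode 600 grants read and write access to the file owner only, so the file must be owned by that account: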

    chmod 600 httpd/conf/http_kronodoc.keytab
  10. Install the Active Directory add-on by adding the following line to the main configuration file:

    $::usermgmt_multisource = 1;

    The location of the configuration file depends on the Project Portal version:

    4.0: conf/config.pm

    2012: conf/instconfig.pm

  11. Install the Kerberos add-on.
  12. Test the installation by running the following command lines:

    kinit <AD_SAMAccountName>@<REALM>
    curl -k -v -u<AD_SAMAccountName>@<REALM>: --negotiate "<SSOServerURL>/sso/index.pl?ticket_for_server=<SSOServerURL>&callback=f"  
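
The keytab checks behind steps 7 to 9, as an added example rather than vendor-supplied code: the shell functions below verify that the keytab is a regular file owned by the service account with owner-only permissions, and that `klist -k` output lists the expected HTTP principal. GNU `stat` is assumed; the function names and the sample hostname and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): preflight checks for the keytab from steps 5-9.
# Assumes GNU coreutils stat, as on the yum-based host the page implies.

# check_keytab_access FILE OWNER
# Passes only if FILE is a regular, non-symlink file owned by OWNER (name or
# numeric uid), readable by the owner, with no group/other permission bits.
check_keytab_access() {
    kt_file=$1
    kt_owner=$2
    if [ -L "$kt_file" ] || [ ! -f "$kt_file" ]; then
        echo "FAIL: $kt_file is missing or not a regular file" >&2
        return 1
    fi
    kt_mode=$(stat -c '%a' "$kt_file") || return 1
    kt_name=$(stat -c '%U' "$kt_file") || return 1
    kt_uid=$(stat -c '%u' "$kt_file") || return 1
    if [ "$kt_owner" != "$kt_name" ] && [ "$kt_owner" != "$kt_uid" ]; then
        echo "FAIL: owner is $kt_name, expected $kt_owner" >&2
        return 1
    fi
    case $kt_mode in
        [4-7]00) return 0 ;;
        *) echo "FAIL: mode $kt_mode; expected 600 (owner-only)" >&2
           return 1 ;;
    esac
}

# keytab_has_principal PRINCIPAL
# Reads `klist -k` output on stdin; passes if an entry line (KVNO, principal)
# names PRINCIPAL exactly.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit !found }'
}

# Constructed sample of `klist -k` output (hostname and realm are made up).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:httpd/conf/http_kronodoc.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/portal.example.com@EXAMPLE.COM
EOF
}
```

On the server, pass the account that runs Project Portal as OWNER and pipe `klist -k httpd/conf/http_kronodoc.keytab` into `keytab_has_principal 'HTTP/<KronodocServerName>@<REALM>'`.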

www.bluecieloecm.com