Kerberos is a network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to each other securely. Kerberos is the recommended method for user authentication in Microsoft® Windows networks. In addition, it is widely used with Linux operating systems and is designed for use with all major platforms.
Procedure
If you do not have a Kerberos configuration file, take the kbr5.conf from your installation media under Add-ons\Kerberos. Name it, for example, krb5.conf, add the following lines, and adjust the configuration to meet your requirements.
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
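The lists above still include single-DES and RC4/arcfour types, which are weak and which current Windows domain controllers and MIT Kerberos releases reject or disable by default. As an added example, not part of the ARIS documentation, the following Python script parses a [libdefaults] block (a constructed sample copied from the three lines above) and reports which listed enctypes are weak together with a trimmed version of each line; the key names and the weak-prefix classification are the script's own assumptions.

```python
"""Audit the enctype lists of a krb5.conf [libdefaults] section."""
import re

# Constructed sample: the [libdefaults] block exactly as the documentation shows it.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Weak families: single DES (56-bit keys) and RC4/arcfour (key derived from the
# unsalted NT password hash). "des3-" is deliberately not matched by "des-".
WEAK_PREFIXES = ("des-", "rc4-", "arcfour-")


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section; '#' and ';' start comments."""
    section, values = None, {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def weak_enctypes(text):
    """Map each enctype key to the weak enctype names it currently allows."""
    values = parse_libdefaults(text)
    return {key: [n for n in values.get(key, "").split() if n.startswith(WEAK_PREFIXES)]
            for key in ENCTYPE_KEYS}


def hardened_value(value):
    """Return the enctype list with the weak families removed, order preserved."""
    return " ".join(n for n in value.split() if not n.startswith(WEAK_PREFIXES))


if __name__ == "__main__":
    for key, weak in weak_enctypes(SAMPLE_KRB5_CONF).items():
        print(f"{key}: weak = {weak}")
        print(f"  suggested: {key} = {hardened_value(parse_libdefaults(SAMPLE_KRB5_CONF)[key])}")
```

Before trimming a production file, confirm that the keytab and the account in Active Directory were created with an AES enctype, because a keytab that holds only an RC4 key stops working once RC4 is removed from these lists.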
If the Service Principal Name in the keytab is, for example, mypc01@MY.DOMAIN.COM, the value of the property com.company.aris.umc.kerberos.servicePrincipalName must contain the Service Principal Name exactly as specified in the keytab file.
Example: MYDOMAIN.COM.
The debug output of the program that the user wishes to log into is saved in the file system.out of the respective program. For user management, for example, this is located in the directory <ARIS installation directory>/work_umcadmin_m/base/logs.
You have configured SSO using Kerberos in ARIS Administration.
You can use Kerberos with multiple LDAP systems.
Client configuration
Configure the browser settings to allow SSO. SSO has been tested with the following browsers:
Prerequisite
You need to empty the Kerberos ticket cache of each client first, in order to avoid obsolete tickets if Microsoft® Active Directory Domain Services were changed. Delete the Kerberos ticket cache by executing the command klist.exe purge. If the purge program is not available on the client computer, you can also simply log off the client computer from the domain and log in again.
Microsoft® Internet Explorer®
Microsoft® Internet Explorer® supports Kerberos authentication only if the ARIS Server is part of your local intranet.
Procedure
Mozilla Firefox®
In Mozilla Firefox®, you can define trustworthy sites using the computer name, IP address, or a combination of both. You can use wildcards.
Procedure
If you prefer to use an encryption stronger than AES 128-bit and this is allowed in your country, replace the JCE policy file of the JDK of your ARIS Server with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6. This allows unlimited key length.
If you cannot replace the policy files but still want to use SSO, you need to use an encryption type that the JDK allows for encrypting Kerberos tickets, for example, AES 128-bit.