Configure single sign-on using Kerberos

If ARIS is connected to LDAP, you can configure single sign-on (SSO). A user who has logged in to the Windows domain once then gets access to all ARIS runnables without entering credentials again.

Kerberos is a network authentication protocol that lets nodes communicating over an untrusted network prove their identity to each other securely. It is the recommended method for user authentication in Microsoft® Windows networks, where it replaces the outdated and comparatively insecure NT LAN Manager (NTLM); it is also widely used on Linux and is designed for all major platforms. It provides strong authentication for client/server applications, including web applications where the browser is the client.

Please contact your LDAP administrator before you change any configuration.

Prerequisite

Server

Client

The following steps must be taken to use SSO:

Procedure

  1. Create a technical user in the Microsoft® Active Directory Domain Services.
  2. Register a service principal name (SPN) on that technical user.
  3. Set the single sign-on configuration options in ARIS Administration.
  4. Configure the client application (the browser) to use single sign-on.

Once all four steps are complete, SSO is configured on both the server and the client.

Creating a technical user

A technical user is used to validate Kerberos tickets against the Microsoft® Active Directory Domain Services. This user must be created in the Microsoft® Active Directory Domain Services and a keytab file must be created for this user.

A keytab file contains a list of principals and their keys. It is used to authenticate the technical user to the Microsoft® Active Directory Domain Services without being prompted for a password. The most common use of keytab files is to allow scripts to authenticate against the Microsoft® Active Directory Domain Services without human interaction or storing a password in a plain text file. Anyone with read permission on a keytab can use all of the keys it contains, so you must restrict and monitor permissions on any keytab file you create. The keytab must be recreated when the password of the technical user changes, because the keys in it are derived from that password and no longer match the account's current key.

A keytab file is created with the ktab command line tool shipped with the JRE, called with the following parameters:

    ktab -a <TECHUSER_USER_PRINCIPAL_NAME> -n 0 -append -k umc.keytab

For example:

    ktab -a aristechuser@MYDOMAIN.COM -n 0 -append -k umc.keytab

ktab prompts for the password of the technical user. Do not pass the password as an additional command line argument, where it would be recorded in the shell history. The realm part of the principal must be written in uppercase letters, exactly as it appears in the Kerberos configuration.
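The following PowerShell session is an added example, not part of the ARIS documentation; it runs steps 1 and 2 of the procedure (technical user, SPN) and creates and locks down the keytab in one go. It assumes the realm MYDOMAIN.COM with domain controller dc01.mydomain.com, an ARIS server at aris01.mydomain.com, a technical user named aristechuser, an ARIS service account MYDOMAIN\svc_aris that will read the keytab, the ActiveDirectory PowerShell module, and a JRE bin directory on the PATH; all of these names are placeholders. The SPN form HTTP/<host> is what browsers request for a web URL and is an assumption about the ARIS deployment.

```powershell
# Added example (not the ARIS product's own script). Run as a domain administrator on a
# domain-joined Windows host with the ActiveDirectory module and a JRE's bin on PATH.
# All names below are placeholders for this example.
$Realm     = 'MYDOMAIN.COM'                 # Kerberos realm: always uppercase
$DnsDomain = 'mydomain.com'                 # DNS name of the AD domain
$TechUser  = 'aristechuser'
$ArisFqdn  = 'aris01.mydomain.com'
$Upn       = "$TechUser@$DnsDomain"         # AD user principal name
$Principal = "$TechUser@$Realm"             # Kerberos principal written into the keytab
$Spn       = "HTTP/$ArisFqdn"               # SPN the browser asks the KDC for (assumed)
$Keytab    = Join-Path $PWD 'umc.keytab'
$ArisSvc   = "MYDOMAIN\svc_aris"            # account that runs ARIS and reads the keytab

# 1. Technical user. The password is typed once here and again at the ktab prompt, so it
#    never appears on a command line. It must not expire: the keytab breaks when it changes.
#    Restricting the account to AES stops the KDC issuing RC4 or DES tickets for it.
$Password = Read-Host -AsSecureString "Password for $Upn"
New-ADUser -Name $TechUser -SamAccountName $TechUser -UserPrincipalName $Upn `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'ARIS user management: Kerberos service account'

# 2. Register the SPN. setspn -S refuses to add a duplicate; two accounts carrying the same
#    SPN is the most common cause of "KRB_AP_ERR_MODIFIED" style failures in the browser.
setspn -S $Spn "MYDOMAIN\$TechUser"
setspn -L $TechUser                          # show what is now registered on the account

# 3. Keytab, with the parameters from the ARIS documentation. ktab prompts for the password;
#    the keys it writes are derived for the encryption types in the krb5.conf it reads.
ktab -a $Principal -n 0 -append -k $Keytab
ktab -l -e -k $Keytab                        # check: principal, KVNO and key types present

# 4. Anyone who can read the keytab can impersonate the service. Drop inherited ACEs and
#    grant read to the ARIS service account only; administrators keep full control.
icacls $Keytab /inheritance:r /grant:r "${ArisSvc}:(R)" "BUILTIN\Administrators:(F)"
(Get-Acl $Keytab).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

Copy umc.keytab to the ARIS server over an encrypted channel and delete the working copy; after any password change on the technical user, repeat step 3 and redeploy the file.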

Configuration options in ARIS Administration

You need to configure SSO for the servers.

Prerequisite

You have the Technical configuration administrator function privilege.

Procedure

  1. Start ARIS Connect.
  2. Click Application launcher > Administration. The Administration view opens.
  3. Click Configuration.
  4. Click the arrow next to Kerberos.
  5. Activate the General configuration category.

    If you do not have a Kerberos configuration file, take the krb5.conf from your installation media under Add-ons\Kerberos. Name it, for example, krb5.conf, add the following lines, and adjust the configuration to meet your requirements.

    [libdefaults]
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5

    These lists enable legacy encryption types alongside AES. DES (des-cbc-*) is disabled by default in current JDKs and domain controllers, and RC4 (rc4-hmac, arcfour-*) is a weak cipher. Remove the entries your domain does not need, ideally keeping only aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

  6. To upload the configuration file, click Upload under the Configuration file field. You find this file on your installation medium under Add-ons\Kerberos.
  7. Click Edit.
  8. Enable Use Kerberos.
  9. In the Principal field, enter the technical user name given by the administrator.

    The value must match the principal in the keytab exactly, including case. If the Service Principal Name in the keytab is, for example, mypc01@MY.DOMAIN.COM, the property com.company.aris.umc.kerberos.servicePrincipalName must contain mypc01@MY.DOMAIN.COM, exactly as specified in the keytab file.

  10. In the Realm field, configure the realm for the Kerberos service. Enter the fully qualified domain name in uppercase letters.

    Example: MYDOMAIN.COM.

  11. In the KDC field, configure the fully qualified host name of the KDC to be used (in a Windows domain, a domain controller).
  12. Optional:
    1. Click Advanced settings.
    2. Enable Debug output.

      The debug output of the program that the user wishes to log into is saved in the file system.out of the respective program. For user management, for example, this is located in the directory <ARIS installation directory>/work_umcadmin_m/base/logs.

You have configured SSO using Kerberos in ARIS Administration.
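As an added example that is not part of the installation media, the following krb5.conf is the hardened counterpart of the enctype lists in step 5: it permits AES only, so a KDC or attacker cannot steer the server into a DES or RC4 ticket. The realm MYDOMAIN.COM, the domain controller dc01.mydomain.com and the domain mydomain.com are placeholders; the [realms] and [domain_realm] sections are optional when the KDC is set in ARIS Administration, but keeping them makes the file usable by ktab and the JDK debug output as well.

```ini
# Added example (not the ARIS installation media file). Placeholders: MYDOMAIN.COM,
# dc01.mydomain.com, mydomain.com. Upload this as the Kerberos configuration file.
[libdefaults]
    default_realm = MYDOMAIN.COM
    # AES only. Listing des-* or rc4/arcfour types here would allow a downgrade to them.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # Refuse weak types even if a KDC offers them (the JDK default, stated explicitly).
    allow_weak_crypto = false
    # Use the configured KDC rather than DNS SRV lookups, so a spoofed DNS answer
    # cannot redirect ticket requests.
    dns_lookup_kdc = false
    # The server only validates tickets; it needs no forwardable credentials.
    forwardable = false

[realms]
    MYDOMAIN.COM = {
        kdc = dc01.mydomain.com
        admin_server = dc01.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
```

Two checks go with this file. The technical user must actually have AES keys (its msDS-SupportedEncryptionTypes attribute, set for example with Set-ADUser -KerberosEncryptionType AES128,AES256), otherwise the KDC answers with an unsupported encryption type error. And the keytab must contain AES keys: create it with this krb5.conf in place and confirm with ktab -l -e -k umc.keytab that aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96 entries are listed. If the JDK of the ARIS server is still limited to 128-bit keys, drop the aes256 entries rather than re-adding RC4.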

Client configuration

Configure the browser settings to allow SSO. SSO has been tested with the browsers listed below.

Prerequisite

You need to empty the Kerberos ticket cache on each client first, to avoid stale tickets if the Microsoft® Active Directory Domain Services configuration was changed. Delete the Kerberos ticket cache with the command klist purge. If klist is not available on the client computer, logging the user off the domain and on again also discards the cached tickets, because they belong to the logon session.

Microsoft® Internet Explorer®

Microsoft® Internet Explorer® uses Kerberos authentication automatically only for sites in the Local intranet security zone, so the ARIS Server must be assigned to that zone.

Procedure

  1. Start Microsoft® Internet Explorer®.
  2. Click Tools > Internet Options.
  3. Activate the Security tab and click Local Intranet.
  4. Click Sites, and select Advanced.
  5. Add the URL of the ARIS Server that was configured for SSO. Add the DNS host name and the IP address of the ARIS Server. Users should open ARIS by its DNS host name: Kerberos matches a host name to the registered service principal, so a URL containing an IP address usually falls back to NTLM or a password prompt.
  6. Optional: Clear the Require server verification (https:) for all sites in this zone check box. This is necessary only if the ARIS Server is reached over plain HTTP; leave it selected when ARIS is served over HTTPS.
  7. Click Close, and select OK.
  8. Click Custom level and make sure that no user-defined settings affect your new settings.
  9. Find the User Authentication section. Verify that the Automatic logon only in Intranet zone option is selected.
  10. Click OK.
  11. Close and restart Microsoft® Internet Explorer®.

Mozilla Firefox®

In Mozilla Firefox®, you define trusted sites by computer name, IP address, or a combination of both, as a comma-separated list. An entry with a leading dot, for example .mydomain.com, matches every host in that domain.

Procedure

  1. Start Mozilla Firefox®.
  2. Enter about:config in the address box and press Enter. Confirm a message, if required.
  3. Enter network.negotiate in the Search box and press Enter, if required.
  4. Double-click network.negotiate-auth.trusted-uris.
  5. Enter the computer name or the IP address of the ARIS Server that you configured for SSO, and click OK.
  6. Close and restart Mozilla Firefox®.
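The following PowerShell script is an added example, not part of the ARIS documentation; it applies the client prerequisites above and then checks that SSO really negotiated Kerberos rather than silently falling back to NTLM or a form login. It assumes ARIS is reachable at https://aris01.mydomain.com in the domain mydomain.com (placeholders) and runs as the domain user on a domain-joined Windows client. The zone assignment is written to the same registry zone map that the Internet Explorer® dialog edits; Chromium-based browsers on Windows consult that map too.

```powershell
# Added example (not the ARIS product's own script). Placeholders: aris01.mydomain.com,
# mydomain.com. Run as the logged-on domain user on a domain-joined client.
$ArisHost = 'aris01.mydomain.com'
$ArisUrl  = "https://$ArisHost/"
$Spn      = "HTTP/$ArisHost"                  # ticket name the browser requests (assumed)

# 1. Drop cached tickets, as the prerequisite requires, so a stale ticket cannot mask
#    a broken configuration or a changed SPN.
klist purge | Out-Null

# 2. Assign the ARIS host (by DNS name, not IP) to the Local intranet zone (zone 1) for
#    the current user. This is the registry form of Internet Options > Security > Sites.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mydomain.com\aris01'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# 3. One request with the logon session's credentials. -UseDefaultCredentials answers a
#    WWW-Authenticate: Negotiate challenge with SPNEGO, exactly as the browser would.
try {
    $resp = Invoke-WebRequest -Uri $ArisUrl -UseDefaultCredentials -UseBasicParsing
    "HTTP {0} from {1}" -f $resp.StatusCode, $ArisUrl
} catch {
    "Request failed: $($_.Exception.Message)"
}

# 4. The proof is a service ticket for HTTP/<host> in the cache. A 200 without it means
#    the server accepted NTLM or showed a login page, not Kerberos SSO.
$tickets = klist
if ($tickets -match [regex]::Escape($Spn)) {
    "Kerberos service ticket obtained for $Spn"
    $tickets | Select-String -Pattern ([regex]::Escape($Spn)) -Context 0, 5
} else {
    "No service ticket for ${Spn}: check the SPN registration, the zone assignment," +
    " and the clock skew between client and KDC (must be below 5 minutes)."
}
```

If step 4 reports a ticket but the ARIS login page still appears, the problem is on the server side (principal or keytab mismatch); enable the Debug output option in ARIS Administration and read the system.out of the user management runnable.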

If you want to use encryption stronger than AES-128 (that is, aes256-cts-hmac-sha1-96) and this is allowed in your country, replace the JCE policy files of the JDK of your ARIS Server with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files matching that JDK version. This removes the key length restriction. JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default, so this step is needed only for older JDKs.

If you cannot replace the policy files but still want to use SSO, configure an encryption type for Kerberos tickets that the JDK permits, for example AES-128, in the Kerberos configuration file. The technical user and the keytab must then support that type as well, otherwise the KDC issues tickets the server cannot decrypt.