Use Kerberos

Kerberos is a network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to each other securely. Kerberos is the recommended method for user authentication in Microsoft® Windows networks. In addition, it is widely used with Linux operating systems and is designed for use with all major platforms.

Procedure

  1. Start ARIS Connect.
  2. Click <user name> and select Administration.
  3. Click Configuration.
  4. Click User management.
  5. Click the arrow next to Kerberos.
  6. Activate the General configuration category.

    If you do not have a Kerberos configuration file, take the krb5.conf from your installation media under Add-ons\Kerberos. Name it, for example, krb5.conf, add the following lines, and adjust the configuration to meet your requirements.

    [libdefaults]
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5

  7. To upload the configuration file, click Upload under the Configuration file field.
  8. Click Edit.
  9. Enable Use Kerberos.
  10. In the Principal field, enter the technical user name given by the administrator.

    If the Service Principal Name in the keytab is, for example, mypc01@MY.DOMAIN.COM, the value of the property com.company.aris.umc.kerberos.servicePrincipalName must contain the Service Principal Name exactly as specified in the keytab file (same components, same realm, same letter case).

  11. In the Realm field, configure the realm for the Kerberos service. Enter the fully qualified domain name in uppercase letters.

    Example: MYDOMAIN.COM.

  12. In the KDC field, configure the fully qualified name of the KDC to be used.
  13. Optional:
    1. Click Advanced settings.
    2. Enable Debug output.

      The debug output of the program that the user wishes to log into is saved in the file system.out of the respective program. For user management, for example, this is located in the directory <ARIS installation directory>/work_umcadmin_m/base/logs.
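Two things in the procedure above are easy to get wrong and hard to debug from the server's system.out alone: the Principal field must match a keytab entry exactly (step 10), and the sample krb5.conf enctype lists include DES, 3DES and RC4 types, which are deprecated for Kerberos (DES by RFC 6649, 3DES and RC4 by RFC 8429) and are typically rejected by current KDCs. The following script is an added example, not ARIS code or part of the original procedure: it reads an MIT-format keytab (format version 0x0502, the format written by ktpass and ktutil), checks the configured principal against it, reports deprecated key types, and flags weak enctypes in the [libdefaults] section of a krb5.conf. The keytab bytes and the krb5.conf text are constructed inline with placeholder (all-zero) keys; the function names are this example's own.

```python
"""Pre-flight checks for a Kerberos SSO setup (added example, not ARIS code)."""
import struct

# Enctype numbers from RFC 3961 / RFC 4120 (subset used here).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
DEPRECATED = {1, 3, 16, 23}            # DES (RFC 6649), 3DES and RC4 (RFC 8429)
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")   # krb5.conf spellings


def _cstr(b: bytes) -> bytes:
    """Counted octet string as used in keytab entries: uint16 length + data."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, enctype, key) triples into an MIT keytab (0x0502).
    Only used here to construct sample data; keys are placeholders."""
    out = b"\x05\x02"
    for principal, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit key version=1
        body += struct.pack(">IIB", 1, 0, 1)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


def _take(body: bytes, off: int):
    (n,) = struct.unpack(">H", body[off:off + 2])
    return body[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data: bytes):
    """Return [(principal, enctype), ...] from an MIT keytab in format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        body = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _take(body, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _take(body, off)
            comps.append(c)
        off += 4 + 4 + 1                 # skip name_type, timestamp, vno8
        (enctype,) = struct.unpack(">H", body[off:off + 2])
        entries.append(("/".join(comps) + "@" + realm, enctype))
    return entries


def check_service_principal(keytab: bytes, configured: str):
    """Return (ok, problems) for the principal entered in the Principal field."""
    entries = parse_keytab(keytab)
    names = {p for p, _ in entries}
    problems = []
    if configured not in names:
        near = [n for n in names if n.lower() == configured.lower()]
        problems.append(f"principal differs only in case from keytab entry {near[0]}"
                        if near else "principal not found in keytab")
    weak = sorted({ENCTYPE_NAMES.get(e, str(e)) for p, e in entries
                   if p == configured and e in DEPRECATED})
    if weak:
        problems.append("keytab holds keys with deprecated enctypes: " + ", ".join(weak))
    return (not problems, problems)


def weak_enctypes_in_krb5conf(text: str):
    """Map each [libdefaults] enctype option to the deprecated names it lists."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if section == "libdefaults" and key.strip() in (
                "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
            weak = [e for e in value.split() if e.startswith(WEAK_PREFIXES)]
            if weak:
                found[key.strip()] = weak
    return found


# Constructed sample data: the page's example SPN with an AES-256 and an RC4 key.
SAMPLE_KEYTAB = build_keytab([("mypc01@MY.DOMAIN.COM", 18, bytes(32)),
                              ("mypc01@MY.DOMAIN.COM", 23, bytes(16))])
SAMPLE_KRB5CONF = """[libdefaults]
 default_tgs_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96 rc4-hmac
 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
 permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    print(check_service_principal(SAMPLE_KEYTAB, "mypc01@MY.DOMAIN.COM"))
    print(check_service_principal(SAMPLE_KEYTAB, "MYPC01@my.domain.com"))
    print(weak_enctypes_in_krb5conf(SAMPLE_KRB5CONF))
```

Run it against your real keytab (`open("aris.keytab", "rb").read()`) and the krb5.conf you are about to upload; an empty problem list and an empty weak-enctype map mean the Principal field and the enctype lists are consistent with what the KDC will accept. Keeping only the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 entries in the three enctype lines is the usual hardened form of the sample configuration.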

You have configured SSO using Kerberos in ARIS Administration.

You can use Kerberos with multiple LDAP systems.

Client configuration

Configure the browser settings to allow SSO. SSO has been tested with the browsers described in the following sections:

Prerequisite

You need to empty the Kerberos ticket cache of each client first, in order to avoid obsolete tickets if Microsoft® Active Directory Domain Services were changed. Delete the Kerberos ticket cache by executing the command klist.exe purge. If the purge program is not available on the client computer, you can also simply log off the client computer from the domain and log in again.

Microsoft® Internet Explorer®

Microsoft® Internet Explorer® supports Kerberos authentication only if the ARIS Server is part of your local intranet.

Procedure

  1. Start Microsoft® Internet Explorer®.
  2. Click Tools > Internet Options.
  3. Activate the Security tab and click Local Intranet.
  4. Click Sites, and select Advanced.
  5. Add the URL of the ARIS Server that was configured for SSO. Add the DNS host name and the IP address of the ARIS Server.
  6. Optional: Disable the Require server verification (https:) for all sites in this zone check box.
  7. Click Close, and select OK.
  8. Click Custom level and make sure that no user-defined settings affect your new settings.
  9. Find the User Authentication section. Verify whether the Automatic logon only in Intranet zone option is enabled.
  10. Click OK.
  11. Close and restart Microsoft® Internet Explorer®.

Mozilla Firefox®

In Mozilla Firefox®, you can define trustworthy sites using the computer name, IP address, or a combination of both. You can use wildcards.

Procedure

  1. Start Mozilla Firefox®.
  2. Enter about:config in the address box and press Enter. Confirm a message, if required.
  3. Enter network.negotiate in the Search box and press Enter, if required.
  4. Double-click network.negotiate-auth.trusted-uris.
  5. Enter the computer name or the IP address of the ARIS Server that you configured for SSO, and click OK.
  6. Close and restart Mozilla Firefox®.

If you prefer to use an encryption stronger than AES 128-bit and this is allowed in your country, replace the JCE policy file of the JDK of your ARIS Server with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6. This allows unlimited key length.

If you cannot replace the policy files but still want to use SSO, you need to use an encryption type for Kerberos tickets that the JDK allows, for example, AES 128-bit.