...
- Create a user account in your Active Directory, named after the machine, where PowerFolder Server will be installed.
- Set a password for the new user account.
- Right-click the user account and go to Properties > Account > Account options and enable the checkbox for "This account supports Kerberos AES 128 bit encryption".
Open a command prompt and enter the following two commands:
Configuration of the Domain Controller

```
setspn -a service/fqdn@REALM username
ktpass /princ "service/fqdn@REALM" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser "username"
```
The Service Principal Name `service/fqdn@realm` is comprised of three parts. In this schema `service` indicates the name of the software service. It is simply a name and can be something such as HTTP, ldap or powerfolder. We recommend `krbsrvpf` as the service name. The `fqdn` is the fully qualified domain name of the host where PowerFolder Server will be installed, e.g. `pfserver.example.com`. The `realm` is the same as the domain name of your Active Directory and should be written UPPERCASE, e.g. `EXAMPLE.COM`. The `username` is the account you've already created in the steps before.

That's it for the domain controller configuration.
...
```
"C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab" -k C:\ProgramData\PowerFolder\keytab -a "krbsrvpf/pfserver.example.com@EXAMPLE.COM" -n 0
```
The command will ask you for a password. Please enter the same password you assigned when creating the user account in Active Directory.
Please verify that the file `keytab` has been created in the `C:\ProgramData\PowerFolder` directory.
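The principal must be the same string in `setspn`, `ktpass` and `ktab`, and a lowercase realm or a short host name is easy to miss. The following PowerShell example is added here and is not part of the PowerFolder documentation: it checks a principal against the `service/fqdn@REALM` schema described above and then builds this page's three command lines from that one string. The function names `Test-PfSpn` and `Get-PfKerberosCommands` and the account name `pfserver` are assumptions made for illustration.

```powershell
# Added example; Test-PfSpn and Get-PfKerberosCommands are hypothetical helper names.
function Test-PfSpn {
    param([Parameter(Mandatory)][string]$Spn)
    $problems = @()
    # Case-sensitive match; named groups split the principal into its three parts.
    if (-not ($Spn -cmatch '^(?<service>[^/@\s]+)/(?<fqdn>[^/@\s]+)@(?<realm>[^/@\s]+)$')) {
        $problems += 'not in service/fqdn@REALM form'
    } else {
        # Copy the groups first: the next -match overwrites $Matches.
        $fqdn  = $Matches['fqdn']
        $realm = $Matches['realm']
        # The host part must be fully qualified: at least two dot-separated labels.
        if ($fqdn -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$') {
            $problems += "host '$fqdn' is not a fully qualified domain name"
        }
        # The realm has to be written in upper case.
        if ($realm -cne $realm.ToUpperInvariant()) {
            $problems += "realm '$realm' must be UPPERCASE"
        }
    }
    [pscustomobject]@{
        Spn      = $Spn
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-PfKerberosCommands {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$UserName,
        [string]$Ktab   = 'C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab',
        [string]$Keytab = 'C:\ProgramData\PowerFolder\keytab'
    )
    $check = Test-PfSpn -Spn $Spn
    if (-not $check.Valid) { throw "Invalid SPN '$Spn': $($check.Problems)" }
    # All three commands receive the identical principal string.
    [pscustomobject]@{
        SetSpn = "setspn -a $Spn $UserName"
        KtPass = "ktpass /princ `"$Spn`" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser `"$UserName`""
        KTab   = "`"$Ktab`" -k $Keytab -a `"$Spn`" -n 0"
    }
}

# Constructed sample input: the page's example principal plus two common mistakes.
'krbsrvpf/pfserver.example.com@EXAMPLE.COM', 'krbsrvpf/pfserver.example.com@example.com',
'krbsrvpf/pfserver@EXAMPLE.COM' | ForEach-Object { Test-PfSpn -Spn $_ } | Format-Table -AutoSize
Get-PfKerberosCommands -Spn 'krbsrvpf/pfserver.example.com@EXAMPLE.COM' -UserName 'pfserver' | Format-List
```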
...
After the installation you can launch the client. It should now automatically log in to the PowerFolder Server.
After completing all the steps above, please reset the password of the user account in your Active Directory that is named after the machine where PowerFolder Server is installed!
Kerberos SSO doesn't work if the user belongs to the administrators group on the machine!