...
- Create a user account in your Active Directory, named after the machine, where PowerFolder Server will be installed.
- Set a password for the new user account.
- Right-click the user account and go to Properties > Account > Account options and enable the checkbox for This account supports Kerberos AES 128 bit encryption.
Open a command prompt and enter the following two commands:
Code Block title Configuration of the Domain Controller setspn -a service/fqdn@REALM username ktpass /princ "service/fqdn@REALM" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser "username"
The Service Principal Name service/fqdn@realmis comprized is comprised of three parts. In this schemaserviceindicates the name of the software service. It is simply a name and can be something as httpHTTP, ldap or powerfolder. We recommendkrbsrvpfas the service name. Thefqdnist the fully qualified domain name of the host where PowerFolder Server will be installed, e.g.pfserver.example.com. Therealmis the same as the domain name of your Active Directory and should be written UPPERCASE, .e.g.EXAMPLE.COM. Theusernameyou've already created in the steps before.
That's it for the domain controller configuration.
...
| Code Block | ||
|---|---|---|
| ||
"C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab" -k C:\ProgramData\PowerFolder\keytab -a "krbsrvpf/pfserver.example.com@EXAMPLE.COM" -n 0 |
The command will ask you for a password. Please enter the same password you assigned when creating the user account in Active Directory.
Please verify that the file keytab has been created in the C:\ProgramData\PowerFolder directory.
...
After the installation you can launch the client. It should now automatically log in to the PowerFolder Server.
At the end after all the steps above please reset the password of the user account in your active directory, where PowerFolder Server is installed!
Kerberos SSO doesn't work if the user belongs to the administrators group on the machine!