|
To configure Single Sign-On via Kerberos, you need to configure your domain controller.
Open a command prompt and enter the following two commands:
setspn -a service/fqdn@REALM username ktpass /princ "service/fqdn@REALM" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser "username" |
The Service Principal Name service/fqdn@realm
is comprised of three parts. In this schema service
indicates the name of the software service. It is simply a name and can be something as HTTP, ldap or powerfolder. We recommend krbsrvpf
as the service name. The fqdn
ist the fully qualified domain name of the host where PowerFolder Server will be installed, e.g. pfserver.example.com
. The realm
is the same as the domain name of your Active Directory and should be written UPPERCASE, .e.g. EXAMPLE.COM
. The username
you've already created in the steps before.
After installing the PowerFolder Server on your machine, you need to set up a key table using the command prompt.
"C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab" -k C:\ProgramData\PowerFolder\keytab -a "krbsrvpf/pfserver.example.com@EXAMPLE.COM" -n 0 |
The command will ask you for a password. Please enter the same password you assigned when creating the user account in Active Directory.
Please verify that the file keytab
has been created in the C:\ProgramData\PowerFolder directory.
After creating the key table, you need to configure Kerberos SSO as an admin in the PowerFolder web interface:
EXAMPLE.COM
.dc1.example.com
.krbsrvpf/pfserver.example.com
.To user Single Sign-On via Kerberos on the client side, you need to start the installer with a command line option:
PowerFolder_Generic_Latest_Installer.exe /KERBEROS |
After the installation you can launch the client. It should now automatically log in to the PowerFolder Server.
At the end after all the steps above please reset the password of the user account in your active directory, where PowerFolder Server is installed!
Kerberos SSO doesn't work if the user belongs to the administrators group on the machine!