Kerberos Configuration

Some applications support single sign-on (SSO): the user does not have to enter their Windows (in most environments Active Directory / LDAP) credentials again; instead, the application takes the Kerberos ticket from the local Windows session and authenticates with it against the server, which in turn validates the ticket against the domain controller. The PowerFolder client supports Kerberos as well, and this page describes how to configure it.

Kerberos currently works only with Windows servers and Windows clients!

Domain Controller Configuration

To configure Single Sign-On via Kerberos, you need to configure your domain controller.

  1. Create a user account in your Active Directory, named after the machine on which PowerFolder Server will be installed.
  2. Set a password for the new user account.
  3. Right-click the user account and go to Properties > Account > Account options and enable the checkbox for This account supports Kerberos AES 128 bit encryption.
  4. Open a command prompt and enter the following two commands:

    Configuration of the Domain Controller
    setspn -a service/fqdn@REALM username
    ktpass /princ "service/fqdn@REALM" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser "username"

    (info) The Service Principal Name service/fqdn@realm consists of three parts. In this schema, service is the name of the software service. It is simply a name and can be something like HTTP, ldap or powerfolder; we recommend krbsrvpf as the service name. The fqdn is the fully qualified domain name of the host where PowerFolder Server will be installed, e.g. pfserver.example.com. The realm is the same as the domain name of your Active Directory and should be written in UPPERCASE, e.g. EXAMPLE.COM. The username is the account you created in the steps above.

  5. (tick) That's it for the domain controller configuration.

Service Host Configuration

After installing the PowerFolder Server on your machine, you need to set up a key table using the command prompt.

Configuration of the Service Host
"C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab" -k C:\ProgramData\PowerFolder\keytab -a "krbsrvpf/pfserver.example.com@EXAMPLE.COM" -n 0

(info) The command will ask you for a password. Please enter the same password you assigned when creating the user account in Active Directory.

(warning) Please verify that the file keytab has been created in the C:\ProgramData\PowerFolder directory.

After creating the key table, you need to configure Kerberos SSO as an admin in the PowerFolder web interface:

  1. Log in to the web interface as an admin.
  2. Click on Preferences > Authentication > Kerberos.
  3. Enable the checkbox for Enable Single Sign-On via Kerberos.
  4. Enter the realm in the Domain name field (needs to be UPPERCASE), e.g. EXAMPLE.COM.
    Enter the fully qualified domain name of your domain controller in the Key Distribution Center field, e.g. dc1.example.com.
    Enter the service principal name you've created before without the realm in the Service Principal Name field, e.g. krbsrvpf/pfserver.example.com.
  5. Save the preferences and restart the service.

Client Configuration

To use Single Sign-On via Kerberos on the client side, you need to start the installer with a command line option:

Installer command line option for Kerberos
PowerFolder_Generic_Latest_Installer.exe /KERBEROS

After the installation you can launch the client. It should now automatically log in to the PowerFolder Server.

(warning) After completing all the steps above, please reset the password of the Active Directory user account you created for the machine on which PowerFolder Server is installed!

(error) Kerberos SSO does not work if the user belongs to the Administrators group on the machine!
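The following PowerShell script is an added verification aid, not part of the PowerFolder documentation or product: it checks the prerequisites from the steps above (uppercase realm, registered SPN, AES 128 on the account, keytab present, the local-administrator restriction, and a cached service ticket). The account name pfserver is an assumption following the "named after the machine" rule; the SPN, realm and keytab path are the example values from this page.

```powershell
# Added verification script (not PowerFolder's own code). Assumed values follow
# the example on this page: AD account "pfserver" (named after the host),
# SPN krbsrvpf/pfserver.example.com, realm EXAMPLE.COM, keytab path from above.
# Run in PowerShell on the service host as the Windows user who should get SSO.
param(
    [string]$Account = 'pfserver',
    [string]$Spn     = 'krbsrvpf/pfserver.example.com',
    [string]$Realm   = 'EXAMPLE.COM',
    [string]$Keytab  = 'C:\ProgramData\PowerFolder\keytab'
)

function Report([string]$Name, [bool]$Ok, [string]$Hint) {
    if ($Ok) { Write-Output "[OK]   $Name" } else { Write-Output "[FAIL] $Name -> $Hint" }
}

# 1. The realm must be UPPERCASE, both in the ktab principal and in the web interface.
Report 'Realm is UPPERCASE' ($Realm -ceq $Realm.ToUpperInvariant()) "use $($Realm.ToUpperInvariant())"

# 2. setspn -L lists the SPNs registered on the account; the one from setspn -a must be there.
$registered = & setspn -L $Account 2>&1 | Out-String
Report 'SPN registered on account' ($registered -match [regex]::Escape($Spn)) "setspn -a $Spn@$Realm $Account"

# 3. AES 128 must be allowed on the account (bit 0x8 of msDS-SupportedEncryptionTypes),
#    matching /crypto AES128-SHA1 in the ktpass command.
$user = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$Account))").FindOne()
$encTypes = @($user.Properties['msds-supportedencryptiontypes'])
$aes128 = ($encTypes.Count -gt 0) -and (([int]$encTypes[0] -band 0x8) -ne 0)
Report 'AES 128 enabled on account' $aes128 'tick "This account supports Kerberos AES 128 bit encryption"'

# 4. The key table written by ktab must exist and be non-empty.
$keytabOk = (Test-Path -LiteralPath $Keytab) -and ((Get-Item -LiteralPath $Keytab).Length -gt 0)
Report 'Keytab present' $keytabOk "re-run ktab -k $Keytab -a $Spn@$Realm"

# 5. SSO does not work for local administrators: look for the built-in
#    Administrators group (S-1-5-32-544) in the current token.
$isLocalAdmin = (& whoami /groups | Out-String) -match 'S-1-5-32-544'
Report 'User is not a local administrator' (-not $isLocalAdmin) 'test with a non-admin domain user'

# 6. After a client login the ticket cache should hold a service ticket for the SPN.
$ticketFound = (& klist | Out-String) -match [regex]::Escape($Spn)
Report 'Service ticket for SPN in cache' $ticketFound 'log in with the client, then run klist again'
```

Check 6 is only meaningful after the client has attempted a login; a FAIL before that simply means no ticket has been requested yet.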