Kerberos Configuration
Some applications support single sign-on (SSO) for users, so they don't have to enter their Windows (in most environments Active Directory / LDAP) credentials again. Instead the application takes the Kerberos ticket from the local Windows session and uses it to authenticate against the server, which in turn validates the ticket against the domain controller. The PowerFolder client supports Kerberos as well, and this page describes how to configure it.
Kerberos only works on Windows servers and with Windows clients at the moment!
Domain Controller Configuration
To configure Single Sign-On via Kerberos, you need to configure your domain controller.
- Create a user account in your Active Directory, named after the machine, where PowerFolder Server will be installed.
- Set a password for the new user account.
- Right-click the user account and go to Properties > Account > Account options and enable the checkbox for This account supports Kerberos AES 128 bit encryption.
Open a command prompt on the domain controller and enter the following two commands:
setspn -a service/fqdn@REALM username
ktpass /princ "service/fqdn@REALM" /ptype KRB5_NT_SRV_HST /crypto AES128-SHA1 /mapuser "username"
The Service Principal Name
service/fqdn@REALM
is comprised of three parts. In this schema:
- service indicates the name of the software service. It is simply a name and can be something such as HTTP, ldap or powerfolder. We recommend krbsrvpf as the service name.
- fqdn is the fully qualified domain name of the host where PowerFolder Server will be installed, e.g. pfserver.example.com.
- REALM is the same as the domain name of your Active Directory and should be written in UPPERCASE, e.g. EXAMPLE.COM.
- username is the user account you've already created in the steps before.
That's it for the domain controller configuration.
Service Host Configuration
After installing the PowerFolder Server on your machine, you need to set up a key table using the command prompt.
"C:\Program Files\PowerFolder.com\PowerFolder-Server\jre\bin\ktab" -k C:\ProgramData\PowerFolder\keytab -a "krbsrvpf/pfserver.example.com@EXAMPLE.COM" -n 0
The command will ask you for a password. Please enter the same password you assigned when creating the user account in Active Directory.
Please verify that the file keytab has been created in the C:\ProgramData\PowerFolder directory.
After creating the key table, you need to configure Kerberos SSO as an admin in the PowerFolder web interface:
- Login as an admin to the web interface.
- Click on Preferences > Authentication > Kerberos.
- Enable the checkbox for Enable Single Sign-On via Kerberos.
- Enter the realm in the Domain name field (needs to be UPPERCASE), e.g. EXAMPLE.COM.
- Enter the fully qualified domain name of your domain controller in the Key Distribution Center field, e.g. dc1.example.com.
- Enter the service principal name you've created before without the realm in the Service Principal Name field, e.g. krbsrvpf/pfserver.example.com.
- Save the preferences and restart the service.
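The keytab written by ktab and the values entered in the web interface have to agree: same service principal, same realm in UPPERCASE, and an AES128 key because that is the encryption type enabled on the account. The following Python script is an added example (not PowerFolder's own code) that parses a keytab in the MIT format (version 0x0502, which the JRE's ktab writes) and reports any mismatch against the Domain name and Service Principal Name settings. The embedded sample keytabs are constructed here with dummy all-zero key material; the path, principal and realm are the ones used on this page and are assumptions for the example.

```python
"""Check a keytab written by ktab against the PowerFolder Kerberos settings.
Added example with constructed sample data; not part of PowerFolder."""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / RFC 3962 / RFC 4757)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
AES128 = 17  # the type enabled by "This account supports Kerberos AES 128 bit encryption"


@dataclass
class KeytabEntry:
    principal: str   # service/fqdn without the realm, as entered in the web interface
    realm: str
    name_type: int
    kvno: int
    enctype: int


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string (keytab 'counted string')."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT-format (version 0x0502) keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:             # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", entry, p)
        p += 4 + keylen           # skip the key material; only metadata is checked
        kvno = vno8
        if len(entry) - p >= 4:   # optional 32-bit kvno extension overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps), realm.decode(), name_type, kvno, enctype))
    return entries


def check_keytab(data: bytes, spn_field: str, domain_field: str,
                 enctype: int = AES128) -> list[str]:
    """Return the problems found; an empty list means keytab and settings agree."""
    problems = []
    if domain_field != domain_field.upper():
        problems.append(f"Domain name must be UPPERCASE, got {domain_field!r}")
    if "@" in spn_field:
        problems.append(f"Service Principal Name must not include the realm: {spn_field!r}")
    entries = parse_keytab(data)
    hits = [e for e in entries if e.principal == spn_field and e.realm == domain_field]
    if not hits:
        have = sorted(f"{e.principal}@{e.realm}" for e in entries)
        problems.append(f"no keytab entry for {spn_field}@{domain_field}; keytab holds {have}")
    elif not any(e.enctype == enctype for e in hits):
        got = [ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in hits]
        problems.append(f"no {ENCTYPE_NAMES[enctype]} key for the principal; keytab has {got}")
    return problems


def build_entry(spn: str, realm: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Serialise one keytab entry (used only to construct the samples below)."""
    comps = spn.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type NT-PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed samples (dummy zero keys): one AES128 keytab as expected, one with only an RC4 key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("krbsrvpf/pfserver.example.com", "EXAMPLE.COM", AES128, 0, bytes(16))
RC4_ONLY_KEYTAB = b"\x05\x02" + build_entry("krbsrvpf/pfserver.example.com", "EXAMPLE.COM", 23, 0, bytes(16))

if __name__ == "__main__":
    # usage: python keytab_check.py C:\ProgramData\PowerFolder\keytab krbsrvpf/pfserver.example.com EXAMPLE.COM
    keytab_path, spn, domain = sys.argv[1:4]
    with open(keytab_path, "rb") as f:
        issues = check_keytab(f.read(), spn, domain)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the keytab from the step above with the exact strings you plan to enter in the web interface; "OK" means the principal and realm are present with an AES128 key, otherwise each line names the setting to correct.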
Client Configuration
To use Single Sign-On via Kerberos on the client side, you need to start the installer with a command line option:
PowerFolder_Generic_Latest_Installer.exe /KERBEROS
After the installation you can launch the client. It should now automatically log in to the PowerFolder Server.
After completing all the steps above, reset the password of the user account in your Active Directory that you created for the machine where PowerFolder Server is installed!
Kerberos SSO doesn't work if the user belongs to the Administrators group on the machine!