{"id":28406,"date":"2024-03-19T11:42:56","date_gmt":"2024-03-19T08:42:56","guid":{"rendered":"https:\/\/trueconf.com/blog\/?p=28406"},"modified":"2024-10-04T19:50:51","modified_gmt":"2024-10-04T16:50:51","slug":"configuration-of-kerberos-sso-in-trueconf-server","status":"publish","type":"post","link":"https:\/\/trueconf.com/blog\/knowledge-base\/configuration-of-kerberos-sso-in-trueconf-server","title":{"rendered":"Configuration of Kerberos SSO in TrueConf Server"},"content":{"rendered":"<p>TrueConf Server supports password-free authentication with the help of single sign-on technology and the Kerberos protocol. This feature will be available if the integration with a <a href=\"https:\/\/trueconf.com\/blog\/wiki\/active-directory-ldap\" target=\"_blank\" rel=\"noopener\">directory service is configured via LDAP<\/a>. Read <a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-setup-user-data-synchronization-between-trueconf-server-and-active-directory.html\" target=\"_blank\" rel=\"noopener\">this article<\/a> to take a look at some examples.<\/p>\n<p><!--more--><\/p>\n<p>The overall guideline for setting up Kerberos SSO includes the following steps:<\/p>\n<ol>\n<li>Add SPN (more details below).<\/li>\n<li>Generate a keytab file.<\/li>\n<li>Apply settings on the server side.<\/li>\n<\/ol>\n<p>In the context of Kerberos SSO, it is important to understand the meaning of <b>Service Principal Name (SPN)<\/b>. What is it? <b>SPN<\/b> is the unique identifier of a service instance. In our case TrueConf Server acts as such a service for the domain controller. SPN consists of several parts:<\/p>\n<pre class=\"lang:default decode:true \">protocol\/server.name@DOMAIN<\/pre>\n<p>The <a href=\"https:\/\/trueconf.com\/docs\/server\/en\/admin\/registration\/#server-name\" target=\"_blank\" rel=\"noopener\">public server name<\/a> specified during registration should be used as <code>service.name<\/code>.<\/p>\n<p><b>Example:<\/b><\/p>\n<pre class=\"lang:default decode:true\">trueconf\/video.example.com@EXAMPLE.COM<\/pre>\n<p>The examples described in this article will be based on the use of the command line. However, you can also use GUI.<\/p>\n<div id=\"ez-toc-container\" class=\"counter-hierarchy ez-toc-transparent\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class=\"ez-toc-list ez-toc-list-level-1\"><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/trueconf.com/blog\/knowledge-base\/configuration-of-kerberos-sso-in-trueconf-server#Active_Directory\" title=\"Active Directory\">Active Directory<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/trueconf.com/blog\/knowledge-base\/configuration-of-kerberos-sso-in-trueconf-server#FreeIPA\" title=\"FreeIPA\">FreeIPA<\/a><\/li><\/ul><\/nav><\/div>\n<h2>Active Directory<span class=\"ez-toc-section\" id=\"Active_Directory\"><\/span><\/h2>\n<p>In Active Directory (AD) the service principal name (SPN) is linked either to the computer account or user account. We urge you not to link the SPN to the machine where TrueConf Server is deployed because it may have an adverse effect on its work in the domain. To ensure correct work, you will need to create a separate account with certain parameters:<\/p>\n<ul>\n<li>Password change is prohibited<\/li>\n<li>Password lifetime is not restricted.<\/li>\n<\/ul>\n<p>This precaution is very important because otherwise it will be necessary to generate new keytab files linked to the user if the password is either changed or expires.<\/p>\n<p>To configure Kerberos SSO, take these steps:<\/p>\n<ol>\n<li>Run PowerShell as the administrator and import the module for working with the AD service:\n<pre class=\"lang:ps decode:true \">Import-Module ActiveDirectory<\/pre>\n<\/li>\n<li>Assign required values to the following variables:\n<pre class=\"lang:ps decode:true \">$Username = \"kb_user\" # Username\r\n$Password = \"UserPassword!\"# User password\r\n$DisplayName = \"KB_USER\" # User display name\r\n$Path = \"OU=Users,DC=yourdomain,DC=loc\" # Path to the organizational unit where the user will be created.<\/pre>\n<\/li>\n<li>Run this command to create a new service user based on the specified variables:\n<pre class=\"lang:ps decode:true\">New-ADUser -Name $DisplayName -SamAccountName $Username -Path $Path -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true<\/pre>\n<\/li>\n<li>Add an SPN and link it to the created user:\n<pre class=\"lang:ps decode:true \">setspn -U -S trueconf\/server.name@yourdomain.loc $Username<\/pre>\n<\/li>\n<li>Generate a keytab file:\n<pre class=\"lang:ps decode:true\">ktpass -princ trueconf\/server.name@YOURDOMAIN.LOC -mapuser $Username -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass $Password -target yourdomain.loc -out \u0421:\\yourdomain.keytab<\/pre>\n<\/li>\n<\/ol>\n<p>Then, go to the TrueConf control panel and configure Kerberos SSO as it is <a href=\"https:\/\/docs.trueconf.com\/server\/en\/admin\/web-config\/#authentication\" target=\"_blank\" rel=\"noopener\">described in the documentation<\/a>.<\/p>\n<h2>FreeIPA<span class=\"ez-toc-section\" id=\"FreeIPA\"><\/span><\/h2>\n<p>In FreeIPA SPN is linked to the current server instance, in other words, to the existing A record of the DNS server. So, if the TrueConf Server instance has not been added, it is the right time to do it. To configure SSO via Kerberos:<\/p>\n<ol>\n<li>Open the terminal and get a ticket (kerberos-ticket) with this command:\n<pre class=\"lang:zsh decode:true \">kinit admin # username of the domain administrator<\/pre>\n<\/li>\n<li>Assign required values to the following variables (without spaces):\n<pre class=\"lang:zsh decode:true\">IP_ADDRESS=10.10.10.10 # service IP address (TrueConf Server instance)\r\nTRUECONF=video.example.net # Full domain name of the server\r\nFREEIPA=freeipa.example.lan # Full domain name of the domain controller<\/pre>\n<\/li>\n<li>Add the TrueConf Server instance with the specified variables by running the command:\n<pre class=\"lang:zsh decode:true \">sudo ipa host-add --force --ip-address=$IP_ADDRESS $TRUECONF<\/pre>\n<\/li>\n<li>Add the SPN service:\n<pre class=\"lang:zsh decode:true\">sudo ipa service-add trueconf\/$TRUECONF<\/pre>\n<\/li>\n<li>To generate a keytab file, run the command:\n<pre class=\"lang:zsh decode:true \">sudo ipa-getkeytab -s $FREEIPA -p trueconf\/$TRUECONF -k trueconf.keytab<\/pre>\n<\/li>\n<\/ol>\n<p>Then go to the TrueConf Server control panel and configure Kerberos SSO as it is <a href=\"https:\/\/docs.trueconf.com\/server\/en\/admin\/web-config\/#authentication\" target=\"_blank\" rel=\"noopener\">described in the documentation<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TrueConf Server supports password-free authentication with the help of single sign-on technology and the Kerberos protocol. This feature will be available if the integration with a directory service is configured via LDAP. Read this article to take a look at some examples.<\/p>\n","protected":false},"author":55,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[260],"tags":[186],"_links":{"self":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406"}],"collection":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/comments?post=28406"}],"version-history":[{"count":3,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406\/revisions"}],"predecessor-version":[{"id":31675,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406\/revisions\/31675"}],"wp:attachment":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/media?parent=28406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/categories?post=28406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/tags?post=28406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}