How to configure Single-Sign-On For KATA 4.1/5+/6+ [KATA/KEDRE]
This is an example of step-by-step instructions to configure Single-Sign-On (SSO) for KATA 4.1/5+/6+ in the HOME.LAB domain.
Prerequisites
- The deployed Central Node server name should be an FQDN (in the current case the FQDN of the Central Node is kata-cn.home.lab). It can be checked via Settings/Network Settings of the Central Node.
- A and PTR records should be set for the Central Node in DNS.
- A Domain User Account should be created to set up Kerberos authentication by means of a keytab file (in the current case the Domain User Account is kata-sign-on).
- The AES256-SHA1 encryption algorithm should be enabled for the created Domain User Account.
Step-by-step guide to create keytab file
On Domain Controller:
- Launch CMD As Administrator
- Execute the following command to create the keytab file:
C:\Windows\system32\ktpass.exe -princ HTTP/kata-cn.home.lab@HOME.LAB -mapuser kata-sign-on@HOME.LAB -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\TEMP\kata-sgn-on.keytab
The utility requests the kata-sign-on user password when executing the command.
The SPN of the selected server is added to the created keytab file. The generated salt is displayed on the screen: Hashing password with salt "<hash value>"
For multiple Central Node servers, save the "<hash value>" shown in the hashing output; it is needed later to add an SPN for each subsequent Central Node server using the ktpass.exe utility.
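Before uploading, the keytab can be checked offline for the two things the Central Node relies on: the HTTP/<FQDN>@<REALM> principal and the AES256-SHA1 key type. The Python code below is an added example, not part of the original article or of Kaspersky tooling; it assumes the MIT keytab layout (version 0x0502) for the file written by ktpass.exe, and the function names and the sample bytes are constructed for illustration.

```python
import struct

AES256 = 18  # Kerberos etype aes256-cts-hmac-sha1-96 (ktpass -crypto AES256-SHA1)

def _counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, etype, kvno)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted entry
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen              # 13 header bytes, then the key itself
        if len(rec) - off >= 4:       # optional 32-bit kvno overrides if non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, etype, kvno))
    return entries

def check_keytab(data, fqdn, realm):
    """Return a list of problems; an empty list means the keytab matches."""
    want = f"HTTP/{fqdn}@{realm}"
    entries = parse_keytab(data)
    etypes = [etype for name, etype, _ in entries if name == want]
    if not etypes:
        return [f"no entry for {want}; found {sorted({e[0] for e in entries})}"]
    if AES256 not in etypes:
        return [f"{want} has etypes {etypes}, none is AES256-SHA1 ({AES256})"]
    return []

# Constructed sample: one entry, kvno 3, all-zero 32-byte key (not a real key).
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", 85) + b"\x00\x02\x00\x08HOME.LAB"
                 + b"\x00\x04HTTP\x00\x10kata-cn.home.lab"
                 + struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(32) + struct.pack(">I", 3))
```

To check a real file, call check_keytab(open(path, "rb").read(), "kata-cn.home.lab", "HOME.LAB"); a mistyped -princ value or a different -crypto setting shows up as a non-empty result.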
On Central Node Web Interface
- Go to Settings/Users/Active Directory Integration
- Add the created keytab file:
  - Keytab file status section contains File which contains SPN for this server
  - The file contains section HTTP/*****@*****.tld
- Under Users tab click Add and select Domain user account.
- Set domain user as <username>@<domain>
On client machine
The host should be joined to the same domain. The domain user should be logged in with the account added to the Central Node.
- Open Control Panel/Internet Options
- Click on Security and select Local Intranet
- Click on Sites and then on Advanced
- Add FQDN of central node - kata-cn.home.lab
- Close the windows.
Launch a web browser and open the Web Interface of the Central Node at https://kata-cn.home.lab:8443; it should open without asking for any Login/Password.