How to configure Single-Sign-On For KATA 4.1/5+ [KATA/KEDRE]


This is an example of step-by-step instructions for configuring Single Sign-On (SSO) for KATA 4.1/5.0 in the HOME.LAB domain.

Prerequisites

  • The deployed Central Node server name should be an FQDN (in the current case the FQDN of the Central Node is kata-cn.home.lab).
    It can be checked via Settings/Network Settings of the Central Node.
  • A and PTR records should be set for the Central Node in DNS.
  • A domain user account should be created to set up Kerberos authentication by means of a keytab file (in the current case the domain user account is kata-sign-on).
  • The AES256-SHA1 encryption algorithm should be enabled for the created domain user account.

Step-by-step guide to create keytab file

On Domain Controller:

  1. Launch CMD as Administrator.
  2. Execute the following command to create the keytab file:

    C:\Windows\system32\ktpass.exe -princ HTTP/kata-cn.home.lab@HOME.LAB -mapuser kata-sign-on@HOME.LAB -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\TEMP\kata-sgn-on.keytab

    The utility requests the kata-sign-on user password when executing the command.
    The SPN of the selected server is added to the created keytab file, and the generated salt is displayed on the screen: Hashing password with salt "<hash value>"

For multiple Central Node servers, save the "<hash value>" salt: it is needed to add an SPN for each subsequent Central Node server with the ktpass.exe utility.
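Before uploading the keytab to the Central Node it is worth confirming offline that the file really carries the expected SPN with an AES256 key and nothing weaker. The following check is an added example, not part of the original post and not Kaspersky's own code; it assumes the version-2 keytab layout (magic 0x0502, MIT format) that ktpass writes, and the sample keytabs it parses are constructed in-line with dummy key material rather than read from a real file.

```python
import struct

# Kerberos encryption type numbers (RFC 3961/3962); ktpass -crypto AES256-SHA1 writes etype 18
ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4, weak)",
}
AES256_SHA1 = 18
KRB5_NT_PRINCIPAL = 1  # name type written by -ptype KRB5_NT_PRINCIPAL


def _counted_octets(buf: bytes, off: int):
    """Read a keytab counted octet string: uint16 length, then that many bytes."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf: bytes) -> dict:
    """Parse one keytab entry body (everything after the int32 size prefix)."""
    (ncomp,) = struct.unpack(">H", buf[:2])
    off = 2
    realm, off = _counted_octets(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted_octets(buf, off)
        comps.append(comp.decode())
    name_type, timestamp, vno8 = struct.unpack(">IIB", buf[off:off + 9])
    off += 9
    (etype,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    key, off = _counted_octets(buf, off)
    kvno = vno8
    if off + 4 <= len(buf):  # optional 32-bit kvno overrides the 8-bit one
        (kvno,) = struct.unpack(">I", buf[off:off + 4])
    return {
        "principal": "/".join(comps) + "@" + realm.decode(),
        "name_type": name_type,
        "timestamp": timestamp,
        "kvno": kvno,
        "etype": etype,
        "key_len": len(key),
    }


def parse_keytab(data: bytes) -> list:
    """Parse a version-2 (0x0502) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:  # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def check_keytab(data: bytes, expected_spn: str) -> dict:
    """Report whether the keytab carries the expected SPN with an AES256 key, and any weak etypes."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_spn]
    weak = [e for e in entries if e["etype"] not in (17, 18)]
    return {
        "spn_present": bool(matching),
        "aes256": any(e["etype"] == AES256_SHA1 for e in matching),
        "weak_etypes": sorted({ETYPE_NAMES.get(e["etype"], str(e["etype"])) for e in weak}),
        "kvnos": sorted({e["kvno"] for e in matching}),
    }


def build_keytab(principal: str, realm: str, etype: int, key: bytes, kvno: int = 3) -> bytes:
    """Build a one-entry version-2 keytab (used here only to construct sample input)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample keytabs with dummy key material (not real keys)
GOOD_KEYTAB = build_keytab("HTTP/kata-cn.home.lab", "HOME.LAB", AES256_SHA1, b"\x11" * 32)
RC4_KEYTAB = build_keytab("HTTP/kata-cn.home.lab", "HOME.LAB", 23, b"\x22" * 16)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_KEYTAB), ("rc4", RC4_KEYTAB)):
        print(label, check_keytab(blob, "HTTP/kata-cn.home.lab@HOME.LAB"))
    # Against the file ktpass produced on the Domain Controller:
    # with open(r"C:\TEMP\kata-sgn-on.keytab", "rb") as fh:
    #     print(check_keytab(fh.read(), "HTTP/kata-cn.home.lab@HOME.LAB"))
```

Run it against the file produced by ktpass and expect spn_present and aes256 to be true with an empty weak_etypes list; an RC4 entry or a principal that does not match HTTP/<central-node-fqdn>@<REALM> means the -crypto or -princ argument was wrong and the Central Node will not be able to validate the browser's Kerberos ticket.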

On Central Node Web Interface

  1. Go to Settings/Users/Active Directory Integration.
  2. Add the created keytab file and check the result:
    1. The Keytab file status section shows "File which contains SPN for this server".
    2. The "The file contains" section shows HTTP/*****@*****.tld.
  3. Under the Users tab click Add and select Domain user account.
  4. Set the domain user as <username>@<domain>.

On client machine

The host should be joined to the same domain, and the domain user whose account was added to the Central Node should be logged in.

  1. Open Control Panel/Internet Options.
  2. Click on Security and select Local intranet.
  3. Click on Sites and then on Advanced.
  4. Add the FQDN of the Central Node: kata-cn.home.lab
  5. Close the windows.

Launch a web browser and open the web interface of the Central Node at https://kata-cn.home.lab:8443; it should open without asking for any login/password.
