Kerberos Configuration for SSO

< enportal | 5.6 | admin | user administration | sso

Page Contents

1. Overview

Kerberos authentication differs from basic, NTLM, and custom (application specific) authentication as enPortal also needs to communicate both with the proxied web application and the Kerberos authentication server as shown in the diagram below.

For configuration purposes managing SSO tokens is exactly the same as for the other authentication types. Kerberos does require an additional configuration file however which contains details about the authentication Domain and servers.

SSO with Kerberos

2. Configuring Kerberos

2.1. Pre-requisite

enPortal must be able to communicate with the KDC as configured in the Server Configuration below. By default this would require access from the enPortal server to the KDC on port 88.

2.2. Server Configuration: krb5.conf

For enPortal to perform Kerberos authentication it requires information about the authentication realm / domain and the actual kerberos servers to communicate with.

  1. Create or edit the file: [INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/krb5.conf
  2. Use the following as a basic template and update the details to reflect the installation environment:
      default_realm = AD.EXAMPLE.NET
      udp_preference_limit = 1
      AD.EXAMPLE.NET = {
          kdc = KDC.AD.EXAMPLE.NET
  1. Restart enPortal.

By default this file is automatically included in full system backups.

2.3. Managing SSO

The steps for managing SSO tokens at this point are the same as for the other authentication types, refer to the main SSO documentation for further information.

2.4. Additional Logging

When setting up Kerberos for the first time, or trying to understand authentication issues, it may be useful to turn on additional logging:

  1. Create or edit the file: [INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/
  2. Add the following on a new line: crs.kerberos.debug=true
  3. Save the file.
  4. Restart enPortal.

With this flag enabled a lot of additional debug information will be logged to catalina.out. This setting should not be used in production.