Configuring Single Sign-On

This guide will lead you through an advanced configuration to enable Single Sign On functionality with Acronis Access.

Note: Single Sign On is only usable in a working domain.

The Single Sign-On functionality allows all valid LDAP users to login to the web interface and desktop client without having to enter their credentials. The user must have an Acronis Access account or LDAP Provisioning must be enabled on the server.

• For the Web Client, this works by Acronis Access displaying a link on the login page that when pressed, will log in the user with the account that he has used to login into his computer.
• For the Desktop Client, the users will only have to enter the Access server's URL. It will automatically log them in with the account that they have used to login into the computer.

  Note: This will work only for the Windows client. Mac support will come in a follow-up release.

On the Acronis Access Server

Configuring Single Sign-On:

Note: It is recommended that Acronis Access is installed by a domain administrator, but it is not mandatory.

Note: The Access Gateway server that is used for SSO MUST be installed on another machine. SSO will not work if the Gateway server is on the same machine as the Access Server.

You will have to edit 2 configuration files and enable the feature from the web interface.

Editing the web.xml file:

1. Navigate to C:\Program Files (x86)\Acronis\Access\Access Server\Web Application\WEB-INF\
2. Find and open the file web.xml. In this file you will set the domain username and password that the SSO service will run under. The account must match the account that you used to register the HTTP service with Kerberos in the On the Domain section above.
3. In web.xml there are two properties that need to be set - the domain username and password that the SSO service will use. Find the following lines:

       <init-param>

           <param-name>spnego.preauth.username</param-name>

           <param-value>yourusername</param-value>

       </init-param>

       <init-param>

           <param-name>spnego.preauth.password</param-name>

           <param-value>yourpassword</param-value>

       </init-param>

4. Replace yourusername with the desired LDAP username.
5. Replace yourpassword with the LDAP password for the LDAP account specified above.

Editing the krb5.conf file:

1. Navigate to C:\Program Files (x86)\Acronis\Access\Common\apache-tomcat-7.0.59\conf
2. Fnd and open the file krb5.conf  
3. In krb5.conf there are only two properties are needed from the administrator:
   1. The domain for single sign-on  (e.g., ACME.COM)

      Note: The domain in krb5.conf must always be in UPPERCASE or Kerberos ticket lookups may fail.

   2. The Kerberos Key Distribution Center's address (typically matches the address of your primary domain controller; e.g., acmedc.ACME.COM)
4. The krb5.conf file that we install looks like this:

       [libdefaults]

           default_realm = ACME.COM

           default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

           default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

           permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

       [realms]

           ACME.COM = {

               kdc = acmedc.ACME.COM

               default_domain = ACME.COM

       [domain_realm]

           .ACME.COM = ACME.COM

5. Replace all instances of ACME.COM with your domain (in uppercase!).
6. Replace the value for "kdc =" with the name of your domain controller. The domain must be written in uppercase. e.g. kdc = yourdc.YOURDOMAIN.COM
7. After the above configuration files are updated the Access Server (the Acronis Access Tomcat service) must be restarted in order for the changes to take effect.

Enabling Single sign-on in the web interface:

1. Open the Acronis Access web interface and log in as an administrator.
2. Expand the General Settings tab and open the LDAP page.
3. At the bottom of the page, enable the checkbox Allow log in from the web client and desktop sync client using existing Windows/Mac login credentials.
4. Press Save.

On the Domain

This is a one-time step that must be performed in order to register the Access Server with the Kerberos server on the domain. We will use 'setspn.exe' to specify which LDAP account will be queried for SSO authentication checks. This account will typically match the LDAP account specified by the administrator in the Acronis Access web interface at General Settings -> LDAP -> LDAP Username / LDAP Password, but this is not mandatory.

Configuring the LDAP account that will handle SSO

1. Open a command prompt.

   Note: You must be logged in with a domain account and have the rights to use setspn

2. Enter the command setspn –s HTTP/computername.domain.com account name

   e.g. If your Access server is installed on ahsoka.acme.com and you want to use john@acme.com as the pre-authenticated LDAP account to grant Kerberos tickets, the command will look like this:

   setspn -s HTTP/ahsoka.acme.com john

   Note: The LDAP account name used in the command above MUST match the account specified by the spnego.preauth.username property in web.xml. You will set this property in the On the Acronis Access Server section below.

3. If your Access server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number.

   e.g. If your server is running on port 444, the command will be:

   setspn -s HTTP/ahsoka.acme.com:444 john

   Note: The HTTP in the commands above refer to the HTTP service class, not the HTTP protocol. The HTTP service class handles both HTTP and HTTPS requests. You do not need to, and should NOT, create an SPN using HTTPS as a service class name.

Configuring the SPN for the Gateway Server

In order for the KDC ("Key Distribution Center") Kerberos server to be able to authenticate users to the gateway server, the gateway service must be registered with the KDC server by running setspn and specifying the hostname of the server on which it is running as the 'user' in the setspn command.

1. Open the command prompt.
2. Enter the following setspn command: setspn -s HTTP/computername.domain.com computername

   For example, if you gateway server is running on host 'cody' in the domain, run this command:

   setspn -s HTTP/cody.acme.com cody

3. If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444:

   setspn -s HTTP/cody.acme.com:444 cody.

4. Restart the Acronis Access Tomcat service.

Verify that the SPN is registered

To query whether the SPN is registered properly:

1. Open an elevated command prompt.
2. Enter the setspn –Q HTTP/computername.domain.com command.

   e.g. setspn -Q HTTP/ahsoka.acme.com

3. To query the SPNs registered to a particular domain user, use the -l (lowercase L) switch;

   e.g. setspn -l john

4. After registering the SPN, before you can authenticate to it with SSO you will need to either reboot the client machine or run this command on the client machine:

   klist purge

On the client's machine

There is a small configuration that must be made on the client machine, for your browser, in order to support Single Sign-On.

Windows:

Note: This needs to be done for each user on each machine.

For Internet Explorer:

• Open Internet Explorer and go to Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced and add the address of your Access server - e.g. https://ahsoka.acme.com (or just *.acme.com) and restart the browser.

For Chrome:

Chrome uses the same settings as Internet Explorer, so once you’ve configure it for SSO, Chrome will just work as well. However, to enable credential delegation, which is necessary for browsing network nodes from the Web interface, you must configure Chrome to allow it (Internet Explorer allows it by default):

1. Open the registry editor (regedit32.exe)
2. Set this registry string value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome : AuthNegotiateDelegateWhitelist = ahsoka.acme.com

   Note: You can use wildcards, like *.acme.com or just *.

   Note: You might need to create the Google\Chrome keys if they don't already exist.

3. Restart Chrome.

For Firefox:

1. Type about:config in the address bar and press enter.
2. Find and edit the preference network.negotiate-auth.trusted-uris and add https://ahsoka.acme.com , or just .acme.com, [the list is comma-separated].

   Note: To add all subdomains use the format ".example.com" (NOT *.example.com)

3. To enable Network Data Sources support, you will need to also edit network.negotiate-auth.delegation-uris by adding ahsoka.acme.com or just the domain name - acme.com.
4. Restart Firefox.

Mac:

Note: This needs to be done for each user on each machine.

For Safari:

It will just work, but you cannot use network data sources. You have to log in with a username and password or use a different browser.

For Firefox:

1. Type about:config in the address bar and press enter.
2. Find and edit the preference network.negotiate-auth.trusted-uris and add https://ahsoka.acme.com , or just .acme.com, [the list is comma-separated].

   Note: To add all subdomains use the format ".example.com" (NOT *.example.com)

3. To enable Network Data Sources support, you will need to also edit network.negotiate-auth.delegation-uris by adding ahsoka.acme.com or just the domain name - acme.com.

   Restart Firefox.

For Chrome:

1. Using the Ticket Viewer application (/System/Library/CoreServices/Ticket Viewer), you can check if you have a Kerberos ticket and create one if it hasn't been created automatically.

   Note: You also can create a ticket via the Terminal by entering kinit and then your password.

2. To configure Chrome's whitelist to allow authentication against any domains you will be using, open the Terminal and run the following commands:

   $ defaults write com.google.Chrome AuthServerWhitelist “*.acme.com”

   $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist “*.acme.com”

3. Restart the Chrome browser.