For Load Balanced environments

The Gateway Server can perform Negotiate/Kerberos HTTP authentication itself, in user mode, instead of leaving it to the web server. This is required for SSO to work when the Gateway(s) run behind a load balancer: clients address the load balancer's name, so the Kerberos ticket they present is for a service principal that belongs to the cluster, not to any single gateway's computer account.

To enable this feature, open the web interface and go to Mobile Access -> Gateway Servers, click Edit for the cluster group, go to Advanced and enable the checkbox "Perform Negotiate/Kerberos authentication in user-mode".

Enabling Network Nodes

In order to access Network nodes from the web client while using SSO, several changes are required. Because the Gateway Servers run behind a load balancer, the Kerberos service principal must be registered on a user account rather than on each server's computer account: an SPN may exist only once in the forest, and the load balancer's name is shared by every gateway.

For this to work, the Gateway services must run under that user account. You can either reuse the LDAP user under which the Files Advanced server is registered, or create a new one dedicated to the Gateway services.

Either way, the chosen user must be granted the right to act as part of the operating system on every machine where a Gateway Server is installed. This right (SeTcbPrivilege) is one of the most powerful on Windows, so grant it only to that one account, not to a group, and treat the account's password as a high-value secret.

Selecting a user to act as part of the operating system

  1. On the machine with the Gateway server, click Start -> Run
  2. Type gpedit.msc and press OK
  3. Expand Computer Configuration -> Windows Settings -> Security Settings.
  4. Expand Local Policies and click on User Rights Assignment.
  5. Right-click on Act as part of the operating system in the list and select Properties.
  6. In this window you can add or remove users and groups. Enter the desired username and press OK.
  7. Close all remaining windows and restart the server for the change to take effect.

Running the Gateway Server's service as the selected user account

Once the user has been granted that right, set the Gateway service to log on as that user. To do so, complete the following steps:

  1. On the machine where the Gateway Server is installed, click Start and select Run.
  2. Type in services.msc and click OK. Alternatively, open the Control Panel and go to Administrative Tools -> Services.
  3. Right-click Files Advanced Gateway in the list and select Properties.
  4. Click on the Log On tab.
  5. Select the radio button for This account: and enter the credentials of the user to whom you granted the operating system right. (Setting the account here also grants it the Log on as a service right automatically.)
  6. Click OK and close all windows
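The two procedures above (granting the user right and changing the service log-on account) as one script. This is an added example, not code from the original page or from the vendor: it assumes a service account named ACME\svc-gateway, resolves the service from the display name given above, and uses secedit for the user-rights change because there is no built-in cmdlet for it. It also grants Log on as a service explicitly, because services.msc adds that right silently while a programmatic change of the log-on account does not.

```powershell
# Added example (not from the original page). Run elevated on each Gateway Server.
# Assumed names: service account ACME\svc-gateway; service display name as on the page.
$Account = 'ACME\svc-gateway'

function Grant-UserRight {
    # Scriptable equivalent of the gpedit.msc steps: export the local user-rights
    # policy, append the account's SID to the requested right, import it back.
    param([string]$Account, [string]$Right)

    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'

    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf

    if ($lines -match ('^' + $Right + '\s*=')) {
        # Right already assigned to someone: append our SID unless it is already there.
        if (-not ($lines -match ('^' + $Right + '\s*=.*\*' + $sid + '(,|$)'))) {
            $lines = $lines -replace ('^(' + $Right + '\s*=.*)$'), ('$1,*' + $sid)
        }
    } else {
        # Right not assigned to anyone yet: add a new line under [Privilege Rights].
        $lines = $lines -replace '^\[Privilege Rights\]$', ("[Privilege Rights]`r`n" + $Right + ' = *' + $sid)
    }

    Set-Content -Path $inf -Value $lines -Encoding Unicode   # secedit expects a Unicode .inf
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# "Act as part of the operating system" is the right the page requires.
Grant-UserRight -Account $Account -Right 'SeTcbPrivilege'
# "Log on as a service" is what services.msc grants behind the scenes.
Grant-UserRight -Account $Account -Right 'SeServiceLogonRight'

# Locate the Gateway service by display name; refuse to guess if the match is ambiguous.
$svc = @(Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Files Advanced Gateway%'")
if ($svc.Count -ne 1) { throw "Expected exactly one Gateway service, found $($svc.Count)" }
$svc = $svc[0]

# Change the log-on account (Win32_Service.Change; ReturnValue 0 means success).
$cred   = Get-Credential -UserName $Account -Message 'Gateway service account password'
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }

# Restarting the service creates a fresh logon session for the account,
# which is when newly granted user rights take effect.
Restart-Service -Name $svc.Name
(Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName   # verify
```

The page recommends rebooting the server after the user-rights change; a service restart is sufficient because rights are evaluated when the account's logon session is created, but a reboot is harmless if you prefer to follow the page literally.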

Configuring the SPNs for the Gateway Cluster

For the Key Distribution Center (KDC) to issue Kerberos tickets for the gateway cluster, an HTTP service principal name (SPN) must be registered with the KDC for each Gateway Server and for the load balancer, all on the account under which the service runs. Register them with setspn, specifying that account name. Use the -s switch rather than -a: -s checks for an existing duplicate before adding, and a duplicate SPN breaks Kerberos authentication for every principal that carries it.

  1. Open the command prompt.
  2. Enter the following command:

    setspn -s HTTP/computername.domain.com username

    For example, if your gateway service is running as user john, the command will be:

    setspn -s HTTP/gatewayserver1.acme.com john

  3. If your gateway server is running on a non-default port (i.e., a port other than 443), also register an SPN that includes the port number; e.g., if your gateway server is running on port 444:

    setspn -s HTTP/gatewayserver1.acme.com:444 john

  4. Repeat these steps for each Gateway Server and for the load balancer, registering every SPN on the same account. The SPN for the load balancer should look like this:

    setspn -s HTTP/gwloadbalancerdns.acme.com john
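The SPN registration above for a whole cluster, as an added example that is not from the original page or the vendor. It assumes a service account with sAMAccountName svc-gateway, two gateways plus the load balancer name from the page, and port 444; it skips SPNs already on the account, refuses to add one that another principal owns, and relies on the English messages setspn prints ("Existing SPN found", the tab-indented list from -L), which is an assumption about the tool's output.

```powershell
# Added example (not from the original page). Run as a user allowed to write
# servicePrincipalName on the service account (Domain Admin or delegated).
$Account      = 'svc-gateway'                                   # assumed service account
$GatewayHosts = @('gatewayserver1.acme.com', 'gatewayserver2.acme.com')
$LoadBalancer = 'gwloadbalancerdns.acme.com'
$Port         = 444                                             # $null or 443 for the default

# Every gateway and the load balancer need HTTP/<fqdn>; non-default ports also need HTTP/<fqdn>:<port>.
$Spns = foreach ($n in ($GatewayHosts + $LoadBalancer)) {
    "HTTP/$n"
    if ($Port -and $Port -ne 443) { "HTTP/${n}:$Port" }
}

# SPNs the account already has: setspn -L prints them one per line, tab-indented.
$existing = @(setspn -L $Account | Where-Object { $_ -match '^\s+\S+/' } | ForEach-Object { $_.Trim() })

foreach ($spn in $Spns) {
    if ($existing -contains $spn) {
        Write-Host "already registered on ${Account}: $spn"
        continue
    }

    # An SPN may exist only once in the forest. If another principal (for example a
    # gateway's own computer account) already owns it, adding it again would produce a
    # duplicate and break Kerberos for both, so report it and let an admin resolve it.
    $query = @(setspn -Q $spn)
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is owned by another principal; not adding it:`n$($query -join "`n")"
        continue
    }

    # -S re-checks for duplicates at add time, unlike -A.
    setspn -S $spn $Account
}

# Final checks: what the account carries now, and a forest-wide duplicate scan.
setspn -L $Account
setspn -X
```

If setspn -X reports any HTTP/ SPN for these names on more than one account, remove the stray copy (setspn -D) before testing SSO; until then clients will get KRB_AP_ERR_MODIFIED or fall back to NTLM, depending on the browser.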