On the Domain

This is a one-time step that must be performed in order to register the Files Advanced Server with the Kerberos server on the domain. We will use 'setspn.exe' to specify which LDAP account will be queried for SSO authentication checks.

Note: If you want to use mobile clients with certificate authentication, the DNS entry for the Files Advanced Web Server must be different from the name of the computer. If the Files Advanced Web Server's SPN is just the name of the computer, the Gateway server will treat the Files Advanced Web Server as "on my machine" and will not attempt to perform Kerberos authentication.

For example, computerAccess.domain.com / computer.domain.com and computerAccess.domain.com / computerGW.domain.com will work.

For example, computer.domain.com / computerGW.domain.com will NOT work.

Configuring the LDAP account that will handle SSO

Note: If you want to use SMB or SharePoint Data Sources, you must configure the Active Directory account to permit Kerberos delegation to each of your SMB and SharePoint data sources. For more information, please visit the Advanced Delegation Configurations article.

  1. Open a command prompt.

    Note: You must be logged in with a domain account and have the rights to use setspn

  2. Enter the command setspn -s HTTP/computername.domain.com accountname

    e.g. If your Files Advanced server is installed on ahsoka.acme.com and you want to use john@acme.com as the pre-authenticated LDAP account to grant Kerberos tickets, the command will look like this:

    setspn -s HTTP/ahsoka.acme.com john

    Note: The LDAP account name used in the command above MUST match the account which you will specify by the spnego.preauth.username property in web.xml.

    Note: This account will typically match the LDAP account specified by the administrator in the Files Advanced web interface at General Settings -> LDAP -> LDAP Username / LDAP Password, but this is not mandatory.

  3. If your Files Advanced server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number.

    e.g. If your server is running on port 444, the command will be:

    setspn -s HTTP/ahsoka.acme.com:444 john

    Note: The HTTP in the commands above refers to the HTTP service class, not the HTTP protocol. The HTTP service class handles both HTTP and HTTPS requests. You do not need to, and should NOT, create an SPN using HTTPS as a service class name.

  4. Go to the domain controller and open Active Directory Users and Computers.
  5. Find the user that you used in the above commands (in this case - john).
  6. Click on the Delegation tab and select Trust this user for delegation to any service (Kerberos only).
  7. Press OK.

Configuring the SPN for the Gateway Server

In order for the KDC ("Key Distribution Center") Kerberos server to be able to authenticate users to the gateway server, the gateway service must be registered with the KDC by running setspn with the hostname of the machine on which the gateway runs as the 'user' argument of the setspn command.

For any Gateway Servers that reside on a different machine from the Files Advanced Server

  1. Open the command prompt.
  2. Enter the following setspn command: setspn -s HTTP/computername.domain.com computername

    For example, if your gateway server is running on host 'cody' in the domain, run this command:

    setspn -s HTTP/cody.acme.com cody

  3. If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444:

    setspn -s HTTP/cody.acme.com:444 cody

  4. Repeat this section for all Gateway servers.

If there is a Gateway Server on the same machine as the Files Advanced Server

This is required only if you have a Gateway Server on the same machine as the Files Advanced Server. If you do not, skip this section. For this configuration to work, you will need to set an additional DNS entry for your Gateway server.

  1. On your DNS server, open the Forward Lookup Zones for your domain, right-click and create a new Host entry (A record) for the Gateway server.
  2. Enter a name. This will be the DNS address that will be used to reach the Gateway server.

    e.g. codygw.acme.com

  3. Enter the IP address of the Gateway Server (without the port). If you're running the Gateway and the Files Advanced Servers on the same IP address, enter that IP address.
  4. Select Create associated pointer (PTR) record and press Add Host.
  5. Go back to the machine with Files Advanced.
  6. Open the command prompt.
  7. Enter the following setspn command: setspn -s HTTP/gatewaydns.domain.com computername

    For example, if your gateway server is running on host 'cody' in the domain and your DNS entry is codygw.acme.com, run this command:

    setspn -s HTTP/codygw.acme.com cody

  8. If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444:

    setspn -s HTTP/codygw.acme.com:444 cody

  9. If you haven't done so already, change the address used to administer the Gateway Server to the Gateway Server DNS entry you created in step 4.
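As an added example (not part of the original article or the product's own tooling), the following PowerShell script performs the SPN registrations from the three procedures above in one pass and adds the checks an administrator would want: it warns when the Files Advanced DNS name equals the machine name (the note at the top), refuses any service class other than HTTP, queries the forest for a duplicate before each registration, and confirms the delegation setting on the SSO account. The host names, account, and port are constructed sample values matching the article's examples; the delegation check assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: register and verify the SPNs described in this article.
# Constructed sample values, matching the article's examples.
$FilesHost   = 'ahsoka.acme.com'   # Files Advanced Web Server DNS name
$SsoAccount  = 'john'              # LDAP account (spnego.preauth.username in web.xml)
$GatewayHost = 'codygw.acme.com'   # Gateway DNS entry (A record) created on the DNS server
$GatewayComp = 'cody'              # computer account of the Gateway Server
$Port        = 444                 # non-default port; set to $null when running on 443

# Check from the note at the top: with a co-located Gateway, a web server SPN that
# is just the machine name means no Kerberos authentication is attempted.
$machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($FilesHost -ieq $machineFqdn) {
    Write-Warning "Files Advanced DNS name equals the computer name ($machineFqdn)"
}

function Register-Spn {
    param([string]$Spn, [string]$Account)
    # The service class is always HTTP (it covers HTTPS too); never register HTTPS/.
    if ($Spn -notmatch '^HTTP/') { throw "Refusing non-HTTP service class: $Spn" }
    # -Q queries the forest; a duplicate SPN breaks Kerberos for both accounts.
    $found = (& setspn.exe -Q $Spn) -match '^CN='
    if ($found) {
        Write-Warning "$Spn is already registered on: $found"
        return
    }
    # -S (same as -s in the article) adds the SPN after its own duplicate check.
    & setspn.exe -S $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn" }
}

# Files Advanced Web Server -> the LDAP account that handles SSO
Register-Spn -Spn "HTTP/$FilesHost" -Account $SsoAccount
if ($Port) { Register-Spn -Spn "HTTP/${FilesHost}:$Port" -Account $SsoAccount }

# Gateway Server -> its own computer account (DNS entry, not the machine name)
Register-Spn -Spn "HTTP/$GatewayHost" -Account $GatewayComp
if ($Port) { Register-Spn -Spn "HTTP/${GatewayHost}:$Port" -Account $GatewayComp }

# Verify: list the SPNs now held by each account.
& setspn.exe -L $SsoAccount
& setspn.exe -L $GatewayComp

# Confirm step 6 of the LDAP account procedure (delegation enabled on the SSO account).
Import-Module ActiveDirectory
$user = Get-ADUser $SsoAccount -Properties TrustedForDelegation
if (-not $user.TrustedForDelegation) {
    Write-Warning "$SsoAccount is not trusted for delegation; enable it on the Delegation tab"
}
```

Run it from an elevated prompt under a domain account with rights to modify SPNs; repeat the Gateway block for every additional Gateway Server.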