On the Files Advanced server

Setting the domain account that will be used for Single Sign-on authentication

  1. Navigate to C:\Program Files (x86)\Acronis\Files Advanced\Access Server\Web Application\WEB-INF\
  2. Find and open the file web.xml. In this file you will set the domain username and password that the SSO service will run under. This account must match the account that you used to register the HTTP service with Kerberos in the On the Domain section.
  3. In web.xml there are two properties that need to be set - the domain username and password that the SSO service will use. Find the following lines:

        <init-param>
            <param-name>spnego.preauth.username</param-name>
            <param-value>yourusername</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.preauth.password</param-name>
            <param-value>yourpassword</param-value>
        </init-param>

  4. Replace yourusername with the desired LDAP username.
  5. Replace yourpassword with the LDAP password for the LDAP account specified above. If you have one of these five special characters in your password: &, >, ", ', or <, you will have to properly escape them in the XML document. To do so, you will have to replace them with the following:

        & with &amp;
        > with &gt;
        " with &quot;
        ' with &apos;
        < with &lt;

    e.g. if your password is <my&best'password" you will have to write it in the web.xml file as follows: &lt;my&amp;best&apos;password&quot;

Setting the Kerberos domain lookup

  1. Navigate to C:\Program Files (x86)\Acronis\Files Advanced\Common\apache-tomcat-7.0.59\conf
  2. Find and open the file krb5.conf.
  3. In krb5.conf there are only two properties that are needed from the administrator:
    1. The domain for single sign-on (e.g., ACME.COM). Please note that this is the name of your domain, not the DNS name of the server.

      Note: The domain in krb5.conf must always be in UPPERCASE or Kerberos ticket lookups may fail.

    2. The Kerberos Key Distribution Center's address (typically matches the address of your primary domain controller; e.g., acmedc.ACME.COM)
  4. The krb5.conf file that we install looks like this:

        [libdefaults]
            default_realm = ACME.COM
            default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
            default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
            permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

        [realms]
            ACME.COM = {
                kdc = acmedc.ACME.COM
                default_domain = ACME.COM
            }

        [domain_realm]
            .ACME.COM = ACME.COM

  5. Replace all instances of ACME.COM with your domain (in uppercase!). Please note that this is the name of your domain, not the DNS name of the server.
  6. Replace the value for "kdc =" with the name of your domain controller. The domain must be written in uppercase, e.g. kdc = yourdc.YOURDOMAIN.COM
  7. After the above configuration files are updated, the Files Advanced server (the Files Advanced Tomcat service) must be restarted in order for the changes to take effect.
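
A pre-restart check for the edited krb5.conf, as an added example that is not part of the original page or of the Acronis product: it reports realm names that are not uppercase, a leftover ACME.COM placeholder, an unclosed realm block and a default realm with no kdc. The function name check_krb5 and the corp.example.com sample are constructed for illustration, and the warning about deprecated encryption types (RFC 6649, RFC 8429) goes beyond the checks the steps above call for.

```python
import re

# Deprecated Kerberos enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}

def check_krb5(text):
    """Return a list of findings for a krb5.conf laid out like the one above."""
    findings, section, open_realm, default_realm, kdcs = [], None, None, None, {}
    # A sentinel header after the last line closes the final section.
    for n, raw in enumerate(text.splitlines() + ["[end]"], 1):
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header or line == "}":
            if header and open_realm:
                findings.append(f"before line {n}: block for {open_realm} has no closing brace")
            section, open_realm = (header.group(1) if header else section), None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            realm = None  # realm name carried by this line, if any
            if section == "libdefaults" and key == "default_realm":
                default_realm = realm = value
            elif section == "libdefaults" and key.endswith("_enctypes"):
                for enc in sorted(DEPRECATED.intersection(value.split())):
                    findings.append(f"line {n}: {key} permits deprecated {enc}")
            elif section == "realms" and value == "{":
                open_realm = realm = key
            elif section == "realms" and open_realm and key == "kdc":
                kdcs.setdefault(open_realm, []).append(value)
            elif section == "domain_realm":
                realm = value
            if realm and realm != realm.upper():
                findings.append(f"line {n}: realm {realm} is not uppercase")
            if re.search(r"\bACME\.COM\b", line, re.I):
                findings.append(f"line {n}: placeholder ACME.COM was not replaced")
    if not kdcs.get(default_realm):
        findings.append(f"no kdc defined for default_realm {default_realm}")
    return findings

SAMPLE = """# constructed sample: lowercase realm, unclosed block, weak enctypes
[libdefaults]
    default_realm = corp.example.com
    permitted_enctypes = aes128-cts rc4-hmac des-cbc-crc
[realms]
    corp.example.com = {
        kdc = dc01.corp.example.com
[domain_realm]
    .corp.example.com = corp.example.com
"""
print("\n".join(check_krb5(SAMPLE)))
```

An empty list means the file passed these checks; it does not prove that the KDC is reachable or that the HTTP service principal is registered.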

Enabling Single sign-on in the web interface:

  1. Open the Files Advanced web interface and log in as an administrator.
  2. Expand the General Settings tab and open the LDAP page.
  3. At the bottom of the page, enable the checkbox Allow log in from the web client and desktop sync client using existing Windows/Mac login credentials.
  4. Press Save.