Note: These steps work only if the machines that will host the Gateway Servers are in the same domain as the Files Advanced Web Server.
For the Kerberos Key Distribution Center (KDC) to authenticate users to the Gateway Server, the gateway service must be registered with the KDC by running setspn, specifying the hostname of the machine the service runs on as the account in the setspn command.
For any Gateway Servers that reside on a different machine from the Files Advanced Web Server
Open the command prompt.
Enter the following setspn command: setspn -s HTTP/computername.domain.com computername
For example, if your gateway server is running on host 'cody' in the domain, run this command:
setspn -s HTTP/cody.acme.com cody
If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444:
setspn -s HTTP/cody.acme.com:444 cody
Repeat this section for all additional Gateway servers.
Configuring a Gateway Server in another domain
If you do not have access to Resource Based Kerberos Constrained Delegation, another way to configure SSO to remote shares and resources located in another domain is to install a Gateway Server on a machine in that domain. This allows you to use regular Kerberos Constrained Delegation and works on domains at the 2008 functional level.
Install a Gateway Server on a machine in the desired domain
Download the Files Advanced installer and move it to the machine.
Start the Files Advanced installer, accept the license agreement and press Next.
Select Custom... installation and select only the Gateway Server's checkbox.
Press Install. After the installation finishes, close the installer.
In the Configuration Utility, set the IP address of the gateway and the port.
Make the Gateway service run as a User Account
Open Control Panel -> Administrative Tools -> Services.
Find the Files Advanced Gateway Server service, right-click on it and select Properties.
Select the Log On tab and select the This account radio button.
Select the user that the service will run as, either by pressing Browse and searching or by entering the username and password of the user directly. The user must be from the domain where Files Advanced is installed. We recommend using a dedicated account and not the one used for the Files Advanced Server's SPNs.
Press OK and close the Services control panel. Do not restart the service yet: until the user account has been granted the necessary permissions, the service will not start.
Grant the selected User the necessary rights
In order for the service to run as a user, that user must be granted Act as part of the operating system and must be a part of the Local Administrators group.
Open the Local Security Policy and navigate to Local Policies -> User Rights Assignment. You may have to make this change in the Group Policy Manager depending on your deployment.
Open the Act as part of the operating system object and press Add User or Group.
Select the dedicated user for the Gateway service.
Close all open dialogs and open Control Panel -> User Accounts -> Manage Accounts.
Press Add and enter the domain and username of the dedicated account.
You can now restart the Files Advanced Gateway service in the Services control panel.
Configure the SPN for the remote Gateway Server
Go to any machine in the domain where the Files Advanced Server resides.
Open the command prompt.
To configure the SPN, the command is: setspn -s HTTP/gatewaydns.domain.com useraccountfor_gw
e.g. If your gateway server is running on host 'magpie' in the tree.com domain and is running as the peter user account from the acme.com domain, run this command:
setspn -s HTTP/magpie.tree.com peter
If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444:
setspn -s HTTP/magpie.tree.com:444 peter
If you haven't done so already, change the administration address of the desired Gateway Server to the DNS entry you created for it (e.g. magpie.tree.com).
When creating data sources for the resources in the second domain, make sure to use the Gateway Server that resides in that domain.
e.g. If you want to grant your users access to the files on repository.tree.com, you will have to pick the gateway server that is located in tree.com (e.g. magpie.tree.com).
Verify that the SPNs were set correctly for the Gateway
If you have a local volume for the local Gateway, you can verify that the SPNs and delegation are working by logging in with SSO.
Browse the local Gateway Server's volume. If it doesn't work, verify that you have configured the proper SPNs on the proper objects.
Delegation changes might take some time to propagate (e.g. 10-15 minutes for small LDAP deployments and more for larger ones).
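Before testing with an SSO login, you can check the SPN registration itself from the command line. The following PowerShell function is an added example, not part of the Files Advanced documentation: it lists the SPNs registered on the gateway's account with setspn -L, compares them with the ones the steps above require, and uses setspn -X -F to check that none of them is also registered on another account in the forest. The FQDN, port and account names are the page's example values, not real ones.

```powershell
# Added example, not part of the Files Advanced documentation: compare the SPNs
# registered on the gateway's account with the ones this page says must exist,
# and check that none of them is duplicated on another account in the forest.
# Requires setspn.exe on a domain-joined machine. The FQDN, port and account
# used below are the page's example values, not real ones.

function Test-GatewaySpn {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,  # DNS name of the gateway, e.g. magpie.tree.com
        [Parameter(Mandatory)] [string] $Account,      # computer name (same domain) or service user (other domain)
        [int] $Port = 443                              # a gateway on a port other than 443 needs a second SPN
    )

    # SPNs required by the procedure above.
    $expected = @("HTTP/$GatewayFqdn")
    if ($Port -ne 443) { $expected += "HTTP/${GatewayFqdn}:$Port" }

    # 'setspn -L' prints a header line followed by one indented SPN per line;
    # keep only the indented SPN lines and trim them.
    $registered = @(& setspn -L $Account |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() })

    # 'setspn -X -F' reports SPNs registered on more than one account in the
    # forest; a duplicated SPN makes the KDC issue tickets for the wrong account,
    # which shows up as a failed SSO login on the gateway.
    $duplicateReport = @(& setspn -X -F)

    foreach ($spn in $expected) {
        [pscustomobject]@{
            SPN        = $spn
            Registered = ($registered -contains $spn)
            Duplicated = [bool]($duplicateReport -match [regex]::Escape($spn))
        }
    }
}

# Gateway 'magpie' in tree.com, running on port 444 as the 'peter' account (values from the example above).
Test-GatewaySpn -GatewayFqdn 'magpie.tree.com' -Account 'peter' -Port 444 | Format-Table -AutoSize
```

A row with Registered = False means the setspn -s step was missed for that SPN; a row with Duplicated = True means the same SPN exists on a second account and must be removed from the wrong one before SSO will work.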