Setting the Kerberos domain lookup
  1. Navigate to C:\Program Files (x86)\Acronis\Files Advanced\Common\apache-tomcat-7.0.59\conf
  2. Find and open the file krb5.conf  
  3. In krb5.conf only two values have to come from the administrator:
    1. The Kerberos realm for single sign-on (e.g., ACME.COM).
      • This must be the Active Directory domain where your Files Advanced Web Server and Gateway servers reside.
      • Please note that this is the name of your domain, not the DNS name of the server.

      Note: Kerberos realm names are case-sensitive, and an Active Directory realm is the domain name in UPPERCASE. The realm in krb5.conf must always be written in UPPERCASE or Kerberos ticket lookups may fail.

    2. The address of the Kerberos Key Distribution Center (KDC). In Active Directory every domain controller is a KDC, so this is the DNS name of a domain controller in the domain where Files Advanced and its components reside (e.g., acmedc.ACME.COM).
  4. The krb5.conf file that we install looks like this:

        [libdefaults]
            default_realm = ACME.COM
            default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
            default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
            permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

        [realms]
            ACME.COM = {
                kdc = acmedc.ACME.COM
                default_domain = ACME.COM
            }

        [domain_realm]
            .ACME.COM = ACME.COM

    Note: The realm block in [realms] must be closed with its own "}" or the file does not parse.

    Note: The DES and RC4 entries in the encryption type lists are there only for compatibility with old domain controllers. DES is disabled by default on domain controllers since Windows Server 2008 R2 and RC4 is deprecated; whatever is listed here, the KDC only issues tickets in encryption types it has enabled for the service account. Where your domain controllers support AES, leave the weak types out rather than re-enabling them on the KDC to satisfy this list.

  5. Replace all instances of ACME.COM with your domain (in uppercase!). Please note that this is the name of your domain, not the DNS name of the server. Keep the braces of the realm block balanced while editing.
  6. Replace the value for "kdc =" with the DNS name of your domain controller. The domain portion must be written in uppercase, e.g. kdc = yourdc.YOURDOMAIN.COM
  7. After krb5.conf is updated, the Files Advanced Server (the Files Advanced Tomcat service) must be restarted for the changes to take effect.
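
Before restarting the service it pays to check the edited file, because a lowercase realm or an unbalanced realm block only shows up later as a failed ticket lookup. The following PowerShell script is an added example, not part of the Acronis documentation or product. It parses the three sections shown above, reports the mistakes the steps warn about (realm not UPPERCASE, realm block without its closing brace, realm without a kdc, no domain_realm mapping onto the default realm) and, with -TestKdc, probes each KDC on TCP/88. The krb5.conf path defaults to the one from step 1; the port probe assumes the domain controller is reachable from the Files Advanced server.

```powershell
# Added example (not Acronis tooling): sanity-check krb5.conf before restarting Tomcat.
# Default path is the Files Advanced conf directory from step 1; adjust if yours differs.
param(
    [string]$Path = 'C:\Program Files (x86)\Acronis\Files Advanced\Common\apache-tomcat-7.0.59\conf\krb5.conf',
    [switch]$TestKdc    # also check that every kdc answers on TCP/88
)

$problems     = @()
$section      = $null
$realm        = $null      # realm block currently open in [realms]
$depth        = 0          # count of '{' not yet closed in [realms]
$defaultRealm = $null
$realms       = @{}        # realm name -> array of kdc values
$domainRealm  = @{}        # DNS domain pattern -> realm

foreach ($raw in Get-Content -LiteralPath $Path) {
    $line = ($raw -replace '[#;].*$', '').Trim()     # drop comments and surrounding whitespace
    if (-not $line) { continue }
    if ($line -match '^\[(\w+)\]$') { $section = $Matches[1]; continue }

    switch ($section) {
        'libdefaults' {
            if ($line -match '^default_realm\s*=\s*(\S+)') { $defaultRealm = $Matches[1] }
        }
        'realms' {
            if ($line -match '^(\S+)\s*=\s*\{') {              # e.g. "ACME.COM = {"
                $realm = $Matches[1]; $depth++
                if (-not $realms.ContainsKey($realm)) { $realms[$realm] = @() }
            } elseif ($line -eq '}') {
                $depth--; $realm = $null
            } elseif ($realm -and $line -match '^kdc\s*=\s*(\S+)') {
                $realms[$realm] += $Matches[1]
            }
        }
        'domain_realm' {
            if ($line -match '^(\S+)\s*=\s*(\S+)') { $domainRealm[$Matches[1]] = $Matches[2] }
        }
    }
}

# Checks mirroring the requirements of the procedure above.
if (-not $defaultRealm) {
    $problems += 'No default_realm in [libdefaults].'
} else {
    if ($defaultRealm -cne $defaultRealm.ToUpperInvariant()) {
        $problems += "default_realm '$defaultRealm' is not UPPERCASE; ticket lookups may fail."
    }
    if (-not $realms.ContainsKey($defaultRealm)) {
        $problems += "default_realm '$defaultRealm' has no block in [realms]."
    }
    if (-not ($domainRealm.Values -contains $defaultRealm)) {
        $problems += "[domain_realm] does not map any DNS domain onto $defaultRealm."
    }
}
if ($depth -ne 0) { $problems += "[realms] has $depth unclosed '{' block(s)." }
foreach ($r in $realms.Keys) {
    if ($r -cne $r.ToUpperInvariant()) { $problems += "Realm '$r' is not UPPERCASE." }
    if ($realms[$r].Count -eq 0) {
        $problems += "Realm '$r' defines no kdc."
    } elseif ($TestKdc) {
        foreach ($kdc in $realms[$r]) {
            $kdcHost = ($kdc -split ':')[0]                  # a kdc value may carry an explicit port
            if (-not (Test-NetConnection -ComputerName $kdcHost -Port 88 -InformationLevel Quiet)) {
                $problems += "KDC $kdcHost for realm $r does not answer on TCP/88."
            }
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "krb5.conf is consistent: realm $defaultRealm, kdc(s) $($realms[$defaultRealm] -join ', ')"
```

Run it from an elevated PowerShell on the Files Advanced server after step 6 and before step 7; a non-zero exit code means the file should be corrected before the Tomcat service is restarted.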
Enabling Single sign-on in the web interface
  1. Open the Files Advanced web interface and log in as an administrator.
  2. Expand the General Settings tab and open the LDAP page.
  3. At the bottom of the page, enable the checkbox Allow log in from the web client and desktop sync client using existing Windows/Mac login credentials.
  4. Press Save.
Configuring the LDAP account that will handle SSO

Configure an additional DNS entry for your Files Advanced Web server

If you have a Gateway server on this machine, you must have a separate DNS entry for your Files Advanced Web Server. Kerberos derives the service principal name from the host name the browser connects to, and an SPN can belong to only one account, so the web server needs a name of its own for the HTTP/<name> SPN registered below to sit on the LDAP account without colliding with the SPNs already tied to the machine's host name.

  1. On your DNS server, open the Forward Lookup Zones for your domain, right-click and create a new Host entry (A record) for the Files Advanced Web Server.
  2. Enter a name. This will be the DNS address that will be used to reach the Files Advanced Web server.

    e.g. ahsokaaccess.acme.com

  3. Enter the IP address of the Files Advanced Web Server (without the port). If you're running the Gateway and the Files Advanced Web Servers on the same IP address, enter that IP address.
  4. Select Create associated pointer (PTR) record and press Add Host.

Setting the SPN for the Files Advanced Web Server

  1. On the machine where Files Advanced is running, open a command prompt.

    Note: You must be logged in with a domain account that has the rights to use setspn, i.e. write access to the servicePrincipalName attribute of the target account (by default a member of Domain Admins, or an account that has been delegated that permission).

  2. Enter the command setspn -s HTTP/access_DNS_name.domain.com account_name, where access_DNS_name.domain.com is the DNS name created for the Files Advanced Web Server in the previous section and account_name is the LDAP account (e.g. setspn -s HTTP/ahsokaaccess.acme.com john). The -s switch first verifies that no other account already holds the same SPN; a duplicate SPN breaks Kerberos authentication for both accounts, so do not use -a to force the registration.

    Note: The LDAP account name used in this command MUST match the account which you have specified in the web.xml file.

  3. If your Files Advanced Web server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number.

    e.g. If your server is running on port 444, the command will be one of:
    setspn -s HTTP/ahsokaaccess.acme.com:444 john
    setspn -s HTTP/ahsokaaccess.acme.com:444 tree\jane

    Note: The HTTP in the commands above refer to the HTTP service class, not the HTTP protocol. The HTTP service class handles both HTTP and HTTPS requests. You do not need to, and should NOT, create an SPN using HTTPS as a service class name.

  4. Go to the domain controller where your users reside and open Active Directory Users and Computers. If you have multiple domains with users, open the one which contains the user used in the previous steps.
  5. Find the user that you used in the above commands (in this case - john or jane).
  6. Click on the Delegation tab and select Trust this user for delegation to any service (Kerberos only). Enabling this setting allows the LDAP object to delegate authentication to any service. In our case that is the Gateway Server service.

    Note: The Delegation tab only appears once the account has at least one SPN registered, so complete the setspn steps first.

    Note: This setting is unconstrained Kerberos delegation. Every user who signs in to the web server via SSO forwards a ticket-granting ticket to this account, which can then act as that user towards any service in the forest. Treat the account as a privileged one: a strong, unique password, no interactive logon, and monitoring of where it is used.

  7. Press OK.
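
The DNS record, SPNs and delegation setting above are easy to get subtly wrong (an SPN on the wrong account, a duplicate SPN, a missing port-qualified SPN), and none of it is verified until a user tries to log in. The following PowerShell script is an added example, not Acronis tooling. It assumes the RSAT ActiveDirectory module is installed, that the account is given as its sAMAccountName, and that the host name, port and account (ahsokaaccess.acme.com, 443 and john, taken from this page's examples) are passed as parameters; with -Register it runs setspn -S for any expected SPN that is missing.

```powershell
# Added example (not Acronis tooling): verify the SSO prerequisites for the Files Advanced
# web server: its own A/PTR records, the HTTP/ SPN(s) on the right account with no duplicates,
# and the delegation flag. Host, port and account names are placeholders from this page.
param(
    [string]$WebHost = 'ahsokaaccess.acme.com',   # DNS name created for the web server
    [int]$Port       = 443,                        # web server port; anything but 443 needs a second SPN
    [string]$Account = 'john',                     # sAMAccountName of the LDAP account named in web.xml
    [switch]$Register                              # run setspn -S for any SPN that is missing
)
Import-Module ActiveDirectory -ErrorAction Stop

$ok = $true
function Fail([string]$msg) { Write-Warning $msg; $script:ok = $false }

# 1. The web server needs its own A record (and PTR); the browser builds the SPN from this name.
$a = Resolve-DnsName -Name $WebHost -Type A -ErrorAction SilentlyContinue
if (-not $a) {
    Fail "No A record for $WebHost."
} else {
    $ip  = ($a | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    if (-not $ptr) { Fail "No PTR record for $ip ($WebHost)." }
}

# 2. Expected SPNs: service class HTTP (never HTTPS), plus a port-qualified one off 443.
$expected = @("HTTP/$WebHost")
if ($Port -ne 443) { $expected += "HTTP/${WebHost}:$Port" }

$user = Get-ADUser -Identity $Account -Properties servicePrincipalName, TrustedForDelegation
foreach ($spn in $expected) {
    # Every object holding this SPN; more than one is a duplicate, which breaks Kerberos outright.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($holders.Count -gt 1) {
        Fail "$spn is registered on multiple objects: $($holders.Name -join ', ')"
    } elseif ($holders.Count -eq 1 -and $holders[0].DistinguishedName -ne $user.DistinguishedName) {
        Fail "$spn belongs to $($holders[0].Name), not to $Account."
    } elseif ($holders.Count -eq 0) {
        if ($Register) {
            Write-Host "Registering $spn on $Account"
            setspn -S $spn $Account | Out-Null          # -S refuses to create a duplicate
            if ($LASTEXITCODE -ne 0) { Fail "setspn -S $spn $Account failed (exit code $LASTEXITCODE)." }
        } else {
            Fail "$spn is not registered on $Account (re-run with -Register to add it)."
        }
    }
}

# 3. Delegation: the procedure's setting is unconstrained delegation, exposed as TrustedForDelegation.
if (-not $user.TrustedForDelegation) {
    Fail "$Account is not trusted for delegation; enable it on the Delegation tab in ADUC."
}

if ($ok) { Write-Host "SSO prerequisites for $WebHost on $Account look complete." } else { exit 1 }
```

Run it as a domain user with read access to Active Directory; only the -Register path needs the setspn rights described above. A duplicate-SPN warning is the one to take most seriously, since it stops Kerberos for both accounts involved.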

Verify you can log into Files Advanced

  1. Go to a machine other than your Domain Controller or your Files Advanced Web Server.
  2. Open your Files Advanced web console and use the link under the password field on the login page.

    Note: You need to be logged into the machine with a domain user that was either invited to Files Advanced, has already logged in, or is a member of a provisioned LDAP group.

    Note: You must complete the On any user's machine section in order for your browser to accept SSO requests.