Kerberos SSO integration is no longer supported. You can use OpenID Connect (OAuth2) or SAML as alternative authentication methods.
Hosts
- Windows Domain Controller (Active Directory, AD/LDAP server): winssoad.winssodom.local
- codeBeamer server (and Apache server) - joined to AD: win7000.winssodom.local
- Windows client - joined to AD: host name not relevant
Install Apache 2.2
Download the Apache 2.2 Windows installer and install it with typical settings on the machine hosting the codeBeamer server. (Default installation folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2)
Note: the Kerberos module below is built specifically for this installer; a mod_auth_kerb.so compiled against a different Apache build will not load.
Install Kerberos module for Apache
Download the Kerberos module for Apache (mod_auth_kerb.so) and copy it to the folder C:\Program Files (x86)\Apache Software Foundation\Apache2.2\modules on the machine hosting the codeBeamer server.
Install MIT Kerberos
Download and install MIT Kerberos for Windows with typical settings on the machine hosting the codeBeamer server.
Create and install a Kerberos keytab
- Create a service account on the AD server: cbssokerb
- Create a keytab on the AD server: open a command prompt window and run the following command. The realm part of the principal must be written in upper case (WINSSODOM.LOCAL), because it has to match the realm used by the KDC and by the Apache configuration; keytab lookups are case-sensitive. Note that -crypto ALL also writes DES and RC4 keys into the keytab; on a domain that supports AES, prefer -crypto AES256-SHA1.
ktpass -princ HTTP/win7000.winssodom.local@WINSSODOM.LOCAL -mapuser cbssokerb -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out c:\cbssokerb.keytab
- Enter the password for the account cbssokerb when prompted. ktpass sets this password on the account, and the keytab contains the account's long-term key, so treat the file like a password (restrict its NTFS permissions to the Apache service account and delete the copy left in c:\).
- Copy the generated keytab file to the Apache config folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab
- Edit the file C:\ProgramData\MIT\Kerberos5\krb5.ini and add the following text. The krb4_* lines and the [login] section are Kerberos 4 leftovers that current MIT Kerberos ignores, and debug = true is only useful while troubleshooting; all of them can be left out.
[libdefaults]
    debug = true
    default_realm = WINSSODOM.LOCAL
    dns_lookup_kdc = false
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    WINSSODOM.LOCAL = {
        kdc = WINSSOAD.winssodom.local
        admin_server = WINSSOAD.winssodom.local
        default_domain = winssodom.local
    }

[domain_realm]
    .winssodom.local = WINSSODOM.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false
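The two things that most often go wrong with the keytab step are the realm case in the principal and the key types that end up in the file. The following script is an added example written for this page (it is not codeBeamer, Apache or ktpass code): it parses the MIT-format keytab file that ktpass writes and checks it against the SPN and realm that the Apache configuration on this page uses. The two sample keytabs are constructed inside the script with fake keys; the script name keytab_check.py and the command-line usage are assumptions.

```python
"""Added example (not codeBeamer's or ktpass's code): parse an MIT-format keytab, the
format ktpass writes, and check it against the SPN/realm Apache's Krb5KeyTab expects."""
import struct, sys
from dataclasses import dataclass

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # DES and RC4, which "-crypto ALL" also emits
AES_ENCTYPES = {17, 18}

@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/win7000.winssodom.local@WINSSODOM.LOCAL
    name_type: int   # 1 == KRB5_NT_PRINCIPAL
    kvno: int
    enctype: int
    key: bytes

def _unpack(fmt, buf, off):
    """struct.unpack_from plus the advanced offset (big-endian formats, no padding)."""
    return struct.unpack_from(fmt, buf, off) + (off + struct.calcsize(fmt),)

def _counted(buf, off):
    """counted_octet_string: uint16 length followed by that many bytes."""
    n, off = _unpack(">H", buf, off)
    return bytes(buf[off:off + n]), off + n

def parse_keytab(data: bytes) -> list:
    """Decode a version 0x0502 (big-endian) keytab into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        size, off = _unpack(">i", data, off)
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, off = _unpack(">H", data, off)
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8, off = _unpack(">IIB", data, off)
        enctype, off = _unpack(">H", data, off)
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno, used when non-zero
            kvno = _unpack(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
        off = end
    return entries

def build_keytab(entries) -> bytes:
    """Encode entries in the same format (used here to construct sample files)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(data: bytes, spn: str, realm: str) -> list:
    """Return human-readable problems; an empty list means the keytab is usable."""
    wanted = f"{spn}@{realm}"
    entries = parse_keytab(data)
    candidates = [e for e in entries if e.principal.lower() == wanted.lower()]
    problems = []
    if not candidates:
        problems.append(f"no entry for {wanted}; found {sorted({e.principal for e in entries})}")
    elif not any(e.principal == wanted for e in candidates):
        problems.append(f"realm case mismatch: keytab has {candidates[0].principal!r} "
                        f"but Apache looks up {wanted!r} (lookups are case-sensitive)")
    for e in candidates:
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} (kvno {e.kvno})")
    if candidates and not any(e.enctype in AES_ENCTYPES for e in candidates):
        problems.append("no AES key; re-run ktpass with -crypto AES256-SHA1")
    return problems

# Constructed sample keytabs with fake keys; not real ktpass output.
SPN = "HTTP/win7000.winssodom.local"
BAD_KEYTAB = build_keytab([   # lowercase realm and an RC4 key
    KeytabEntry(f"{SPN}@winssodom.local", 1, 3, 23, b"\x11" * 16)])
GOOD_KEYTAB = build_keytab([  # uppercase realm, AES keys only
    KeytabEntry(f"{SPN}@WINSSODOM.LOCAL", 1, 3, 18, bytes(range(32))),
    KeytabEntry(f"{SPN}@WINSSODOM.LOCAL", 1, 3, 17, bytes(range(16)))])

if __name__ == "__main__":    # usage: python keytab_check.py [c:\cbssokerb.keytab]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_KEYTAB
    for e in parse_keytab(data):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print(check_keytab(data, SPN, "WINSSODOM.LOCAL") or ["OK"])
```

Run it against the real file (python keytab_check.py c:\cbssokerb.keytab) after running ktpass: the principal it prints must be exactly the one the browser will request for the URL's host name, including the upper-case realm, and the kvno it prints must match the kvno the KDC issues tickets with (ktpass increments it each time it resets the account password, so a second ktpass run makes the older keytab copy useless).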
Edit the file C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf and make the following changes:
- Enable the following standard modules (either copy/paste the following block, or uncomment them in their original locations, but make sure none of them is loaded twice). On Windows the module paths are relative to the Apache installation folder (modules/mod_proxy.so), not /usr/lib/apache2/modules/... as on Linux. mod_ldap and mod_authnz_ldap are not referenced by the virtual host configuration below; they are only needed if Apache itself is to authenticate against LDAP.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
- Load the non-standard (currently installed) Kerberos module: LoadModule auth_kerb_module modules/mod_auth_kerb.so
- Configure the virtual host(s). ProxyPass only needs a reverse proxy, which works with ProxyRequests Off; ProxyRequests On together with "Allow from all" in the <Proxy *> block would turn the server into an open forward proxy for anyone who can reach port 80.
<VirtualHost *:80>
    ServerName win7000.winssodom.local
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /cb http://localhost:8080/cb
    ProxyPassReverse /cb http://localhost:8080/cb
    <Location /cb>
        Order allow,deny
        Allow from all
        AuthType Kerberos
        KrbServiceName HTTP
        AuthName "Domain login"
        KrbAuthRealms WINSSODOM.LOCAL
        Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
        require valid-user
        KrbLocalUserMapping On
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # The directives below put the logon name of the authenticated user into the
        # HTTP header X-User-Global-ID. The header is unset first so that a value
        # supplied by the client is never passed through to codeBeamer.
        RequestHeader unset X-User-Global-ID
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule /cb.* - [E=RU:%1,L,NS]
        RequestHeader set X-User-Global-ID %{RU}e
        # Remove the realm suffix to get the simple logon name
        RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
    </Location>
</VirtualHost>
codeBeamer trusts whatever arrives in X-User-Global-ID, so port 8080 must only be reachable from the Apache host (bind it to localhost or firewall it). A request sent directly to port 8080 with a forged X-User-Global-ID header would otherwise log in as any user without Kerberos.
Restart Apache server
Go to the Windows Service Manager and restart the Apache2.2 service.
Other Tasks
The following steps are similar to those described in
- Configure codeBeamer to use AD
- Enabling SSO in codeBeamer System Administration
- Enabling Kerberos Authentication in Client
- Open codeBeamer with Kerberos SSO
SSL
To serve codeBeamer over HTTPS, Apache needs a certificate. One can be generated with the OpenSSL that is bundled with Apache:
Start openssl.exe from a command prompt: "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe"
At the OpenSSL prompt, generate a self-signed certificate that is valid for a year:
req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt -config "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"
Provide the organisation information as needed; the Common Name must be the host name clients use in the URL (the ServerName of the virtual host). Because of -nodes the private key is stored unencrypted, so restrict the NTFS permissions on privatekey.key to the Apache service account. A self-signed certificate produces a warning in every browser until it is imported into the clients' trusted root store; in a domain it is usually simpler to request the certificate from the domain CA instead.
- Almost the same configuration as for HTTP, with the SSL directives added in the first lines. mod_ssl has to be loaded for SSLEngine to work. Keep in mind that the browser requests a ticket for HTTP/<host name in the URL>, and the keytab created above only contains HTTP/win7000.winssodom.local: if the server is reached as ap.winssodom.local, that SPN must be registered on the cbssokerb account and added to the keytab as well, otherwise Negotiate fails and the browser falls back to NTLM or a password prompt. As for HTTP, ProxyRequests stays Off so the host is not an open proxy.
Listen 443
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
    ServerName ap.winssodom.local
    SSLEngine on
    # Apache 2.2 enables every protocol version by default; turn off SSLv2 and SSLv3
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile c:\certificate.crt
    SSLCertificateKeyFile c:\privatekey.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /cb http://localhost:8080/cb
    ProxyPassReverse /cb http://localhost:8080/cb
    <Location /cb>
        Order allow,deny
        Allow from all
        AuthType Kerberos
        KrbServiceName HTTP
        AuthName "Domain login"
        KrbAuthRealms WINSSODOM.LOCAL
        Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
        require valid-user
        KrbLocalUserMapping On
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # The directives below put the logon name of the authenticated user into the
        # HTTP header X-User-Global-ID; unsetting it first discards any client-supplied value
        RequestHeader unset X-User-Global-ID
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule /cb.* - [E=RU:%1,L,NS]
        RequestHeader set X-User-Global-ID %{RU}e
        # Remove the realm suffix to get the simple logon name
        RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
    </Location>
</VirtualHost>