Set up single sign-on in SEM

SEM supports Active Directory (AD) single sign-on (SSO). When enabled, SEM does not request a user name and password if the user is already logged in to AD. Instead, AD authenticates the user in the background, and automatically logs the user in to SEM with the appropriate user access rights. User access in the SEM consoles (desktop, web, and the SEM reports application), is based on AD group membership.

Set up Active Directory authentication in SEM

First configure Active Directory (AD) authentication and verify that users can log in to SEM with their AD credentials. For details, see Set up Active Directory authentication in SEM. After verifying that users can log in to SEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass

To configure SEM for Active Directory (AD) SSO, a Kerberos keytab file is required. SEM uses this file to authenticate users with AD and to enforce user account security. The keytab file is exported from AD and imported into SEM, and contains a table of AD user accounts, along with the encrypted hash of each user's password. Ktpass is the Windows Server command-line tool that generates the .keytab file, as well as the shared secret key that SEM uses to securely authenticate users with AD.

Before you run the ktpass command, gather the following information:

  • Fully-qualified domain name (FQDN) of the SEM VM – The FQDN is the complete domain name of the SEM virtual machine on the Internet. It includes the host name (the label assigned to a device on the network), and the name of the domain that hosts the device. For example, if the device name is swi-sem and the company domain is yourcompany.local, the FQDN is swi-sem.yourcompany.local.

  • Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is used to route authentication requests to the AD server that holds user credentials. The realm name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos client configuration, make the realm name identical to your DNS domain name by only using upper-case letters. For example, if YourCompany belongs to the DNS domain name yourcompany.com, the Kerberos realm should be YOURCOMPANY.COM.

  • Service principal name (SPN) – The SPN provides an alias (or pointer) to your domain account. The SPN consists of the service class (http), a forward slash, the FQDN, the @ symbol, and the realm.

    For example, the SPN for a device named swi-sem located at http://www.yourcompany.com would be http/swi-sem.yourcompany.local@YOURCOMPANY.COM where swi-sem.yourcompany.local is the FQDN, and YOURCOMPANY.COM is the realm.

  1. Do the following to obtain the SEM host name and IP address:

    1. Open the SEM CMC command line. See Log in to the SEM CMC command line interface for steps.

    2. At the prompt, enter appliance to access the Appliance menu.

    3. At the prompt, enter viewnetconfig.
    4. When prompted, enter b to select the brief network configuration.
    5. Record the domain name, host name, and the host name's resolved IP address.
    6. Exit the management console.
  2. Create a new user (host) in DNS:
    1. Open DNS manager on your domain controller.
    2. Create an A record entry for SEM on the DNS server using the host name and IP address. Verify that DNS Manager populated the domain field with the correct domain membership.

  3. Open Active Directory Users and Computers.
  4. Create an organizational unit (OU) and name it Keytab.
  5. Select the Keytab OU and create a new user account (or Service Principal Name [SPN]).

    Write down the SPN. You will need it in a later step.

  6. Generate the Kerberos keytab file using the ktpass command:

    1. Log in to the Active Directory server as an administrator.
    2. Open a command prompt as an administrator.
    3. Run the following ktpass command:

      ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\sem.keytab

      If you receive an error when you run the command, replace the -mapuser argument with -mapuser <user_name>.

      The ktpass command takes the following arguments:

      • -princ specifies the service principal name (SPN) in the form HTTP/<fqdn>@<REALM>. You will enter this value in your SEM configuration.
      • -pass is the SPN account password.
      • -mapuser maps the Kerberos principal name (specified in the -princ argument) to the specified domain account.
      • -pType specifies the principal type as Kerberos 5 for Microsoft Windows.
      • -crypto specifies the encryption type. Entering ALL indicates all supported types. This can include Data Encryption Standard (DES), Rivest Cipher 4 (RC4), and Advanced Encryption Standard (AES) encryption types. See "ktpass" on the Microsoft TechNet website for more information about supported crypto types.
      • -out specifies the name and location for the generated Kerberos 5 keytab file.
  7. Navigate to the keytab file location (for example, c:\sem.keytab specified in the -out argument).
  8. To allow SEM access to Active Directory, import the keytab file into SEM.
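Before importing the keytab into SEM, it is worth confirming what ktpass actually wrote, because -crypto ALL can place legacy DES and RC4 keys in the file beside the AES keys. The Python below is an added example, not part of this documentation or of the SEM product: it parses the MIT keytab format that ktpass emits, lists each entry's principal, kvno and encryption type without ever returning key material, and flags non-AES keys under an AES-only policy (an assumption of this example, not a stated SEM requirement). The sample keytab is constructed inline; the SPN, key bytes, kvno and timestamp are placeholder values.

```python
import struct
# Kerberos enctype numbers; DES and RC4 are the legacy types that "-crypto ALL" can emit.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Parse an MIT-format (version 0x0502) keytab; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        rec = data[pos:pos + size]          # one entry (key bytes and optional 32-bit kvno included)
        (ncomp,) = struct.unpack(">H", rec[:2])
        strings, p = [], 2
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack(">H", rec[p:p + 2])
            strings.append(rec[p + 2:p + 2 + n].decode())
            p += 2 + n
        realm, comps = strings[0], strings[1:]
        name_type, ts, kvno, enctype, keylen = struct.unpack(">IIBHH", rec[p:p + 13])
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, "unknown-%d" % enctype)})
        pos += size                         # skips the key material without reading it
    return entries

def check_keytab(data, expected_spn):
    """Return (ok, findings) under an AES-only policy: the SPN needs an AES key and no DES/RC4 keys."""
    mine = [e for e in parse_keytab(data) if e["principal"].lower() == expected_spn.lower()]
    findings = ["non-AES key: " + e["enctype"] for e in mine if not e["enctype"].startswith("aes")]
    if not any(e["enctype"].startswith("aes") for e in mine):
        findings.append("no AES key for %s" % expected_spn)
    return not findings, findings

def make_entry(spn, enctype, key, kvno=3, ts=1700000000):  # constructed test data, not ktpass output
    name, realm = spn.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno, enctype, len(key)) + key   # name_type 1 = KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body)) + body

# Constructed sample of what a "-crypto ALL" keytab can contain: an RC4 key beside an AES-256 key.
SPN = "HTTP/swi-sem.yourcompany.local@YOURCOMPANY.COM"
SAMPLE_KEYTAB = b"\x05\x02" + make_entry(SPN, 23, b"\x11" * 16) + make_entry(SPN, 18, b"\x22" * 32)
```

Run `check_keytab(open("sem.keytab", "rb").read(), "http/<fqdn>@<REALM>")` against the file ktpass produced; the principal comparison is case-insensitive, so the lower-case http/ form used in the SEM console matches the HTTP/ form ktpass writes.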

Configure SSO settings in SEM using the Admin web console

Alternatively, you can use the command line to configure SSO settings in SEM. For details, see Configure SSO settings in SEM using the command-line.

  1. Open a web browser and connect to the SEM Admin user interface using the following URL:

    https://<sem_manager_IP_address>:8443/mvc/login

    If you have not yet activated SEM, or if you reopened port 8080, use the following URL:

    http://<sem_manager_IP_address>:8080/mvc/login

    You can also access the Admin user interface by entering admin at the cmc> prompt.

  2. Enter your user name and password in the login screen.

    The Settings/Authentication page opens.

  3. Click SSO Configuration.

  4. Complete the form:

    1. Enter the SPN in the Service Principle Name (SPN) field. See Generate a keytab file using Ktpass for details.

      For example: http/swi-sem.yourcompany.local@YOURCOMPANY.COM

    2. Click Browse, and then select the keytab file.

  5. Click Save.

    Your keytab file is uploaded to SEM. If you are logged in as a local user, SEM logs you out of the Admin user interface.

SSO is now configured on SEM.

Configure web browser settings for SSO

Follow the appropriate procedure to enable Kerberos authentication for SSO in your web browser.

Internet Explorer

By default, Internet Explorer does not restrict the transmission of login credentials to intranet sites. However, your company may have policies that impose this restriction on intranet sites.

To add the SEM Manager URL to the list of trusted intranet sites:

  1. Open Internet Options.
  2. Under Security, set your Local intranet zone to automatically detect an intranet network, with no other options selected.
  3. In your Local intranet Advanced settings, add your FQDN or URL as a website in the Local Intranet zone.

    For example:

    swi-sem or https://swi-sem

  4. Save your settings and close Internet Options.

Mozilla Firefox

  1. Open Firefox, and then enter about:config in the address bar.
  2. In the Filter field, enter network.negotiate-auth.trusted-uris.
  3. In the list, double-click network.negotiate-auth.trusted-uris.
  4. Enter the fully-qualified domain name (FQDN) or URL that you use for SEM.

    For example: mysemappliance.example.com

    The web browser is now configured for SSO.

Google Chrome and Opera

Add the SEM Manager URL to the list of trusted intranet sites in Internet Explorer, and then install Chrome or Opera on your workstation. Chrome and Opera inherit their settings from Internet Explorer if they were installed after you entered the trusted intranet sites into Internet Explorer.

Configure SEM for either SSO-only authentication, or SSO and local authentication

Complete these steps to configure which credentials users can use to log in to SEM. You can allow users to log in with either local SEM credentials or SSO (LDAP) credentials, or you can restrict users to only SSO (LDAP) credentials.

  1. Log in to the SEM admin user interface. See Log in to the SEM admin user interface for steps.
  2. Click SSO Configuration.

    The SSO Configuration Management screen opens.

  3. To enable the service, click the toggle switch.

  4. Click the Enabled authentications list and choose from the following:

    • Credentials and SSO – Allows users to log in with either local SEM credentials or SSO (LDAP) credentials.
    • SSO only – Restricts users to logging in with SSO (LDAP) credentials only.

  5. Click Save.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.

Configure SSO settings in SEM using the command-line

This option will be deprecated in versions 6.8 and later.

Use these alternate steps if you do not want to use the SEM admin user interface to upload the keytab file. (You do not have to repeat this process if you already uploaded the keytab file to SEM.)

  1. Log in to the CMC command-line interface. See Log in to the SEM CMC command line interface for steps.

  2. At the cmc> prompt, enter import.

  3. Follow the prompts on your screen to complete the import.

    The file is uploaded to the appliance file system.

  4. Return to the management console menu.
  5. At the cmc> prompt, enter admin to access the admin command-line interface.
  6. Enter your user name and password.

  7. Arrow down to LOGIN, and then press Enter.
  8. Arrow down to SSO configuration, and then press Enter.

  9. Arrow down to Add New Configuration, and then press Enter.

    The content on this screen may vary with your SEM implementation.

  10. Enter your SSO configuration settings.

    1. Enter the Service Principle Name (SPN). See Generate a keytab file using Ktpass for details.

      For example: http/swi-sem.yourcompany.local@YOURCOMPANY.COM

    2. Enter the path to your keytab file using the following syntax:

      /var/transfer/storage/<your_keytab_file_name>.keytab

  11. Arrow down to Save, and then press Enter.

    The upload is completed.

  12. Exit the management console.

    SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.