Documentation for Security Event Manager

Set up single sign-on in SEM

SEM supports Active Directory (AD) single sign-on (SSO). When enabled, SEM does not request a user name and password if the user is already logged in to AD. Instead, AD authenticates the user in the background and automatically logs the user in to SEM with the appropriate user access rights. User access on the SEM consoles (the web console and the SEM reports application) is based on AD group membership.

Enable Kerberos AES-based encryption

In SEM 2022.2, the weak, deprecated 3DES and RC4 Kerberos encryption types have been disabled by default. These have been replaced with AES-based encryption.

After upgrading to SEM 2022.2, users who were using 3DES or RC4 encryption will be unable to log into SEM using the SSO login.

There are two options to enable Kerberos AES encryption:

For the whole Active Directory:

  1. Open the Group Policy Management Console, locate the relevant domain and select Default Domain Policy.
  2. Right-click Default Domain Policy and select Edit.
  3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  4. Open Network security: Configure encryption types allowed for Kerberos:
    • Enable Define these policy settings.
    • Enable AES128_HMAC_SHA1.
    • Enable AES256_HMAC_SHA1.

For a single user in the Active Directory:

  1. Locate the user account in Active Directory Users and Computers.
  2. Select Properties.
  3. Select the Account tab.
  4. In the section titled Account Options, ensure one or both of the following options are selected:
    • This account supports Kerberos AES 128 bit encryption.
    • This account supports Kerberos AES 256 bit encryption.

Set up Active Directory authentication in SEM

First configure Active Directory (AD) authentication and verify that users can log in to SEM with their AD credentials. For details, see Set up Active Directory authentication in SEM. After verifying that users can log in to SEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass

To configure SEM for Active Directory (AD) SSO, a Kerberos keytab file is required. SEM uses this file to authenticate users with AD and to enforce user account security. The keytab file is exported from AD and imported into SEM, and contains a table of AD user accounts, along with the encrypted hash of each user's password. ktpass is the Windows Server command-line tool that generates the .keytab file, as well as the shared secret key that SEM uses to securely authenticate users with AD.

See the Microsoft Technical Documentation article, ktpass, for further information about the ktpass command and ktpass arguments.

Before you run the ktpass command, gather the following information:

  • Fully-qualified domain name (FQDN) of the SEM VM – The FQDN is the complete domain name of the SEM virtual machine on the Internet. It includes the host name (the label assigned to a device on the network), and the name of the domain that hosts the device. For example, if the device name is swi-sem and the company domain is yourcompany.local, the FQDN is swi-sem.yourcompany.local.

  • Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is used to route authentication requests to the AD server that holds user credentials. The realm name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos client configuration, make the realm name identical to your DNS domain name by only using upper-case letters. For example, if YourCompany belongs to the DNS domain name yourcompany.com, the Kerberos realm should be YOURCOMPANY.COM.

  • Service principal name (SPN) – The SPN provides an alias (or pointer) to your domain account. The SPN consists of the FQDN, followed by the @ symbol, followed by the realm.

    For example, the SPN for a device named swi-sem located at http://www.yourcompany.com would be http/swi-sem.yourcompany.local@YOURCOMPANY.COM where swi-sem.yourcompany.local is the FQDN, and YOURCOMPANY.COM is the realm.

  1. Do the following to obtain the SEM host name and IP address:

    1. Open the SEM CMC command line. See Log in to the SEM CMC command line interface for steps.

    2. At the prompt, enter appliance to access the Appliance menu.

    3. At the prompt, enter viewnetconfig.
    4. When prompted, enter b to select the brief network configuration.
    5. Record the domain name, host name, and the host name's resolved IP address.
    6. Exit the management console.
  2. Create a new host (A) record for SEM in DNS:
    1. Open DNS manager on your domain controller.
    2. Create an A record entry for SEM on the DNS server using the host name and IP address. Verify that DNS Manager populated the domain field with the correct domain membership.

  3. Open Active Directory Users and Computers.
  4. Create an organizational unit (OU) and name it Keytab.
  5. Select the Keytab OU and create a new user account (or Service Principal Name [SPN]).

    Write down the SPN. You will need it in a later step.

  6. Generate the Kerberos keytab file using the ktpass command:

    1. Log in to the Active Directory server as an administrator.
    2. Open a command prompt as an administrator.
    3. Run the following ktpass command:

      ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\sem.keytab

      If you receive an error when you run the command, replace the -mapuser argument with -mapuser <user_name>.

      The ktpass command takes the following arguments:

      • -princ specifies the service principal name (SPN) in the form HTTP/<fqdn>@<REALM>. You will use this value in your SEM configuration.
      • -pass is the SPN account password.
      • -mapuser maps the Kerberos principal name (specified in the -princ argument) to the specified domain account.
      • -pType specifies the principal type as Kerberos 5 for Microsoft Windows.
      • -crypto specifies the encryption type. Entering ALL indicates all supported types.
      • -out specifies the name and location for the generated Kerberos 5 keytab file.
  7. Navigate to the keytab file location (for example, c:\sem.keytab specified in the -out argument).
  8. To allow SEM access to Active Directory, import the keytab file into SEM.
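Before importing the keytab into SEM, it is worth confirming which encryption types it actually contains: -crypto ALL writes every type ktpass supports, RC4 and DES included, and SEM 2022.2 and later rejects those. The parser below is an added example, not part of the SEM documentation or product; it reads the version-0x0502 keytab format that ktpass writes, and the two keytabs it checks are constructed in the script with dummy key bytes (the SPN is this page's example value; the principal comparison is exact, so use the same case as in the -princ argument).

```python
import struct

WEAK_ENCTYPES = {1, 3, 16, 23}   # des-cbc-crc, des-cbc-md5, des3-cbc-sha1, rc4-hmac
AES_ENCTYPES = {17, 18}          # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

def _octets(buf, off):           # uint16-length-prefixed byte string -> (bytes, new offset)
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-0x0502 keytab into dicts with principal, kvno, enctype, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            off -= size
            continue
        end, ncomp = off + size, struct.unpack_from(">H", data, off)[0]
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):       # v2 keytabs: the realm is not counted in ncomp
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        _nt, _stamp, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + keylen
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": keylen})
        off = end
    return entries

def keytab_ok_for_sem(data, spn):
    """True only if `spn` has an AES key and no DES/3DES/RC4 key in the keytab."""
    etypes = {e["enctype"] for e in parse_keytab(data) if e["principal"] == spn}
    return bool(etypes & AES_ENCTYPES) and not etypes & WEAK_ENCTYPES

def _entry(spn, enctype, key, kvno=3):   # one keytab entry from constructed sample data
    name, realm = spn.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # name type 1 = NT_PRINCIPAL
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/swi-sem.yourcompany.local@YOURCOMPANY.COM"
KEYTAB_ALL = b"\x05\x02" + _entry(SPN, 23, b"\x11" * 16) + _entry(SPN, 18, b"\x22" * 32)
KEYTAB_AES = b"\x05\x02" + _entry(SPN, 17, b"\x33" * 16) + _entry(SPN, 18, b"\x22" * 32)
```

KEYTAB_ALL stands in for a -crypto ALL export that still carries an RC4 key and fails the check; KEYTAB_AES passes. To check a real file, pass open("c:\\sem.keytab", "rb").read() to keytab_ok_for_sem.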

Configure SSO settings

SEM 2021.2 and later simplifies and improves Single Sign-On (SSO) configuration, moving these to the Authentication section of Settings.

SEM uses HTTP/2 protocols and rejects HTTP/1 requests. However, if you use Single Sign-On, HTTP/1 has to be enabled as SSO uses Kerberos/NTLM authentication which does not support HTTP/2. If SSO is subsequently disabled, HTTP/1 is also disabled.

  1. To view the Authentication section, click and select Authentication.
  2. Select the SSO Configuration tab.

    Existing SSO Configurations are listed. These can be temporarily deactivated using the green toggle switches.

To add a new SSO login:

  1. Click Create Configuration to display the Create SSO Configuration window.

  2. Enter the Service Principal Name (SPN). For example: http/sem.yourcompany.local@YOURCOMPANY.COM
  3. Click Browse, and then select the keytab file.

    See Generate a keytab file using Ktpass for further information.

  4. Click Save.

    Your keytab file is uploaded to SEM. If you are logged in as a local user, SEM logs you out of the Admin user interface.

    This SSO is now configured on SEM.

Edit or delete an SSO

To edit or delete an SSO, click the vertical ellipsis icon after the SSO name and click Edit or Delete.

Configure browser settings for SSO

By default, most browsers do not restrict the transmission of login credentials for intranet sites. However, your company may have policies that have this restriction on intranet sites.

Google Chrome, Microsoft Edge, and Opera

  1. Click Search and enter Internet Options.

    The Internet Properties window is displayed.

  2. Click the Advanced tab and scroll down to the Security section.
  3. Check that Enable Integrated Windows Authentication is enabled. If not, check the box.
  4. Click the Security tab and select Local Intranet.
  5. Click Custom Level.
  6. Scroll down to the User Authentication section at the very end of the list of options.
  7. Check that Automatic logon only in Intranet zone is enabled. If not, check the box.
  8. Still on the Security tab, click Sites.
  9. Check that all boxes are checked, then click Advanced.
  10. Add your FQDN or URL as a website in the Local Intranet zone.

    For example:

    https://swi-sem.yourcompany.local

    The FQDN must be added to the list of trusted sites.

  11. Save your settings and close Internet Options.
  12. To test your settings, close all browser windows (clear cache, if needed), and then open the SEM FQDN to confirm it is working.

Mozilla Firefox

  1. Open Firefox, and then enter about:config in the address bar.
  2. In the Filter field, enter network.negotiate-auth.trusted-uris.
  3. In the list, double-click network.negotiate-auth.trusted-uris.
  4. Enter the fully-qualified domain name (FQDN) or URL that you use for SEM.

    For example: mysemappliance.example.com

    The web browser is now configured for SSO.

Configure SEM for either SSO-only authentication, or SSO and local authentication

Complete these steps to configure which credentials users can use to log in to SEM. You can allow users to log in with either local SEM credentials or SSO (LDAP) credentials, or you can restrict users to only SSO (LDAP) credentials.

  1. Select the Login Options tab.

  2. Use the toggle switches to select the login options to be used.
  3. Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.

Configure SSO settings in SEM using the command-line

This option is deprecated in versions 6.8 and later.

Use these alternate steps if you do not want to use the SEM admin user interface to upload the keytab file. (You do not have to repeat this process if you already uploaded the keytab file to SEM.)

  1. Log in to the CMC command-line interface. See Log in to the CMC command line interface for steps.

  2. At the cmc> prompt, enter import.

  3. Follow the prompts on your screen to complete the import.

    The file is uploaded to the appliance file system.

  4. Return to the management console menu.
  5. At the cmc> prompt, enter admin to access the admin command-line interface.
  6. Enter your user name and password.

  7. Arrow down to LOGIN, and then press Enter.
  8. Arrow down to SSO configuration, and then press Enter.

  9. Arrow down to Add New Configuration, and then press Enter.

    The content on this screen may vary with your SEM implementation.

  10. Enter your SSO configuration settings.

    1. Enter the Service Principal Name (SPN). See Generate a keytab file using Ktpass for details.

      For example: http/swi-sem.yourcompany.local@YOURCOMPANY.COM

    2. Enter the path to your keytab file using the following syntax:

      /var/transfer/storage/<your_keytab_file_name>.keytab

  11. Arrow down to Save, and then press Enter.

    The upload is completed.

  12. Exit the management console.

    SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.