Secure Global Desktop Administration Guide > Users and authentication > Enabling the Active Directory login authority
The Active Directory login authority works by authenticating users against a Key Distribution Center (KDC) for a domain and then generating users' webtops using LDAP searches of an Active Directory server. To enable the Active Directory login authority, you need to:
Once the Active Directory login authority is enabled, users can log in to Secure Global Desktop using their user principal name. They then receive the webtop that has been configured for them using:
To configure Kerberos authentication, follow this process for each Secure Global Desktop server in the array: stop the server with tarantella stop, set up the Kerberos configuration file described below, and then start the server again with tarantella start.
    tarantella stop
    tarantella start
The clocks of the KDC and the Secure Global Desktop server must be synchronized to within the Maximum tolerance for computer clock synchronization defined in the Kerberos security policy and the Default domain security policy on the Windows 2000/2003 server.
The Kerberos configuration file (krb5.conf) specifies which KDC servers Secure Global Desktop authenticates against for a particular domain. You can either keep the file in the /etc directory (on Linux) or the /etc/krb5 directory (on Solaris), or keep it in the /opt/tarantella/bin/jre/lib/security directory.
The configuration file contains several sections which control Kerberos authentication. As a minimum, the file must contain the following sections:
[libdefaults]: sets defaults for Kerberos authentication. You must set default_realm and default_checksum.
[realms]: sets the KDCs for each Kerberos realm. A realm can have more than one KDC. The entry for each KDC has the form hostname:port. The port can be omitted if port 88 (the default) is being used.
[domain_realm]: maps Active Directory domains to Kerberos realms.
For example:
    [libdefaults]
        default_realm = INDIGO-INSURANCE.COM
        default_checksum = rsa-md5
    [realms]
        INDIGO-INSURANCE.COM = {
            kdc = melbourne.indigo-insurance.com
        }
        EAST.INDIGO-INSURANCE.COM = {
            kdc = ad01.east.indigo-insurance.com
            kdc = ad02.east.indigo-insurance.com
        }
        WEST.INDIGO-INSURANCE.COM = {
            kdc = ad01.west.indigo-insurance.com
        }
    [domain_realm]
        indigo-insurance.com = INDIGO-INSURANCE.COM
        .east.indigo-insurance.com = EAST.INDIGO-INSURANCE.COM
        east.indigo-insurance.com = EAST.INDIGO-INSURANCE.COM
        .west.indigo-insurance.com = WEST.INDIGO-INSURANCE.COM
        west.indigo-insurance.com = WEST.INDIGO-INSURANCE.COM
Secure Global Desktop can be configured to prompt a user for a new password if their password has expired. To be able to do this, the libkrb5.so library must be installed on the Secure Global Desktop host, and the Kerberos configuration file must be edited as described next. The libkrb5.so library is usually available on Linux systems. On Solaris, you may have to install it.
On each member of the array, edit the Kerberos configuration file and for each realm add:
a kpasswd_server = hostname:port line and/or an admin_server = hostname:port line. If kpasswd_server is omitted, the admin_server is used instead. The port can be omitted if port 464 (the default) is being used.
a kpasswd_protocol = protocol line. This sets the protocol used when contacting the admin_server or kpasswd_server. For Active Directory, this must be SET_CHANGE.
For example:
    EAST.INDIGO-INSURANCE.COM = {
        kdc = ad01.east.indigo-insurance.com
        kdc = ad02.east.indigo-insurance.com
        admin_server = ad01.east.indigo-insurance.com
        kpasswd_protocol = SET_CHANGE
    }
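As an added example (not from the guide or the Secure Global Desktop product), a small Python linter that parses a krb5.conf in the layout shown above and flags the mistakes this section warns about: a missing default_realm or default_checksum, a realm with no kdc line, a realm set up for password changes without kpasswd_protocol = SET_CHANGE, and a [domain_realm] entry that points at a realm with no [realms] block. The sample configuration is constructed from the page's example with two such mistakes introduced (EAST lacks the kpasswd_protocol line and .west maps to an undefined realm).

```python
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = INDIGO-INSURANCE.COM
    default_checksum = rsa-md5
[realms]
    INDIGO-INSURANCE.COM = {
        kdc = melbourne.indigo-insurance.com
    }
    EAST.INDIGO-INSURANCE.COM = {
        kdc = ad01.east.indigo-insurance.com
        admin_server = ad01.east.indigo-insurance.com
    }
[domain_realm]
    .east.indigo-insurance.com = EAST.INDIGO-INSURANCE.COM
    .west.indigo-insurance.com = WEST.INDIGO-INSURANCE.COM
"""

def parse_krb5_conf(text):
    # Returns {section: {key: [values]}}; a realm block becomes a nested dict.
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line: continue
        if line.startswith('['):                       # [libdefaults], [realms], ...
            section, realm = line.strip('[]'), None
            conf[section] = {}
        elif line == '}': realm = None                 # end of a realm block
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                           # REALM = {
                realm, conf[section][key] = key, {}
            else:
                target = conf[section][realm] if realm else conf[section]
                target.setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    # Flags the mistakes the page warns about; returns a list of messages.
    problems, defaults, realms = [], conf.get('libdefaults', {}), conf.get('realms', {})
    problems += [f'[libdefaults] is missing {k}' for k in ('default_realm', 'default_checksum') if k not in defaults]
    for name, s in realms.items():
        if not s.get('kdc'):
            problems.append(f'realm {name} has no kdc line')
        if ('kpasswd_server' in s or 'admin_server' in s) and s.get('kpasswd_protocol') != ['SET_CHANGE']:
            problems.append(f'realm {name} needs kpasswd_protocol = SET_CHANGE for Active Directory')
    for domain, (target, *_) in conf.get('domain_realm', {}).items():
        if target not in realms:
            problems.append(f'{domain} maps to undefined realm {target}')
    return problems
```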
When sending messages to the KDC or the Kerberos administration server, Secure Global Desktop uses either the UDP or TCP protocol. The protocol used is determined by the udp_preference_limit line in the [libdefaults] section of the Kerberos configuration file. This line sets the maximum size (in bytes) for packets that can be sent using UDP. If the message is larger than this size, TCP is used. If the KDC or administration server indicates that the packet is too big, TCP is used instead. To always use TCP, use udp_preference_limit = 1.
You can configure a KDC timeout in the event of a failure in the authentication process. The KDC timeout controls how long Secure Global Desktop waits for a reply from a KDC and how many times it tries to contact each KDC.
To set the KDC timeout, add the following lines to the [libdefaults] section of the Kerberos configuration file:
    kdc_timeout = time
    max_retries = number
The kdc_timeout sets the maximum number of milliseconds to wait for a reply from a KDC. The max_retries is the maximum number of times each KDC is tried. The KDCs for each realm are tried in the order they are listed in the [realms] section of the Kerberos configuration file.
If Secure Global Desktop can't contact any KDCs for the user's realm, the authentication phase will fail.
The login authority is also configured with the URL of the Active Directory server, for example ad://east.indigo-insurance.com (the URL begins with ad://), and the name of the user that Secure Global Desktop uses for its LDAP searches, for example tarantella-ldap@indigo-insurance.com.
You can configure two LDAP timeouts in the event that the LDAP searches of an Active Directory server fail.
The LDAP discovery timeout controls how long Secure Global Desktop waits for an Active Directory server to respond to the initial contact request. The default is 30 seconds. To change this timeout, run the following command:
tarantella config edit --tarantella-config-ldap-discovery-timeout secs
The LDAP timeout controls how long Secure Global Desktop waits for an Active Directory server to respond to LDAP operations, such as requests for data. The default is 30 seconds. To change this timeout, run the following command:
tarantella config edit --tarantella-config-ldap-timeout secs
With both timeouts, Secure Global Desktop makes two attempts to contact the Active Directory server. If there is no response, Secure Global Desktop tries another Active Directory server. The list of Active Directory servers for a domain is obtained from the Global Catalog. If all Active Directory servers time out, webtop content can't be generated.
Secure Global Desktop caches the LDAP data it collects from Active Directory. If you find that Secure Global Desktop is not detecting changes, you can manually flush the cached data with the tarantella cache command.
Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.