
Configure DPA for Single Sign-On (SSO)

Overview

This article describes how to set up DPA for Single Sign-On (SSO) using Kerberos and Active Directory. Once SSO is configured, users who are already logged in to their operating system with domain credentials do not need to re-enter those credentials when they log in to DPA.

Environment

All DPA versions

Prerequisite

Set up DPA for use with Active Directory. For instructions on how to do this, see this article.

Steps

 

Note: The values entered in these steps are case-sensitive. Also pay attention to whether each path uses backslashes or forward slashes; both appear in these steps.

 

Set up a Kerberos configuration file:
A Kerberos configuration file is required on the DPA server. First, check if this file exists. The following are standard locations and filenames:

  • Solaris: /etc/krb5/krb5.conf
  • Windows: C:\Windows\krb5.ini
  • Linux: /etc/krb5.conf

 

If you do not have a Kerberos configuration file on the DPA server, you must create one. Below is an example that you can use as a template. If you use the template, replace the values surrounded by braces, such as {REALM NAME}, {ActiveDirectoryServerName.domain.com}, and {domain.com}, with the values for your environment.

 

To determine the Realm Name, run the following command on your Active Directory server:

ksetup

 

Note: The Realm Name must be specified in uppercase. A typical value for REALM.NAME is your company's domain, such as YOURCOMPANY.COM.

 

 

# Set defaults
[libdefaults]
    default_realm = {REALM NAME}
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true

# Define where to find the Kerberos server (KDC) for a particular realm
[realms]
    {REALM NAME} = {
        kdc = {ActiveDirectoryServerName.domain.com}
        default_domain = {domain.com}
    }

# Map subdomains and domain names to Kerberos realm names.
# Individual host names may be specified. Domain suffixes may be
# specified with a leading period and will apply to all host
# names ending in that suffix.
[domain_realm]
    {domain.com} = {REALM NAME}
    {.domain.com} = {REALM NAME}

# Optional logging; uncomment a line to enable it
[logging]
#    kdc = CONSOLE
#    kdc = SYSLOG:INFO
#    admin_server = FILE:/var/kadm5.log

 

Create a Service Principal Name (SPN):

Ask your Active Directory administrator to create a service principal name (SPN) account in Active Directory. An SPN account is similar to a regular domain user account, but the password should be set to Never Expire, and the user is not required to change the password on the next login.

 

If you have multiple DPA servers that you want to configure to use Active Directory with single sign-on, you can use the same Active Directory user account and register the SPNs for every DPA server on that one account.

 

Register the Service Principal Name (SPN)

You must register the SPN account that you created in the previous step for all the possible names of the DPA server, such as hostname and hostname.domain.com.

 

On your Active Directory server, open a command prompt, and run the following commands:

## check which switch your version of setspn uses to add an SPN (for example -S or -A)
setspn -?

## register the SPN for all possible names for the DPA server (your list may include more names)
setspn -{add option} HTTP/{DPA Server Name} {SPN Account}
setspn -{add option} HTTP/{DPA Server Name}.{Fully Qualified Domain Name} {SPN Account}

 

To verify that you entered the correct parameters, run the following command:

 

setspn -L {SPN Account}

 

The expected output is:

 

HTTP/{DPA Server Name}
HTTP/{DPA Server Name}.{Fully Qualified Domain Name}

 

For more information, see http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx

 

Build the ignite.keytab file

Generate the keytab file that the DPA server will use to authenticate itself to the domain controller. This file contains the secret key of the SPN account and should be protected accordingly: restrict read access to the account that runs DPA. To generate the file, run the following command from your Active Directory server, all on a single line:

ktpass /out .\ignite.keytab /mapuser {SPN Account}@{Fully Qualified Domain Name} /princ HTTP/{DPA Server Name}.{Fully Qualified Domain Name}@{REALM NAME} /pass {SPN Account Password} /ptype KRB5_NT_PRINCIPAL /crypto {encryption type}

 

Note: The value for the /princ parameter is case-sensitive.

 

{encryption type} can be one of the following:

  • Windows Server 2003: RC4-HMAC-NT
  • Windows Server 2008: ALL, RC4-HMAC-NT, or AES128-SHA1

If you use AES128-SHA1 encryption, be sure that the "This account supports AES 128 bit encryption" option is selected on the user account.
By default, the JCE policy files bundled with the Java JRE limit the maximum key length to 128 bits. To use AES256 encryption, you must install the JCE Unlimited Strength Jurisdiction Policy Files on the DPA server.

 

Move the keytab file to the DPA server. Do not put the file inside the DPA installation directory; keeping it elsewhere means the configured path does not need to change if you later move the DPA installation. If your server already has a keytab file, you may want to merge the ignite.keytab file with the existing one. On UNIX, keytab files are typically stored in /etc/krb5.keytab.

 

For more information, see http://technet.microsoft.com/en-us/library/cc753771%28v=ws.10%29.aspx

 

The system.properties file

On the DPA server, open the system.properties file in the following location:

{DPA Install Dir}\iwc\tomcat\ignite_config\idc\system.properties   (for Windows)  
or
{DPA Install Dir}/iwc/tomcat/ignite_config/idc/system.properties   (for UNIX or Linux)

 

Add the following single sign-on properties, and replace the entries in braces with the appropriate values:

#################################
# Single sign-on
#################################
## Enable/Disable single sign-on
com.confio.security.ldap.isSsoEnabled=true

## Location of the Kerberos config file (specify the full file location).
com.confio.ws.ldap.sso.krbConfLocation={Kerberos Config File Path}/{Kerberos Config File Name}

## The DPA application "service principal"
## Make sure the servicePrincipal value matches what was used in the key table for the /princ value
com.confio.ws.ldap.sso.servicePrincipal=HTTP/{DPA Server Name}.{Fully Qualified Domain Name}@{REALM NAME}

## Location of the Kerberos key table (specify the full file location).
com.confio.ws.ldap.sso.keyTablLocation={Keytab File Path}/ignite.keytab

 

Note: Use / as your path separator, instead of \.
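The comment above warns that servicePrincipal must match the keytab's /princ value exactly, and the note says paths must use forward slashes. The following Python checker is an added example (not part of this article or of DPA) that reads a keytab in the MIT format together with the SSO properties and reports a servicePrincipal that is missing from the keytab, a lowercase realm, or a backslash path before you restart DPA. The keytab and properties it checks are constructed in the code; dpa01.example.com and EXAMPLE.COM are assumed names.

```python
import struct

def build_keytab(principal, key, enctype=23, kvno=1):
    """Build a one-entry MIT keytab (format 0x0502, big-endian) for testing; enctype 23 = rc4-hmac."""
    cos = lambda b: struct.pack(">H", len(b)) + b           # Kerberos counted_octet_string
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + cos(realm.encode())
    body += b"".join(cos(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIB", 1, 0, kvno)                  # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + cos(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def keytab_principals(data):
    """List the principals stored in an MIT keytab; an entry with a negative size is a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:
            continue
        (ncomp,) = struct.unpack(">H", entry[:2])
        parts, off = [], 2
        for _ in range(ncomp + 1):                           # realm first, then the name components
            (n,) = struct.unpack(">H", entry[off:off + 2])
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
    return names

def parse_properties(text):  # minimal Java .properties reader: key=value lines, '#' comments skipped
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip() and not k.startswith("#")}

def check_sso(props, keytab):
    """Return the problems found in the SSO settings; an empty list means they agree with the keytab."""
    problems = [k + ": use / as the path separator, not \\" for k, v in props.items() if "\\" in v]
    spn = props.get("com.confio.ws.ldap.sso.servicePrincipal", "")
    name, _, realm = spn.rpartition("@")
    if not name.startswith("HTTP/") or "." not in name or realm != realm.upper():
        problems.append("servicePrincipal must be HTTP/host.fqdn@REALM with the realm in uppercase")
    if spn not in keytab_principals(keytab):
        problems.append("no keytab entry matches servicePrincipal (the value is case-sensitive)")
    return problems

# Constructed sample input: a keytab for the correct principal, and properties with a lowercase realm
SAMPLE_KEYTAB = build_keytab("HTTP/dpa01.example.com@EXAMPLE.COM", b"\x00" * 16)
SAMPLE_PROPS = parse_properties("com.confio.ws.ldap.sso.krbConfLocation=C:\\Windows\\krb5.ini\n"
                                "com.confio.ws.ldap.sso.servicePrincipal=HTTP/dpa01.example.com@example.com\n")
```

Run check_sso on the real system.properties and ignite.keytab (read the keytab with open(path, "rb")) and fix every reported problem before restarting DPA.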

 

Restart DPA

On the DPA server, do the following:

  • Windows: Restart the Windows Ignite PI Server service.
  • UNIX or Linux: Stop DPA using the shutdown.sh script, and then start DPA using the startup.sh script.

Test single sign-on

Note: SSO will not work from a browser running on the DPA server.

 

On your client machine, do the following:

  1. In a browser, enter the DPA URL: http://{DPA Server or IP}:8123
  2. If the configuration changes were done properly, the DPA login page should show a check box enabling single sign-on. Select this check box, and click Login. 
    • If you get a Request failed. Try again message, your browser may need to be configured to permit the transmission of your login credentials. See the section below on browser configuration for SSO.
  3. To see the user that DPA used, which should be your domain user, hover your mouse over the Logoff link in the upper-right corner of the DPA interface.

 

Browser configuration for SSO

Firefox

  1. Open Firefox and enter about:config in the address bar.
  2. Enter network.negotiate-auth.trusted-uris in the Filter field.
  3. Double-click the entry in the list.
  4. Enter the URL formats that you use for DPA. If you use multiple formats, specify each in a comma-separated list. For example:

http://{DPA server}:8123,http://{DPA server IP address}:8123

 

Chrome

  1. Load the Chrome Settings.
  2. Click Show advanced settings at the bottom of the page.
  3. Under Network, click Change proxy settings.
  4. Click the Security tab, click Local intranet, and then click Sites.
  5. Click Advanced, and enter the DPA URL in the Add this website to the zone field.
  6. Click Add.
  7. Click Close, OK, and then OK.
  8. Log in to DPA using single sign-on.

 

Internet Explorer

By default, Internet Explorer does not restrict the transmission of login credentials for intranet sites. Intranet sites are URLs that do not contain a period in the name. However, your company may have policies that have this restriction on intranet sites.

 

To add the DPA URL to the list of trusted intranet sites:

  1. Open Internet Explorer, and enter the DPA URL in the address bar.
  2. Click Tools > Internet Options.
  3. Click the Security tab, click Local intranet, and then click Sites.
  4. Click Advanced. The DPA URL should be in the Add this website field.  If not, enter it.
  5. Click Add.
  6. Click Close, OK, and then OK.
  7. Log in to DPA using single sign-on.

 

SSO with Linux

If you are running DPA on a UNIX or Linux server, single sign-on only works with a Sun/Oracle JRE.

 

Troubleshooting

If you see the message Request failed. Try again when using single sign-on, it could be one of two problems.

  • You have not configured your browser correctly. See the Browser Configuration for SSO section for more information.
  • In Active Directory environments with a large number of group memberships, Active Directory may return an authorization token that is larger than the default maximum HTTP header size for Tomcat. The server then returns "400 Bad Request" and DPA reports the error above. To fix this problem, edit the Tomcat server.xml file, add or change the maxHttpHeaderSize attribute, and then restart DPA. The server.xml file is located here:
    {DPA Install Dir}\iwc\tomcat\conf\server.xml   (for Windows)
    or
    {DPA Install Dir}/iwc/tomcat/conf/server.xml   (for UNIX or Linux)

    Look for the Connector element for port 8123 and add the maxHttpHeaderSize="20480" attribute to it, keeping the element's other attributes as they are. The example below sets maxHttpHeaderSize to 20 KB; depending on your environment, this value may or may not suffice.

    <Connector port="8123" maxHttpHeaderSize="20480" URIEncoding="UTF-8" ... />

Last modified
19:07, 22 Jun 2016
