
Configure LDAP and SSO for support use

Updated July 10, 2017

Overview

This article is a quick-reference version of the LDAP and SSO configuration procedure. It assumes that you are familiar with the full version in the LEM Administrator/User Guide. The procedure has two parts; LDAP must be configured first, because SSO depends on it.

Environment

LEM 6.3.x and later

Steps

LDAP configuration (LEM 6.3.1) to allow AD users to log in to the LEM GUI Console

  1. Open the vSphere Console or PuTTY and enter viewnetconfig under the appliance menu to obtain the LEM hostname and IP address (this should be a short hostname, not a FQDN).
    Using a FQDN as the hostname will cause issues if you plan to use a CA-issued certificate instead of the default self-signed certificate.
  2. Launch DNS on the DNS server (typically a domain controller) and create a host record for the 'actual' LEM hostname.
  3. On the domain controller, open AD Users & Computers and create an SPN user (service account that LEM uses to reach AD, with a non-expiring password).
  4. On the domain controller, open AD Users & Computers and select the security groups that correspond to each LEM functional role (or create the groups listed below). If you use existing groups, make sure that no user's "primary group" is the group assigned to a LEM role.
    • ROLE_LEM_ADMINISTRATORS - Add users to this group who log in to LEM with admin privileges.
    • ROLE_LEM_REPORTS - Add users to this group when using TLS communications for the Reports application.
    • ROLE_LEM_CONTACTS - Add users to this group for email alerts even when the user does not have a login to the Web GUI Console.
    • ROLE_LEM_AUDITOR - Add users to this group if a user is restricted to read-only access in Rules.
    • ROLE_LEM_ALERTS_ONLY - Add users to this group if a user is restricted to read-only access in the GUI Console.
      Note: LEM 6.3.1 hotfix 2 is required if you are using existing security groups.
  5. Open https://swi-lem:8443/mvc/login and log in using the local 'admin' user account.
  6. Select LDAP configuration and enter the following information:
    • Friendly name for this configuration
    • IP/hostname for DC
    • User name (SPN user) and password of the service account (this is LEM's connection to AD)
    • Port number (test with the non-SSL port 389 first, unless SSL is required and was configured on port 636)
      Note: Fill out any alias used if you have LEM 6.3.1 hotfix 2.
  7. Open https://swi-lem:8443/lem to log in to the GUI Console.
  8. Enter the desired LDAP user account (user@mydomain.com or mydomain.com\user) when prompted.

AD users that were previously added to a group can be added under the GUI Console for rules and emails (under Build > Users).
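The following PowerShell script is an added example, not code from the SolarWinds article. Run it on a domain controller (or any host with the RSAT ActiveDirectory module) before step 5, to check the prerequisites from steps 2 to 4: the DNS host record, the service account's password policy, and the "primary group" condition from step 4. The hostname, DNS zone, and service account name are hypothetical placeholders. The primary-group check matters because AD records a user's primary group only in the user's primaryGroupID attribute, not in the group's member attribute or the user's memberOf, so an LDAP group lookup of the kind LEM performs cannot see that membership.

```powershell
# Added example, not part of the SolarWinds article. Run on a domain controller
# (or a host with RSAT) as an account that can read AD, before LDAP step 5.
# Every name below is a hypothetical placeholder; replace it with your own values.
Import-Module ActiveDirectory

$LemHost    = 'swi-lem'          # short hostname shown by viewnetconfig
$DnsZone    = 'my-domain.com'    # hypothetical DNS zone served by the domain controller
$SvcAccount = 'svc-lem-ldap'     # hypothetical LEM service (SPN) account, sAMAccountName
$RoleGroups = 'ROLE_LEM_ADMINISTRATORS', 'ROLE_LEM_REPORTS', 'ROLE_LEM_CONTACTS',
              'ROLE_LEM_AUDITOR', 'ROLE_LEM_ALERTS_ONLY'

$problems = New-Object System.Collections.Generic.List[string]

# Step 2 check: the host record for the LEM hostname must resolve.
try {
    $rec = Resolve-DnsName -Name "$LemHost.$DnsZone" -Type A -ErrorAction Stop
    Write-Host "DNS  : $LemHost.$DnsZone -> $($rec.IPAddress -join ', ')"
} catch {
    $problems.Add("No A record for $LemHost.$DnsZone (article LDAP step 2).")
}

# Step 3 check: the service account exists and its password does not expire.
# -Filter is used instead of -Identity so that a missing account returns nothing
# instead of throwing.
$svc = Get-ADUser -Filter "sAMAccountName -eq '$SvcAccount'" -Properties PasswordNeverExpires
if (-not $svc) {
    $problems.Add("Service account '$SvcAccount' not found (article LDAP step 3).")
} elseif (-not $svc.PasswordNeverExpires) {
    $problems.Add("'$SvcAccount' has an expiring password; LEM loses its AD bind when it expires.")
}

# Step 4 check: each role group exists, and no user has it as a primary group.
# A user's primary group is stored only in the user's primaryGroupID attribute,
# not in the group's 'member' attribute or the user's 'memberOf', so an LDAP
# group lookup cannot see that membership.
foreach ($g in $RoleGroups) {
    $grp = Get-ADGroup -Filter "sAMAccountName -eq '$g'"
    if (-not $grp) {
        $problems.Add("Group '$g' does not exist (article LDAP step 4).")
        continue
    }
    $members = @(Get-ADGroupMember -Identity $grp -Recursive | Where-Object objectClass -eq 'user')
    Write-Host ("Group: {0,-24} {1} user member(s)" -f $g, $members.Count)

    # primaryGroupID holds the RID, i.e. the last component of the group's SID.
    $rid = $grp.SID.Value.Split('-')[-1]
    foreach ($u in Get-ADUser -LDAPFilter "(primaryGroupID=$rid)") {
        $problems.Add("'$($u.SamAccountName)' has '$g' as primary group; LDAP will not see that membership.")
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'All LDAP prerequisites look good.'
} else {
    Write-Warning ("{0} problem(s) found:`n - {1}" -f $problems.Count, ($problems -join "`n - "))
}
```

Any user reported under the primary-group check should have a different primary group set (Domain Users is the usual default) before you rely on the role group, otherwise that user will appear to be missing from the role when LEM queries LDAP.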

SSO configuration to allow users to log in to the LEM GUI Console without entering their credentials

  1. Use the ktpass command at a command prompt on the DC to create a keytab:
    Note: This command is case sensitive.
    ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\lem.keytab
    FQDN is the LEM hostname with a fully qualified domain name. For example, swi-lem.my-domain.com.
    REALM is your domain in uppercase. For example, MY-DOMAIN.COM.
    SPN_account_password is the password for the user created in the above LDAP configuration.
    mapuser <domain_name>\<user_name> is the service account created in the LDAP configuration above.
  2. Open https://<lem_manager_IP_address>:8443/mvc/login in a browser.
  3. Enter your admin user account and password.
  4. Select SSO Configuration and enter the SPN: HTTP/<fqdn>@<REALM>.
    Note: Configuring SSO will (by default) disable the LEM local users (including the admin user) for security reasons.
  5. Configure the browser:
    Internet Explorer - Under the Security tab, set your Local Intranet sites to automatically detect an intranet network, with no other options. In the Local Intranet Advanced settings, add your LEM FQDN or URL as a website in the Local Intranet zone.
    Google Chrome - Chrome inherits the Internet Explorer settings, so apply the IE settings above.
    Mozilla Firefox - Perform the following actions:
    1. Enter about:config in the address bar.
    2. Enter network.negotiate-auth.trusted-uris in the Filter field.
    3. Double-click network.negotiate-auth.trusted-uris in the list.
    4. Enter the FQDN or URL information that you use for LEM.
  6. Log in to https://swi-lem:8443/lem. You will automatically be logged in if SSO is working.
  7. If it fails, open PuTTY or the vSphere Console and enter the import command to save and import the keytab manually.
  8. Log in to https://swi-lem:8443/mvc/login.
  9. Click SSO Login and select SSO Config Mgmt.
  10. Select SSO only or Credentials & SSO (allows local creds and SSO creds) according to your preference.

These settings can also be configured from the CMC login using the admin command.
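The PowerShell script below is an added example and not part of the SolarWinds article. It wraps the article's ktpass command from SSO step 1 with the checks a practitioner would want around it: a refusal to proceed if the SPN is already registered on another object, an interactive password prompt so the service account password does not end up in the shell history, a file-permission lockdown on the keytab, and a confirmation that the SPN landed on the service account. The FQDN, realm, NetBIOS domain, and account name are hypothetical placeholders; the ktpass switches are the ones the article uses. Run it on the domain controller as a domain administrator.

```powershell
# Added example, not part of the SolarWinds article. Run on the domain controller
# as a domain admin after the LDAP part is working. Placeholder values are
# hypothetical; replace them with your own.
Import-Module ActiveDirectory

$Fqdn       = 'swi-lem.my-domain.com'   # LEM hostname as a fully qualified name
$Realm      = 'MY-DOMAIN.COM'           # the domain in upper case
$NetBios    = 'MY-DOMAIN'               # NetBIOS domain name used in -mapuser
$SvcAccount = 'svc-lem-ldap'            # service account created in the LDAP part
$KeytabPath = 'C:\lem.keytab'
$Spn        = "HTTP/$Fqdn"

# 1. Refuse to continue if the SPN is already held by another object. An SPN must
#    map to exactly one account; with a duplicate, the KDC may encrypt the service
#    ticket with the wrong key and the browser silently falls back to a password
#    prompt, which is hard to diagnose from the LEM side.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
$others  = @($holders | Where-Object { $_.sAMAccountName -ne $SvcAccount })
if ($others.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($others.DistinguishedName -join '; ')"
}

# 2. Read the service-account password interactively so it is not stored in the
#    shell history. Supply the account's existing password, as the article says;
#    any other value leaves the keytab and LEM's LDAP bind out of step.
$secure = Read-Host -AsSecureString -Prompt "Password for $NetBios\$SvcAccount"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 3. The article's ktpass command with its switches unchanged. -crypto ALL writes a
#    key for every encryption type the domain controller supports.
& ktpass -princ "$Spn@$Realm" -pass $plain -mapuser "$NetBios\$SvcAccount" `
         -pType KRB5_NT_PRINCIPAL -crypto ALL -out $KeytabPath
Remove-Variable plain, secure
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $KeytabPath)) {
    throw "ktpass failed (exit code $LASTEXITCODE); no keytab written."
}

# 4. The keytab holds the service account's long-term keys; anyone who can read it
#    can act as the LEM service. Drop inherited ACEs and leave read access to
#    Administrators and SYSTEM only until the file is imported into LEM.
icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:R' 'NT AUTHORITY\SYSTEM:R' | Out-Null

# 5. Confirm that the SPN is now registered on the service account.
$registered = (Get-ADUser -Identity $SvcAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -contains $Spn) {
    Write-Host "OK: $Spn is registered on $SvcAccount. Import $KeytabPath into LEM (SSO step 4 or 7)."
} else {
    Write-Warning "ktpass ran but $Spn is not on $SvcAccount; check the output of 'setspn -L $SvcAccount'."
}
```

After the keytab is imported and the browser zone or trusted-uris setting is in place, a domain-joined client gives a quick verdict: run klist purge, open the LEM URL, then run klist again. A ticket for HTTP/swi-lem.my-domain.com in the list means the client asked for the right SPN and the KDC issued it; no such ticket means the browser never attempted Kerberos (zone or trusted-uris setting) or requested a different SPN than the one in the keytab. Delete the keytab from the domain controller once LEM has imported it.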
 
