
Set up single sign-on (SSO) in LEM

Updated: September 15, 2017

LEM supports Active Directory single sign-on (SSO). When enabled, LEM does not request a user name and password if the user is already logged in to Active Directory (AD). Instead, AD authenticates the user in the background and automatically logs the user in to LEM with the appropriate user access rights. User access in the LEM consoles (desktop, web, and the LEM reports application) is based on AD group membership.

Set up Active Directory authentication in LEM

First configure Active Directory authentication and verify that users can log in to LEM with their AD credentials. For details, see Set up Active Directory authentication in LEM. After verifying that users can log in to LEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass

To configure LEM for Active Directory SSO, a Kerberos keytab file is required. LEM uses this file to authenticate users with Active Directory and to enforce user account security. The keytab file is exported from Active Directory and imported into LEM, and contains a table of Active Directory user accounts, along with the encrypted hash of each user's password. Ktpass is the Windows Server command-line tool that generates the .keytab file, as well as the shared secret key that LEM uses to securely authenticate users with Active Directory.

Before you run the ktpass command, gather the following information:

  • Fully-qualified domain name (FQDN) of the LEM VM – The FQDN is the complete domain name of the LEM virtual machine on the Internet. It includes the host name (the label assigned to a device on the network), and the name of the domain that hosts the device. For example, if the device name is swi-lem and the company domain is yourcompany.local, the FQDN is swi-lem.yourcompany.local.

  • Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is used to route authentication requests to the Active Directory server that holds user credentials. The realm name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos client configuration, make the realm name identical to your DNS domain name by only using upper-case letters. For example, if YourCompany belongs to the DNS domain name, the Kerberos realm should be YOURCOMPANY.COM.

  • Service principal name (SPN) – The SPN provides an alias (or pointer) to your domain account. The SPN consists of the FQDN, followed by the @ symbol, followed by the realm.

    For example, the SPN for a device named swi-lem located at would be http/swi-lem.yourcompany.local@YOURCOMPANY.COM where swi-lem.yourcompany.local is the FQDN, and YOURCOMPANY.COM is the realm.

  1. Do the following to obtain the LEM host name and IP address:

    1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

    2. At the prompt, enter appliance to access the Appliance menu.


    3. At the prompt, enter viewnetconfig.
    4. When prompted, enter b to select the brief network configuration.
    5. Record the domain name, host name, and the host name's resolved IP address.
    6. Exit the management console.
  2. Create a new user (host) in DNS:
    1. Open DNS manager on your domain controller.
    2. Create an A record entry for LEM on the DNS server using the host name and IP address. Verify that DNS Manager populated the domain field with the correct domain membership.

  3. Open Active Directory Users and Computers.
  4. Create an organizational unit (OU) and name it Keytab.
  5. Select the Keytab OU and create a new user account (or Service Principal Name [SPN]).

    Write down the SPN. You will need it in a later step.

  6. Generate the Kerberos keytab file using the ktpass command:

    1. Log in to the Active Directory server as an administrator.
    2. Open a command prompt as an administrator.
    3. Run the following ktpass command:

      ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\lem.keytab

      If you receive an error when you run the command, replace the -mapuser argument with -mapuser <user_name>.

      The ktpass command takes the following arguments:

      • -princ specifies the service principal name (SPN) in the form HTTP/<fqdn>@<REALM>. You will use this path in your LEM configuration.
      • -pass is the SPN account password.
      • -mapuser maps the Kerberos principal name (specified in the -princ argument) to the specified domain account.
      • -pType specifies the principal type as Kerberos 5 for Microsoft Windows.
      • -crypto specifies the encryption type. Entering ALL indicates all supported types. This can include Data Encryption Standard (DES), Rivest Cipher 4 (RC4), and Advanced Encryption Standard (AES) encryption types. See "ktpass" on the Microsoft TechNet website for more information about supported crypto types.
      • -out specifies the name and location for the generated Kerberos 5 keytab file.
  7. Navigate to the keytab file location (for example, c:\lem.keytab specified in the -out argument).
  8. Import the keytab file into LEM to allow LEM access to Active Directory.
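
A check worth running on the generated file before the import in step 8: -crypto ALL can write DES and RC4 keys next to the AES ones. The following is an added example, not part of the SolarWinds documentation; it parses a keytab, assuming the file uses keytab format version 0x0502, and flags DES and RC4 entries. The sample bytes, the key version number 3 and the helper names are constructed for illustration.

```python
import struct

# Kerberos enctype numbers; DES and RC4 are the deprecated ones -crypto ALL can add.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def parse_keytab(data):
    """Return [(principal, kvno, enctype, is_weak)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # non-positive length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno = data[p + 8]                 # after 4-byte name type and 4-byte timestamp
        etype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen                   # step over the key bytes without keeping them
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        name = "/".join(parts[1:]) + "@" + parts[0]
        out.append((name, kvno, ENCTYPES.get(etype, f"etype-{etype}"), etype in WEAK))
        pos = end
    return out

def make_entry(realm, comps, kvno, etype, key):
    # Build one constructed entry: counted strings, name type 1, timestamp 0, key block.
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the page's example SPN, one dummy all-zero key per enctype.
SPN = (b"YOURCOMPANY.COM", [b"HTTP", b"swi-lem.yourcompany.local"])
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(*SPN, 3, et, bytes(n)) for et, n in [(1, 8), (3, 8), (23, 16), (17, 16), (18, 32)])

for name, kvno, etype, weak in parse_keytab(SAMPLE):
    print(f"{name} kvno={kvno} {etype}{'  <- weak' if weak else ''}")
```

To check a real file, pass its contents instead of the sample, for example parse_keytab(open(path, "rb").read()). The keys in a keytab are usable as they stand, so the file needs the same handling as the SPN account password.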

Configure SSO settings in LEM using the Admin web console

You can also use the command line to configure SSO settings in LEM. For details, see Configure SSO settings in LEM using the command-line.

  1. Open a web browser and connect to the LEM Admin user interface using the following URL:


    If you have not yet activated LEM, or if you reopened port 8080, use the following URL:


    You can also access the Admin user interface by entering admin at the cmc> prompt.

  2. Enter your name and password in the login screen.

    The Settings / Authentication page opens.

  3. Click SSO Configuration.


  4. Complete the form:


    1. Enter the SPN in the Service Principle Name (SPN) field. See Generate a keytab file using Ktpass for details.

      For example: http/swi-lem.yourcompany.local@YOURCOMPANY.COM

    2. Click Browse and select the keytab file.

  5. Click Save.

    Your keytab file is uploaded to LEM. If you are logged in as a local user, LEM logs you out of the Admin user interface.

SSO is now configured on LEM.

Configure web browser settings for SSO

Follow the appropriate procedure to enable Kerberos authentication for SSO in your web browser.

Internet Explorer

By default, Internet Explorer does not restrict the transmission of login credentials for intranet sites. However, your company may have policies that enforce this restriction on intranet sites.

To add the LEM Manager URL to the list of trusted intranet sites:

  1. Open Internet Options.
  2. Under Security, set your local intranet sites to automatically detect an intranet network with no other options.
  3. In your Local intranet Advanced settings, add your FQDN or URL as a website in the Local Intranet zone.

    For example:

    swi-lem or https://swi-lem

  4. Save your settings and close Internet Options.

Mozilla Firefox

  1. Open Firefox and enter about:config in the address bar.
  2. Enter network.negotiate-auth.trusted-uris in the Filter field.
  3. Double-click network.negotiate-auth.trusted-uris in the list.
  4. Enter the fully-qualified domain name (FQDN) or URL that you use for LEM.

    For example:

    The web browser is now configured for SSO.

Google Chrome and Opera

Add the LEM Manager URL to the list of trusted intranet sites in Internet Explorer, and then install Chrome or Opera on your workstation. Chrome and Opera inherit their settings from Internet Explorer if they were installed after you entered the trusted intranet sites into Internet Explorer.

Configure LEM for either SSO-only authentication, or SSO and local authentication

Complete these steps to configure which credentials users can use to log in to LEM. You can allow users to log in with either local LEM credentials or SSO (LDAP) credentials, or you can restrict users to only SSO (LDAP) credentials.

  1. Log in to the LEM admin user interface. See Log in to the LEM admin user interface for steps.
  2. Click SSO Configuration.

    The SSO Configuration Management screen opens.


  3. Click the toggle switch to enable the service.


  4. Click the Enabled authentications list and choose from the following:

    • Credentials and SSO – Allows users to log in with either local LEM credentials or SSO (LDAP) credentials.
    • SSO only – Restricts users to logging in with SSO (LDAP) credentials only.


  5. Click Save.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.

Configure SSO settings in LEM using the command-line

Use these alternate steps if you do not want to use the LEM admin user interface to upload the keytab file. (You do not have to repeat this process if you already uploaded the keytab file to LEM.)

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, enter import.


  3. Follow the prompts on your screen to complete the import.

    The file is uploaded in the appliance file system.

  4. Return to the management console menu.
  5. At the cmc> prompt, enter admin to access the admin command-line interface.
  6. Enter your user name and password.


  7. Arrow down to LOGIN, and press Enter.
  8. Arrow down to SSO configuration, and press Enter.


  9. Arrow down to Add New Configuration and press Enter.

    The content on this screen may vary with your LEM implementation.


  10. Enter your SSO configuration settings.


    1. Enter the Service Principle Name (SPN). See Generate a keytab file using Ktpass for details.

      For example: http/swi-lem.yourcompany.local@YOURCOMPANY.COM

    2. Enter the path to your keytab file using the following syntax:


  11. Arrow down to Save, and press Enter.

    The upload is completed.

  12. Exit the management console.
    SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.
