SolarWinds LEM 6.3 User Guide > Advanced LEM configurations > Set up single sign-on (SSO) in LEM

Set up single sign-on (SSO) in LEM

LEM supports Active Directory single sign-on (SSO). When enabled, LEM does not request a user name and password if the user is already logged in to Active Directory (AD). Instead, AD authenticates the user in the background, and automatically logs the user in to LEM with the appropriate user access rights.

Kerberos authentication ensures that SSO details are securely transmitted between LEM and Active Directory. To configure LEM for Active Directory SSO, a Kerberos keytab file is required. The keytab file is exported from Active Directory and imported into LEM. LEM uses this file to authenticate users with Active Directory and to enforce user account security. User access in the LEM consoles (desktop, web, and the LEM reports console) is based on AD group membership.

Set up Active Directory authentication in LEM

First configure Active Directory authentication and verify that users can log in to LEM with their AD credentials. For details, see Set up Active Directory authentication in LEM. After verifying that users can log in to LEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass

LEM requires a keytab file to authenticate users with Active Directory over the Kerberos protocol. This file contains a table of Active Directory principals, along with the encrypted key derived from each user's password. Ktpass is the Windows Server command-line tool that generates the .keytab file, as well as the shared secret key that LEM uses to securely authenticate users with Active Directory.

Before you run the ktpass command, gather the following information:

  • Fully-qualified domain name (FQDN) of the LEM VM – The FQDN is the complete domain name of the LEM virtual machine on the Internet. It includes the host name (the label assigned to a device on the network), and the name of the domain that hosts the device. For example, if the device name is swi-lem and the company domain is yourcompany.local, the FQDN is swi-lem.yourcompany.local.

  • Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is used to route authentication requests to the Active Directory server that holds user credentials. The realm name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos client configuration, make the realm name identical to your DNS domain name by only using upper-case letters. For example, if YourCompany belongs to the DNS domain name yourcompany.com, the Kerberos realm should be YOURCOMPANY.COM.

  • Service principal name (SPN) – The SPN provides an alias (or pointer) to your domain account. The SPN consists of the service class (HTTP), a forward slash, the FQDN, the @ symbol, and the realm.

    For example, the SPN for a device named swi-lem in the yourcompany.local domain would be http/swi-lem.yourcompany.local@YOURCOMPANY.COM, where swi-lem.yourcompany.local is the FQDN and YOURCOMPANY.COM is the realm.

  1. Do the following to obtain the LEM host name and IP address:

    1. Open a connection to the LEM appliance management console using one of the following methods:

      • vSphere console connection
      • Hyper-V console connection
      • PuTTY session on port 32022 or port 22 as the cmc user
    2. At the prompt, enter appliance to access the Appliance menu.


    3. At the prompt, enter viewnetconfig.
    4. When prompted, enter b to select the brief network configuration.
    5. Record the domain name, the host name, and the host name's resolved IP address.
    6. Exit the management console.
  2. Create a new host in DNS:

    1. Open DNS Manager on your domain controller.
    2. Create an A record entry for LEM on the DNS server using the host name and IP address. Verify that DNS Manager populated the domain field with the correct domain membership.
  3. Open Active Directory Users and Computers.
  4. Create an organizational unit (OU) and name it Keytab.
  5. Select the Keytab OU and create a new user account for the service principal name (SPN).

    Write down the SPN. You will need it in a later step.

  6. Generate the Kerberos keytab file using the ktpass command.

    1. Log in to the Active Directory server as an administrator.
    2. Open a command prompt as an administrator.
    3. Run the following ktpass command:

      ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\lem.keytab

      If you receive an error when you run the command, replace the -mapuser argument with -mapuser <user_name>.

      The ktpass command takes the following arguments:

      • -princ specifies the service principal name (SPN) in the form HTTP/<fqdn>@<REALM>. You will use this value in your LEM configuration.
      • -pass is the SPN account password.
      • -mapuser maps the Kerberos principal name (specified in the -princ argument) to the specified domain account.
      • -pType specifies the principal type as Kerberos 5 for Microsoft Windows.
      • -crypto specifies the encryption type. Entering ALL indicates all supported types. This can include Data Encryption Standard (DES), Rivest Cipher 4 (RC4), and Advanced Encryption Standard (AES) encryption types. See "ktpass" on the Microsoft TechNet website for more information about supported crypto types.
      • -out specifies the name and location for the generated Kerberos 5 keytab file.
  7. Navigate to the keytab file location (for example, c:\lem.keytab specified in the -out argument).
  8. Import the keytab file into LEM to allow LEM access to Active Directory.
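Before uploading the file, it is worth confirming what ktpass actually wrote into it. The following Python script is an added example (not part of the LEM guide or of the ktpass tool): it parses the MIT v2 keytab format that ktpass produces, confirms the SPN you will enter in LEM is present, and lists the encryption types the entries carry, flagging DES and RC4 (which -crypto ALL can emit) so you can decide whether to regenerate with a narrower crypto type. The keytab bytes below are constructed inline in place of a real file; the enctype numbers come from the Kerberos RFCs, and make_entry is a helper invented here to build that sample.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 8009); DES and RC4 are deprecated
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}

def _cstr(buf, off):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(buf):
    """Parse an MIT v2 (0x0502) keytab, as ktpass writes, into (principal, kvno, enctype)."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:                 # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, off = _cstr(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(buf, off)
            comps.append(c)
        # name_type(4) timestamp(4) vno8(1) enctype(2), then key length and key bytes
        kvno, enctype = struct.unpack_from(">8xBH", buf, off)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end                     # skip the key itself (and the optional 32-bit vno)
    return entries

def check_keytab(buf, spn):
    """Confirm the expected SPN is present and flag weak enctypes (-crypto ALL can emit them)."""
    found = {ENCTYPES.get(e[2], str(e[2])): e[2] for e in parse_keytab(buf) if e[0] == spn}
    return {"spn_present": bool(found), "enctypes": sorted(found),
            "weak": sorted(n for n, t in found.items() if t in WEAK)}

def make_entry(spn, enctype, kvno, key):
    """Build one keytab entry; constructed sample data standing in for real ktpass output."""
    name, realm = spn.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # name_type 1 = KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/swi-lem.yourcompany.local@YOURCOMPANY.COM"  # the page's example SPN
SAMPLE = b"\x05\x02" + make_entry(SPN, 23, 3, b"\x11" * 16) + make_entry(SPN, 18, 3, b"\x22" * 32)
```

To run it against a real file, replace SAMPLE with open(r"c:\lem.keytab", "rb").read() and pass your own SPN to check_keytab.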

Configure SSO settings in LEM using the Admin web console

You can use the command line to configure SSO settings in LEM. For details, see Configure SSO settings in LEM using the command-line.

  1. Open a web browser and connect to the LEM Admin user interface using the following URL:

    https://<lem_manager_IP_address>:8443/mvc/login

    If you have not yet activated LEM, or if you reopened port 8080, use the following URL:

    http://<lem_manager_IP_address>:8080/mvc/login

    You can also access the Admin user interface by entering admin at the cmc> prompt.

  2. Enter your user name and password in the login screen.

    The Settings / Authentication page opens.

  3. Click SSO Configuration.


  4. Complete the form:


    1. Enter the SPN in the Service Principal Name (SPN) field. See Generate a keytab file using Ktpass for details.

      For example: http/swi-lem.yourcompany.local@YOURCOMPANY.COM

    2. Click Browse and select the keytab file.

  5. Click Save.

    Your keytab file is uploaded to LEM. If you are logged in as a local user, LEM logs you out of the Admin user interface.

SSO is now configured on LEM.

Configure web browser settings for SSO

Follow the appropriate procedure to enable Kerberos authentication for SSO in your web browser.

Internet Explorer

By default, Internet Explorer does not restrict sending login credentials to intranet sites. However, your company may have policies that restrict this for intranet sites.

To add the LEM manager URL to the list of trusted intranet sites:

  1. Open Internet Options.
  2. Under Security, set your local intranet sites to automatically detect an intranet network with no other options.
  3. In your Local intranet Advanced settings, add your FQDN or URL as a website in the Local Intranet zone.

    For example: 

    swi-lem or https://swi-lem

  4. Save your settings and close Internet Options.

Mozilla Firefox

  1. Open Firefox and enter about:config in the address bar.
  2. Enter network.negotiate-auth.trusted-uris in the Filter field.
  3. Double-click network.negotiate-auth.trusted-uris in the list.
  4. Enter the fully-qualified domain name (FQDN) or URL that you use for LEM.

    For example: mylemappliance.example.com

    The web browser is now configured for SSO.

Google Chrome and Opera

Add the LEM Manager URL to the list of trusted intranet sites in Internet Explorer, and then install Chrome or Opera on your workstation. Chrome and Opera inherit their settings from Internet Explorer if they were installed after you entered the trusted intranet sites into Internet Explorer.

Log in to the LEM Admin web console using Active Directory credentials

Use a login account in the Admin Group to log in to the Admin web console. You can use either SSO or your Active Directory (LDAP) credentials.

To see which Active Directory group is mapped to the LEM Admin Group, open the "LDAP Configuration Management" page and expand the list under "Advanced Settings." See Configure SSO settings in LEM using the Admin web console for details.

Your login screen will vary depending on the options you selected during setup.


Configure LEM for either SSO-only authentication, or SSO and local authentication

Complete these steps to configure which credentials users can use to log in to LEM. You can allow users to log in with either local LEM credentials or SSO (LDAP) credentials, or you can restrict users to only SSO (LDAP) credentials.

  1. Open a web browser and connect to the LEM Admin user interface using the following URL:

    https://<lem_manager_IP_address>:8443/mvc/login

    If you have not yet activated LEM, or if you reopened port 8080, use the following URL:

    http://<lem_manager_IP_address>:8080/mvc/login

    You can use the command line to configure these settings by entering admin at the cmc> prompt.

  2. Log in using SSO or enter your user name and password.
  3. Click SSO Configuration.

    The SSO Configuration Management screen opens.


  4. Click the toggle switch to enable the service.

  5. Click the Enabled authentications list and choose from the following:

    • Credentials and SSO – Allows users to log in with either local LEM credentials or SSO (LDAP) credentials.
    • SSO only – Restricts users to log in with only SSO (LDAP) credentials.


  6. Click Save.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.

Configure SSO settings in LEM using the command-line

Use these alternate steps if you do not want to use the LEM Admin web console to upload the keytab file. (You do not have to repeat this process if you already uploaded the keytab file to LEM.)

  1. Connect to your LEM appliance using the VMware console view or an SSH client (such as PuTTY).

    To connect your appliance using VMware, select Advanced Configuration on the main console screen and press Enter to access the command prompt.

    To connect your appliance through SSH, log in as the CMC user using default SSH port 22 or port 32022 and provide the password.

    The default password is password.

  2. Access the management console menu.


  3. At the cmc> prompt, enter import.
  4. Follow the prompts on your screen to complete the import.

    The file is uploaded in the appliance file system.

  5. Return to the management console menu.
  6. At the cmc> prompt, enter admin to access the admin console.
  7. Enter your user name and password.


  8. Arrow down to LOGIN, and press Enter.
  9. Arrow down to SSO configuration, and press Enter.


  10. Arrow down to Add New Configuration and press Enter.

    The content on this screen may vary with your LEM implementation.


  11. Enter your SSO configuration settings.


    1. Enter the Service Principal Name (SPN). See Generate a keytab file using Ktpass for details.

      For example: http/swi-lem.yourcompany.local@YOURCOMPANY.COM

    2. Enter the path to your keytab file using the following syntax:

      /var/transfer/storage/<your_keytab_file_name>.keytab

  12. Arrow down to Save, and press Enter.

    The upload is completed.

  13. Exit the management console.

    SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are correct.

Last modified
17:00, 5 May 2017
