Configuring the Single Sign On (SSO)

Before you start the procedure, check the following requirements:

• All servers with Windows Server 2019 or 2022 environment are connected in a domain;
• Domain Controller with AD user group is configured on Windows Server.

To configure and use the Single Sign On (SSO) with Fudo Enterprise, please follow below steps.

Note

Please note that this is a general guide, and specific details may vary depending on your Windows Server setup. Refer to the Windows Server documentation for precise configuration steps.

SSO configuration on Windows Server 2019

Add User:

1. Log in to the server on which you want to setup the SSO using the administrator account.
2. Open the Server Manager application.
3. Click Tools button on the upper right corner of the window to expand the menu list and select Active Directory Users and Computers.

4. In the Manager window, navigate to the domain name, or a specific user group, and right-click on the Users catalog.
5. Select New > User.
6. Create a user who will use SSO to log in to Fudo Enterprise (e.g., User logon name: ad-user1).

7. Click Next.
8. Provide the password for created user (e.g., PaSSwOrD) and select Password never expires option.
9. Click Next and Finish.

Configure DNS entries:

1. Open the Server Manager application.
2. Click Tools button on the upper right corner of the window to expand the menu list and select DNS.

3. Go to Forward Lookup Zones, right click on the domain name and select New Host.
4. Provide the Name and IP address of the Fudo Enterprise Admin Panel (e.g., mgmt241.qa.sso, 10.0.32.241).
5. Click Add Host.

6. Right click on Reverse Lookup Zone and select New Zone.
7. Click Next.
8. Select Primary zone option and click Next.
9. Select To all DNS servers running on domain controllers in this domain: option and click Next.
10. Select IPV4 Reverse Lookup Zone option and click Next.
11. In the Network ID field, type in the start of the subnet range of your network (e.g., 10.0.32) and click Next.

12. Choose the dynamic update option (e.g., Allow only secure dynamic updates) and click Next.
13. Click Finish.
14. Right click on created zone 32.0.10.in-addr.arpa and select New Pointer (PTR).
15. Provide the Host IP Address and Host name of the Admin Panel (e.g., 10.0.32.241 and mgmt241.qa.sso).

Create Kerberos ticket:

1. Run the following command in the Powershell or CMD console:

   ktpass -princ HTTP/hostname.yourdomain.local@yourdomain.local -mapuser netbios_domain_name\username -pass password -ptype KRB5_NT_PRINCIPAL -out hostname.yourdomain.local.keytab

   • Example for this use case:

   ktpass -princ HTTP/mgmt241.qa.sso@QA.SSO -mapuser QA\ad-user1 -pass PaSSwOrD -ptype KRB5_NT_PRINCIPAL -out mgmt241.qa.sso.keytab

2. Copy the generated keytab file to the workstation where you will be configuring Fudo.

Setup Fudo Enterprise

Note

This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.

Configure SSO:

In order to define SSO service parameters in Fudo Enterprise, follow the steps:

1. Login into your Fudo Enterprise Admin Panel using the credentials for user with superadmin role.

2. Select Settings > System.

3. In the Timezone section, check if the selected timezone is consistent with the Windows client timezone configuration.

Warning

Fudo Enterprise Timezone must match the Windows client timezone configuration.

4. Select Settings > Authentication.
5. Go to Global tab.
6. In the SSO section, click the Upload button next to the Management SSO settings field.

7. In the Principal name field, provide service identifier that will match the user account with the service instance (e.g., HTTP/mgmt241.qa.sso@QA.SSO).
8. In the Keytab field, upload the keytab file containing user’s ID and encryption keys for encrypting and decrypting Kerberos tickets (generated in previous steps mgmt241.qa.sso.keytab file).

9. Click Save.

Note

You can also configure SSO for the User Access Gateway by uploading the appropriately configured keytab file in the User Access SSO settings field. Remember to use the Access Gateway IP address when configuring the Windows environment.

Configure DNS:

1. Go to Settings > Network configuration.
2. Switch to the Name & DNS tab.

3. Enter hostname.yourdomain.local in the Hostname field (e.g., mgmt241.qa.sso).

4. Configure DNS server to point to a DNS server in the yourdomain.local domain (in this example we will use a domain controller IP address):

   • Click Add DNS server to define new DNS server.
   • Enter DNS server IP address (e.g., 10.0.242.100).
   • Click Save.

Configure external authentication method:

1. Login into your Fudo Enterprise Admin Panel.

2. Select Settings > Authentication.
3. In the External authentication tab click Add an external authentication.

4. In the Name field, provide a name for this configuration.
5. Set the Bind address to Any.
6. In the General field select Active Directory.
7. In the Host field provide the Domain Controller IP address (e.g., 10.0.242.100).
8. Leave default port number: 389.
9. Provide the name of the domain which will be used for authenticating users in Active Directory (e.g., qa.sso).
10. In the Login and Secret fields provide the privileged account’s login credentials used to access the Domain Controller.

10. Click Save.

Create User in Fudo:

Warning

Single Sign On setup is available only for users with the superadmin role, and can be used by users with the operator, admin, and superadmin roles.

1. Select Management > Users and then click Add user.

2. Enter the user name that matches created in previous steps user account in Active Directory (e.g., ad-user1).
3. Select the Admin role.
4. In the Settings tab, under the Safes section, select main to grant access rights to the Admin Panel.

5. Click Save.

6. Go to the Authentication section and from the Add authentication method drop down list select External authentication.

7. Chose created in previous steps Active Directory method and click Save.

8. In the User Data tab, fill in the Fudo domain and AD domain (e.g., qa.sso).

Note

Both the Fudo domain and AD domain should match the domain name specified in the Kerberos ticket.

9. If necessary, please fill in the remaining parameters as needed for your specific configuration. For more details, please refer to the Creating a user section.

10. Click Save and close.

Setup and check user workstation - Windows2010 Client

Firefox browser configuration:

1. Log in to Windows Client using the ad-user1 account.
2. Open Firefox, type about:config in the address bar, and press Enter.
3. A warning message will appear. Click on Accept the Risk and Continue option to proceed.
4. In the search bar at the top, type network.negotiate-auth.trusted-uris.
5. Double-click on the network.negotiate-auth.trusted-uris and enter the desired FQDN (Fully Qualified Domain Name) with a protocol, separating entries with a comma (e.g., https://mgmt241.qa.sso,https://uag242.qa.sso).
6. Press Enter to save the changes.

7. Next, type in network.automatic-ntlm-auth.trusted-uris in the search bar.
8. Double-click on the network.automatic-ntlm-auth.trusted-uris and enter the desired FQDN (Fully Qualified Domain Name) with a protocol, separating entries with a comma (e.g., https://mgmt241.qa.sso,https://uag242.qa.sso).
9. Press Enter to save the changes.
10. Restart the browser.

Internet Explorer browser configuration:

1. Navigate to Tools > Internet Options > Advanced.
2. On the Advanced tab and in the Security section, select Enable Integrated Windows Authentication.

3. On the Security tab, select Local Intranet.
4. Click Custom Level.
5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.

6. Click OK.
7. Click Sites and select all check boxes.
8. Click Advanced and add Remedy SSO service website to the local zone (in our example, it’s https://mgmt241.qa.sso).
9. Click Add.
10. Click OK for all pop-ups.
11. Uruchom ponownie przeglądarkę.

Chrome browser configuration:

Google Chrome supports Kerberos authentication. Once Internet Explorer is configured, no additional settings are needed for Google Chrome, as it relies on Internet Explorer’s configuration.

Log into the Admin Panel using SSO:

1. Open the Firefox browser and enter the previously defined FQDN in the address bar ( in our example, it’s https://mgmt241.qa.sso).
2. The Fudo Enterprise Admin Panel Dashboard will appear without the need to use login credentials.

Related topics:

• Single Sign On
• Authentication