INUVIKA TECHNICAL GUIDE


Version 1.7, July 10, 2018

Passing on or copying of this document, use and communication of its content not permitted without Inuvika written approval.

PREFACE

This document explains the steps to implement a Single Sign-On for users of Inuvika OVD with a Microsoft Active Directory integration using Kerberos.

HISTORY

Version Date Comments

Updates for OVD 2.5. Removing CAS Reformatting Updates for OVD Corrections for config files Updates for OVD Documentation clarifications and additions for CentOS/RHEL Fix typos and clarifications Initial version

TABLE OF CONTENTS

1 Introduction
    Active Directory and Kerberos Auth Method
        Understanding Kerberos Concepts
    OVD and SSO
    Related Documentation
2 Pre-Requisites
    Server Environment
    Session Manager IP Configuration
    Workstation and Domain Account
    Client Compatibility
    Integrating Microsoft Active Directory with OVD
3 Network Overview
4 Session Manager Configuration
    FQDN and DNS Compatibility
        System Hostname Definition
        Active Directory DNS
    Time Synchronization
    Install and Configure Kerberos
        Verification
    Joining the Domain
    Active Directory Users and Computers
    Create a Service Ticket
    Apache and Kerberos
        Validate the Configuration
    Kerberos and OVD
5 OWA HTML5 Client
6 Enterprise Desktop Client
    Workstation Configuration
        AllowTGTSessionKey
        Enable DES
    EDC
7 Troubleshooting
    Validate Test Case
    DNS Issues
    Clock Skew
    OWA HTML5
    EDC
    Static IP Address Configuration
    Apache Group

1 INTRODUCTION

1.1 ACTIVE DIRECTORY AND KERBEROS AUTH METHOD

The Kerberos authentication protocol provides a mechanism for authentication, and mutual authentication, between a client and a server, or between one server and another server. Microsoft's Active Directory is an implementation of a Kerberos authentication realm. Kerberos-enabled servers in the authentication realm allow users to sign in to Windows workstations that are joined to the Microsoft Domain and to access resources in that domain. A user does not need to provide the authentication credentials again once signed in. This is known as Microsoft Single Sign-On (SSO).

A detailed overview of Microsoft and Kerberos authentication can be found at: com/en-us/library/cc780469%28v=ws.10%29.aspx

UNDERSTANDING KERBEROS CONCEPTS

The Kerberos authentication protocol is standard on all versions of Windows. A typical Kerberos implementation consists of 3 server entities:

- Key Distribution Center (KDC), which typically is installed on the Domain Controller (the primary Microsoft Active Directory server);
- A client workstation that is a part of the domain; and
- A server with the desired service to access.

An overview of a typical Kerberos workflow can be found at: bb aspx

1.2 OVD AND SSO

The default Inuvika OVD authentication method requires a login and password and uses the internal MySQL database to store the user credentials. OVD can also be configured to use external authentication services such as LDAP, Novell, and Microsoft Active Directory.

A Single Sign-On mechanism aims to authenticate a user only once on a secure authorization platform and then connect the user to the various external resources by re-using the credentials. OVD is compatible with several SSO solutions, such as SAML2.

Integrating OVD with Active Directory SSO will provide users a way to log in to an OVD session without sharing any login details; instead, the credentials previously delivered by Active Directory during the initial authentication process will be re-used. The following sections describe the configuration process that enables OVD to use SSO with Active Directory.

1.3 RELATED DOCUMENTATION

The following OVD Enterprise documentation is available:

- Microsoft Active Directory Integration Guide
- Administration Guide
- SAML 2.0 Configuration Guide

2 PRE-REQUISITES

2.1 SERVER ENVIRONMENT

The server environment must include a Microsoft Domain Controller as well as a typical OVD server farm.

The Microsoft Domain Controller (DC) must have the following characteristics:

- Active Directory is installed and functional
- DNS Server is installed and functional
- Configured as an NTP host server
- Microsoft functional level 2008R2, or 2012R2

The OVD server farm must be able to access the Domain Controller and vice-versa. The OVD farm consists of the following:

- A server that has the OVD Session Manager, Web Access and Admin Console
- An OVD Application Server (ApS), either Windows or Linux or both
- An OVD File Server (OFS)

Note

- If OVD was configured to use the internal authentication method, any publications will need to be recreated after changing the authentication method.
- It is important to perform backups of your running OVD farm and Microsoft Active Directory server prior to executing any integration steps outlined from this point onwards. It is preferable to test your integration by cloning the servers or by re-creating a new isolated environment so that you can conduct comprehensive testing of the OVD SSO integration. An isolated environment is required so that your production environment will not recognize the cloned Domain Controller, which avoids any negative Domain Controller policy propagation.
- The ApS and OFS cannot be installed on the same server as the Session Manager. Otherwise there will be a configuration conflict which will prevent the system from working correctly.
- All passwords are case sensitive.

2.2 SESSION MANAGER IP CONFIGURATION

The Session Manager IP address may be established either by using DHCP or by using a static IP configuration.

In the case that a DHCP configuration is used and the DHCP service is not provided by the Active Directory server, the following must be ensured:

- The DHCP server must always provide the same IP to the Session Manager (MAC address match)
- The DHCP server must provide the Session Manager with the IP address of the Active Directory server as the primary DNS server

It is highly recommended to perform the above steps before proceeding further in the documentation. If it is not possible to validate the above steps, then a possible workaround is to configure the Session Manager with a static IP address.

2.3 WORKSTATION AND DOMAIN ACCOUNT

SSO integration requires that the user log in with a user account managed by Microsoft Active Directory and also that the workstation is joined to the domain.

2.4 CLIENT COMPATIBILITY

The SSO feature is compatible with OVD clients running on a Windows workstation that is joined to the Active Directory domain. SSO is compatible with the OVD Enterprise Desktop Client and OVD Web Access clients using a Windows workstation. It is not compatible with the Enterprise Mobile Client (Android, iOS), the Enterprise Desktop Client on Linux and Mac platforms, or the Web Access clients running on Linux or Mac.

2.5 INTEGRATING MICROSOFT ACTIVE DIRECTORY WITH OVD

OVD must be configured to use the Active Directory authentication method. Please refer to the Microsoft Active Directory Integration Guide for detailed instructions. For information about the Domain Integration Settings in the OVD Administration Console, please refer to the OVD Administration Guide.

In the Domain Users section of the configuration page, ensure that the "Use Internal method to handle users in OVD Sessions" option is selected. The "Use Active Directory to handle users in OVD sessions" option is not compatible with Single Sign-On.

After changing the authentication method, users must be assigned to the relevant user groups and publications created so that they can create a session. Session Data and user profiles that were created when Internal Authentication was enabled will no longer be accessible after switching to Active Directory.

After creating the publications, verify that users can access OVD correctly by having them log in and confirm that they see the same applications as before the modifications for Active Directory.

3 NETWORK OVERVIEW

Figure 1: A standard OVD Network with a Microsoft Domain Controller

Note: In the figure above and throughout the example, the Microsoft Domain Controller is dc.test.demo and Session Manager is osm.test.demo. The Windows domain is test.demo.

4 SESSION MANAGER CONFIGURATION

The Session Manager support for Windows SSO is based on using Samba to manage the Kerberos keytab, which is a file containing pairs of Kerberos principals and encrypted keys, and the krb5 user software, which provides basic programs to authenticate using MIT Kerberos. The following sections describe how to set up Samba on the Session Manager server to provide this capability.

4.1 FQDN AND DNS COMPATIBILITY

Windows Kerberos requires the use of FQDNs (Fully Qualified Domain Names); it will not work with IP addresses. Each server in a Kerberos authentication realm must be assigned an FQDN that is forward-resolvable. The Kerberos protocol also expects the server's FQDN to be reverse-resolvable. The reverse and forward lookup for an FQDN can be tested using the nslookup command.

SYSTEM HOSTNAME DEFINITION

Before proceeding, make sure that the Session Manager server is configured correctly by entering the following commands and checking that the response is as expected:

- hostname: the expected response is osm
- hostname -f: the expected response is osm.test.demo

If either of the responses is not as expected, follow the steps below to correct the configuration and then retest:

1. Make sure the system hostname is defined correctly (osm) and does not contain the network/domain name (test.demo) by editing the file /etc/hostname to define osm as hostname.

2. Edit the /etc/hosts file and ensure it contains the following lines, using the IP address and Session Manager FQDN applicable to your environment:

    <Session Manager IP address> osm.test.demo osm

3. If you made any modification to the hostname configuration file or the /etc/hosts file, please reboot your server.

4. After reboot, make sure the expected response is obtained for the hostname and hostname -f commands.

Note: When configuring the hostname for your environment, the domain specified in the hostname should be the Windows domain name defined by the Active Directory Domain Controller.

ACTIVE DIRECTORY DNS

Using the DNS server that is provided on the Active Directory server simplifies the requirements for FQDN when using Kerberos. To check that the DNS server is working correctly, perform the following steps:

1. Open the /etc/resolv.conf file on the Session Manager server and ensure that the name server is the Domain Controller's IP address. If not, then:
   (a) For a DHCP configuration, go to section Session Manager IP Configuration and check the configuration is correct.
   (b) For a static IP configuration, change the system primary DNS to be the Active Directory Domain Controller IP. For further information refer to section Static IP Address Configuration.

    nameserver <Domain Controller IP address>
    search test.demo

2. Save the file and verify that the name resolution works.

    ping test.demo

4.2 TIME SYNCHRONIZATION

Time synchronization is critical for Kerberos authentication to work. The Domain Controller should be configured as the local network's time server (NTP server). Configure the Session Manager server to synchronize with the Domain Controller, and the Domain Controller to sync each hour against a reliable outside source. Make sure the clock time of the Domain Controller, the client workstation and Session Manager server are in sync. If the time difference is greater than five minutes, Kerberos may not work correctly.

NTPD is a Linux software service that synchronizes the time over the network using NTP (Network Time Protocol). This package should be installed and configured on the Session Manager server.

1. Install the package using the following commands:

   For Ubuntu

    apt-get install -y ntp
    service ntp stop

   For CentOS / RHEL 7

    yum install ntp
    service ntpd stop

2. Synchronize the time by using the following command:

    ntpdate dc.test.demo

3. Open the /etc/ntp.conf file
   (a) Comment out all the lines starting with server

    # more information
    #server 0.ubuntu.pool.ntp.org
    #server 1.ubuntu.pool.ntp.org
    #server 2.ubuntu.pool.ntp.org
    #server 3.ubuntu.pool.ntp.org
    #Use Ubuntu's ntp server as a fallback
    #server ntp.ubuntu.com

   (b) Then set the Domain Controller as the ntp server

    server dc.test.demo

   (c) Restart the service

   For Ubuntu

    service ntp start

   For CentOS / RHEL 7

    service ntpd start

4.3 INSTALL AND CONFIGURE KERBEROS

On the Session Manager server, install and configure the Kerberos package called krb5-user. Then configure Kerberos to authenticate in the Active Directory domain.

1. Install the Kerberos package

   For Ubuntu

    apt-get install -y krb5-user

   For CentOS / RHEL 7

    yum install krb5-workstation

2. Back up the Kerberos configuration file

    mv /etc/krb5.conf /etc/krb5.conf.old

3. Create a new file called /etc/krb5.conf and copy & paste the following lines into the file:

    [libdefaults]
    default_realm = TEST.DEMO
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    default_keytab_name = FILE:/etc/krb5.keytab

    [realms]
    test.demo = {
        kdc = dc.test.demo
        master_kdc = dc.test.demo
        admin_server = dc.test.demo
        default_domain = test.demo
    }

    [domain_realm]
    test.demo = TEST.DEMO

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log

   (a) Replace dc.test.demo by the FQDN of the Domain Controller of your Active Directory domain
   (b) Replace test.demo by the Active Directory domain name
   (c) Replace TEST.DEMO by the Active Directory domain name in upper case characters

4. Create the log directory /var/log/krb5 corresponding to the configuration file entry:

    mkdir -p /var/log/krb5
    touch /var/log/krb5/krb5kdc.log
    touch /var/log/krb5/kadmind.log

VERIFICATION

To verify that the installation and configuration were successful, perform the following test using kinit:

    kinit john@test.demo
    Password for john@test.demo:

Note: You can use any Active Directory account for the test with or without the realm (user or user@domain). In the above example, the user is john.

Check that the Ticket Granting Ticket (TGT) is correctly configured by using the following command:

    klist

Information similar to that shown below should be displayed:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: john@test.demo

    Valid starting     Expires            Service principal
    07/20/15 16:08:51  07/21/15 02:08:54  krbtgt/TEST.DEMO@TEST.DEMO
            renew until 07/21/15 16:08:51

In order to destroy the active TGT, enter the following command:

    kdestroy

4.4 JOINING THE DOMAIN

The next step is to install and configure Samba so that the Session Manager server can be added to the Active Directory domain using Kerberos.

1. Install the Samba package

   For Ubuntu

    apt-get install -y smbclient

   For CentOS / RHEL 7

    yum install samba-client

2. Take a backup of the Samba configuration file smb.conf, using the command below:

    mv /etc/samba/smb.conf /etc/samba/smb.conf.old

3. Create a new /etc/samba/smb.conf file and copy/paste the following lines into it:

    [global]
    netbios name = osm
    realm = TEST.DEMO
    security = ADS
    encrypt passwords = yes
    password server = dc.test.demo
    workgroup = TEST
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab

   (a) Replace the osm netbios name by your netbios name.
   (b) Replace dc.test.demo by the FQDN of the Domain Controller of your Active Directory domain
   (c) Replace TEST.DEMO by your Active Directory domain in upper case characters
   (d) Replace TEST by your Active Directory Netbios name in upper case characters

4. Join the Session Manager server to the domain using the net ads join command with a domain administrator user (a user that has rights to add computers and users to the domain) by entering the command below:

    net ads join -U administrator@test.demo

5. Enter the administrator's password

6. Test the configuration using the following command:

    net ads testjoin

7. After performing that command, the computer is joined to the domain, and the SM server is now added as a computer object in Active Directory.

Note: If the user wants to further verify the system is working, use the following command:

    net ads info

Output similar to that shown below should be displayed:

    LDAP server:
    LDAP server name: dc.test.demo
    Realm: TEST.DEMO
    Bind Path: dc=test,dc=demo
    LDAP port: 389
    Server time: Mon, 18 May : 40: 22 CEST
    KDC server:
    Server time offset:

ACTIVE DIRECTORY USERS AND COMPUTERS

The Session Manager must be configured in the Domain Controller so that it can be trusted for use with Kerberos. On the Domain Controller, open the Active Directory Users and Computers console.

1. Locate the osm object

   Figure 2: osm Computer Object

2. Right-click on the osm object to display the menu options for that object and select Properties

3. Now modify the delegation setting.
   (a) In the Properties dialog, click on the Delegation tab.
   (b) In the Delegation dialog, choose "Trust this computer for delegation for any service (Kerberos only)".

   Figure 3: osm Object Menu

   (c) Click on Apply and OK.

The Session Manager is now configured in the Active Directory domain.

4.6 CREATE A SERVICE TICKET

Up to this point, the system has been configured so that the Session Manager server is able to connect to the Active Directory domain. The next step is to get the Kerberos service keys in a keytab file so that the data can be used by the Apache web server on the Session Manager server. Samba is used to set the service principal(s) for Apache.

1. On the Session Manager server, log in to a console as an administrator. In the example we are following, this is administrator@test.demo.

    net ads keytab add HTTP -U administrator@test.demo

   After entering the command, you should see output similar to that shown below:

    Processing principals to add...
    Enter administrator's password:

2. Now check that the /etc/krb5.keytab file contains the HTTP/osm.test.demo principal ticket by using the ktutil command.

    ktutil

Figure 4: osm Properties Dialog

Figure 5: Delegation tab of the osm Object

Figure 6: Delegation Options for Windows 2008 and Windows 2012

3. Enter the path to the keytab file.

    ktutil: rkt /etc/krb5.keytab

4. Type the command list to show the contents.

    ktutil: list
    slot KVNO Principal
       1    2 HTTP/osm.test.demo@test.demo
       2    2 HTTP/osm.test.demo@test.demo
       3    2 HTTP/osm.test.demo@test.demo
       4    2 HTTP/osm.test.demo@test.demo
       5    2 HTTP/osm.test.demo@test.demo
       6    2 HTTP/osm@TEST.DEMO
       7    2 HTTP/osm@TEST.DEMO
       8    2 HTTP/osm@TEST.DEMO
       9    2 HTTP/osm@TEST.DEMO
      10    2 HTTP/osm@TEST.DEMO
    ktutil:

5. Exit the utility using the exit command.

    ktutil: exit

6. Set access permissions for the keytab file.

    chmod 640 /etc/krb5.keytab

7. Set file group owner

   For Ubuntu

    chgrp www-data /etc/krb5.keytab

   For CentOS / RHEL 7

    chgrp apache /etc/krb5.keytab

Note: We want to set the default POSIX group used by the Apache process as the group owner of the keytab file. If for any reason your system overrides the default configuration value, please refer to Apache Group.

4.7 APACHE AND KERBEROS

Please follow the steps below:

1. Install the package first

   For Ubuntu

    apt-get install -y libapache2-mod-auth-kerb

   For CentOS / RHEL 7

    yum install mod_auth_kerb

2. Enable the Apache module. The Apache module should be loaded automatically after installing the package. If the module does not load, enter the command below:

    a2enmod auth_kerb

3. Edit the configuration file:

   For Ubuntu

    /etc/apache2/conf-enabled/test.conf

   For CentOS / RHEL 7

    /etc/httpd/conf.d/test.conf

4. Copy the following data into the file:

    Alias "/test" "/var/www/test"
    <Directory "/var/www/test">
        AllowOverride None
        DirectoryIndex index.php
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbServiceName HTTP/osm.test.demo
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms TEST.DEMO
        Krb5KeyTab /etc/krb5.keytab
        require valid-user
    </Directory>

   (a) Replace osm.test.demo by the FQDN of the Session Manager in your environment.
   (b) Replace TEST.DEMO by your Active Directory domain in upper case characters

5. Create a folder test in the web server root

    mkdir -p /var/www/test

6. Create a /var/www/test/index.php file and paste the following content in it:

    <?php
    echo "<h2>kerberos Auth</h2>";
    echo "Auth type: " . $_SERVER['AUTH_TYPE'] . "<br />";
    echo "Remote user: " . $_SERVER['REMOTE_USER'] . "<br />";

7. Restart the Apache service

   For Ubuntu

    service apache2 restart

   For CentOS / RHEL 7

    service httpd restart

VALIDATE THE CONFIGURATION

The example below must be completed on a Windows workstation with a domain user logged in. Please install Firefox for testing purposes. In this example, we recommend using Firefox because it is easier to configure for Kerberos. If you want to use another browser, please refer to the information provided at:

Note: The Apache configuration presented here is not compatible with Internet Explorer or Google Chrome.

First, configure Firefox to use Kerberos and then verify the configuration using HTTPS.

1. Run Firefox

2. In the URL field, enter the value about:config.

3. In the search field, enter network.nego.

4. Change the two values to match the OSM FQDN, e.g.
   (a) network.negotiate-auth.delegation-uris: Right click and select modify to enter the value osm.test.demo
   (b) network.negotiate-auth.trusted-uris: Right click and select modify to enter the value osm.test.demo

5. Browse to the URL

If SSO is working correctly, you will see information similar to the screenshot below:

4.8 KERBEROS AND OVD

We have validated that Kerberos authentication over HTTP is working using a simple PHP example. The next step is to configure Kerberos authentication for the OVD Session Manager.

1. Duplicate the Apache SSL VirtualHost that already exists for the Session Manager:

   For Ubuntu

    cd /etc/apache2/sites-enabled
    cp default-ssl.conf ovd-session-manager-kerb.conf

   For CentOS / RHEL 7

    cd /etc/httpd/conf.d
    cp ssl.conf ovd-session-manager-kerb.conf

Figure 7: about:config

Figure 8: Kerberos Authorization

2. Edit the ovd-session-manager-kerb.conf file
   (a) Delete all the lines that appear before and after the VirtualHost section.
   (b) Change the ServerName setting value to the OSM FQDN (osm.test.demo in this example)

    ServerName osm.test.demo

   Note: If no ServerName setting is defined yet, create a new one at the beginning of the VirtualHost definition.

   (c) Copy & paste the following block at the end of the VirtualHost definition

    <Location /ovd>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbServiceName HTTP/osm.test.demo
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms TEST.DEMO
        Krb5KeyTab /etc/krb5.keytab
        Require valid-user
    </Location>

   (d) Replace osm.test.demo by the FQDN of the Session Manager in your environment
   (e) Replace TEST.DEMO by the Active Directory domain name in upper case characters

3. Edit the default SSL VirtualHost configuration file and change the ServerName setting value to the IP address of the Session Manager.
   (a) For Ubuntu, the file is /etc/apache2/sites-enabled/default-ssl.conf
   (b) For CentOS / RHEL 7, the file is /etc/httpd/conf.d/ssl.conf

    ServerName <Session Manager IP address>

   Note: If no ServerName setting is defined, add the setting in the SSL Virtual Host configuration file.

4. Reload the Apache configuration

   For Ubuntu

    service apache2 reload

   For CentOS / RHEL 7

    service httpd restart

5. Go to the OVD Administration Console page: Configuration / Authentication Settings
   (a) Check the RemoteUser authentication checkbox in the AuthMethod section
   (b) Set the "Remove domain if exists" option to yes in the RemoteUser section only if the Active Directory sAMAccountName is being used for the usernames. Otherwise, leave the setting set to no
   (c) Click on the Save button at the bottom of the page

The SM is now configured to authenticate a user with Kerberos. The next step is to configure the OVD client to validate that the setup is working.

Figure 9: Enable AuthMethod

Note: This configuration for the Session Manager provides both regular and Kerberos authentication. If you want to disable regular authentication, the easiest way is to uncheck the Password checkbox in the OVD Administration Console.
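The keytab created in section 4.6 holds the long-term keys of the HTTP service, so its mode, group and contents are worth re-checking whenever the Session Manager is re-joined to the domain. The script below is an added example, not part of the original guide. It assumes a stat that supports -c (GNU or BusyBox) and the output layout of MIT klist -k; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Inuvika guide: audit the keytab from section 4.6.
# Assumptions: stat supports -c; listings use the layout printed by MIT `klist -k`.

# Succeeds when "other" has no access and the group can read but not write:
# 640 as set in step 6, or the stricter 440.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        [46]40) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeeds when the file's group is the Apache group passed as $2
# (www-data on Ubuntu, apache on CentOS / RHEL 7, see section 7.7).
keytab_group_ok() {
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Reads `klist -k` output on stdin and prints the distinct KVNOs stored for
# principal $1. Names are compared case-insensitively because the listing in
# section 4.6 shows the realm in both lower and upper case.
kvnos_for() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) { seen[$1] = 1 }
        END { for (k in seen) print k }
    ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Classifies a listing read from stdin for principal $1:
#   MISSING  no key for the service principal
#   MIXED    keys from more than one KVNO; after the machine is removed from
#            the domain and re-joined (section 7.2) the older entries no longer
#            match the Domain Controller and the keytab should be rebuilt
#   OK       exactly one KVNO present
audit_keytab_listing() {
    kvnos=$(kvnos_for "$1")
    case "$kvnos" in
        '')    echo "MISSING $1"; return 1 ;;
        *' '*) echo "MIXED $1 kvno=$kvnos"; return 1 ;;
        *)     echo "OK $1 kvno=$kvnos" ;;
    esac
}

# Constructed sample listings (not captured from a real system).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/osm.test.demo@TEST.DEMO
   2 HTTP/osm.test.demo@TEST.DEMO
   2 HTTP/osm@TEST.DEMO'
MIXED_LISTING="$SAMPLE_LISTING
   3 HTTP/osm.test.demo@TEST.DEMO"

printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing 'HTTP/osm.test.demo@TEST.DEMO'
printf '%s\n' "$MIXED_LISTING" | audit_keytab_listing 'HTTP/osm.test.demo@TEST.DEMO' || true

# On the Session Manager, as root:
#   keytab_mode_ok /etc/krb5.keytab && keytab_group_ok /etc/krb5.keytab www-data
#   klist -k /etc/krb5.keytab | audit_keytab_listing 'HTTP/osm.test.demo@TEST.DEMO'
```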

5 OWA HTML5 CLIENT

The Kerberos Authentication for the HTML5 client will only work if the OWA is installed on the same system as the OSM and it is accessed via HTTPS. The OWA must be configured to address the OSM using or localhost. If it does not work, please review the steps mentioned in section Session Manager Configuration from the beginning through to section Validate the Configuration.

1. Edit the OWA configuration file /etc/ovd/web-access/config.inc.php
   (a) Uncomment the line define('OPTION_FORCE_SSO', true);
   (b) The SESSIONMANAGER_HOST setting must be set to localhost if it was defined with an IP or FQDN
   (c) Save and exit.

2. Start Firefox and enter the URL

You will see a screen similar to the one below if Kerberos is working properly.

Figure 10: Login screen

Note: Firefox must be configured to use Kerberos. To configure Firefox, follow the steps detailed in section Validate the Configuration.

If the login panel does not show the user login name, check the firewall settings and re-check the steps for Kerberos Authentication in section Session Manager Configuration.

Clicking on Connect will start the OVD session without the requirement to enter any further credentials.

6 ENTERPRISE DESKTOP CLIENT

This section applies to the Enterprise Desktop Client (EDC) running on a Windows workstation.

6.1 WORKSTATION CONFIGURATION

The user workstation (Windows) must be configured to allow SSO authentication into OVD. For this, local or domain admin access to the workstation is required. Please note that domain GPO (Group Policy) may be used to automate the changes below in an enterprise environment.

ALLOWTGTSESSIONKEY

There is a key called AllowTgtSessionKey in the Windows registry that controls whether a client application is allowed to decrypt the session key of a Kerberos Ticket Granting Ticket (TGT). This capability must be enabled.

1. Log in as an admin user on the user workstation

2. Run the registry editor: regedit.exe

3. Create a registry entry as follows for Windows Vista, 7, 8 or 10. Create a DWORD entry with the name AllowTgtSessionKey and value 1 at HKEY_LOCAL_MACHINE\System\Curr

Figure 11: Registry AllowTgtSessionKey

6.1.2 ENABLE DES

Depending on your version of Windows, further settings may need to be applied as described in the Microsoft information page at

These settings apply to Windows 7, Windows 8 and Windows 8 R2 and Windows

1. Open an admin session on the workstation

2. Run gpedit.msc from a command prompt

3. Navigate: Local Computer Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

4. Open the "Network Security: Configure encryption types allowed for Kerberos" setting and enable the following options:

5. Reboot the workstation

6.2 EDC

Start the EDC and check "Use Local credentials" as shown in the figure below:

Note: Clicking on Start should start the session without the need to enter any further credentials.

Figure 12: Network Security options

Figure 13: Inuvika OVD Enterprise Desktop Client

7 TROUBLESHOOTING

7.1 VALIDATE TEST CASE

If the test from section Validate the Configuration does not work, check the items below first:

1. The server time on all servers is correctly synchronized and operational
2. Browser is set up correctly
3. No firewall issues on the OSM node
4. Check that the auth_kerb module is enabled in Apache and ensure that the module is present and loaded.

If the test still does not work, the Apache logs and web-browser developer tools console can provide further information. A tool such as Wireshark can be used to monitor the HTTP data stream (test over HTTP instead of HTTPS when capturing with Wireshark).

Enable the debug mode on the SM side by performing the following for the OVD session:

- Set up the domain integration to Microsoft and internal session method
- Enable RemoteUser authentication as described in section 4.8 Kerberos and OVD
- Enable debug mode in the OSM and Apache logs
- Enable the SSO option in the OWA by editing the OWA config file at /etc/ovd/web_access/config.inc.php
- Use HTTPS (it should not be HTTP)

7.2 DNS ISSUES

If the net ads join test described in section Joining the Domain fails with the following result:

    No DNS domain configured for osm. Unable to perform DNS Update.
    DNS update failed!

Then the possible reasons are:

- Invalid system hostname
- Invalid system network name in /etc/hosts
- Invalid system network name in the smb.conf configuration for the netbios name

To resolve this issue, configure the system hostname and system network name for the Session Manager correctly and then remove the workstation from Active Directory and register it again.

7.3 CLOCK SKEW

If there is an issue in authenticating OVD with Kerberos, turn on the Apache error logs and check the reports for a "Clock skew too great" error:

    [error] [client] krb5_get_init_creds_password() failed: Clock skew too great

This error indicates that the time on the Session Manager is not synchronized with the time on the Active Directory Domain Controller. Run the ntpdate command to fix the issue and check for the possible reasons why the ntp service is not synchronizing it.

7.4 OWA HTML5

If the HTML5 client is not working, open the developer tools console in Firefox, enter ovd.settings.http_provider and ensure it returns direct. Otherwise the about:config settings were not saved. Please refer to the screenshot below:

Figure 14: Developer tools console calling ovd.settings.http_provider

7.5 EDC

Check your local credentials using the klist command and ensure that there is an HTTP/osm.test.demo ticket.

7.6 STATIC IP ADDRESS CONFIGURATION

Generally, the DNS information is stored in the /etc/resolv.conf file. Sometimes, when you modify the file to have a specific DNS server IP address, the change may not be persistent because of the system configuration, and the modification may be lost when the system is rebooted or the network service is restarted.

On Ubuntu and RHEL/CentOS systems, the DNS configuration can also be defined in the global network configuration. In turn, this will overwrite the DNS modification made in /etc/resolv.conf. For these reasons, it is recommended to modify the DNS information directly in the global network configuration file.

For Ubuntu: Edit the /etc/network/interfaces file to add

    dns-nameservers <Domain Controller IP address>
    dns-search test.demo

For CentOS / RHEL 7: Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 to add

    DNS1=<Domain Controller IP address>
    SEARCH=test.demo

7.7 APACHE GROUP

The system default group used by Apache is:

- For Ubuntu: www-data
- For CentOS / RHEL 7: apache

If for some reason the system overrides the system default value, or if you want to check it, the following command line will give you the group name used by Apache on your system:

For Ubuntu

    egrep -w --color=auto '^Group' -R /etc/apache2/
    egrep -w --color=auto 'APACHE_RUN_GROUP' /etc/apache2/envvars

For CentOS / RHEL 7

    grep -E '^Group' /etc/httpd/conf/httpd.conf
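For the clock-skew case in section 7.3 and the five-minute tolerance stated in section 4.2, the script below is an added example, not part of the original guide. It reads the "Server time offset" line of net ads info and counts the clients that hit the "Clock skew too great" error in an Apache error log. It assumes the offset is reported in whole seconds; the function names, the sample output and the sample log lines (documentation IP addresses) are constructed.

```shell
#!/bin/sh
# Added example, not part of the Inuvika guide: clock-skew triage for section 7.3.
# Assumption: `net ads info` reports "Server time offset" in whole seconds.

MAX_SKEW=300   # five minutes, the tolerance given in section 4.2

# Reads `net ads info` output on stdin and prints the offset value.
# Exits non-zero when the line is absent (for example, the join is broken).
ads_time_offset() {
    awk -F': *' '/^Server time offset/ { print $2; found = 1 }
                 END { exit !found }'
}

# Succeeds when |offset| <= MAX_SKEW; returns 2 when $1 is not an integer.
skew_ok() {
    off=${1#-}
    case "$off" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$off" -le "$MAX_SKEW" ]
}

# Reads an Apache error log on stdin and prints "count client" for every
# client that triggered the error from section 7.3, most frequent first.
# Handles "[client 192.0.2.10]" and the Apache 2.4 form "[client 192.0.2.10:51234]".
skew_clients() {
    awk '/Clock skew too great/ {
             client = "unknown"
             for (i = 1; i < NF; i++)
                 if ($i == "[client") {
                     client = $(i + 1)
                     sub(/\]$/, "", client)        # closing bracket
                     sub(/:[0-9]+$/, "", client)   # trailing :port, if any
                 }
             n[client]++
         }
         END { for (c in n) print n[c], c }' | sort -rn
}

# Constructed sample data (not captured from a real system).
SAMPLE_ADS_INFO='LDAP server name: dc.test.demo
Realm: TEST.DEMO
Bind Path: dc=test,dc=demo
LDAP port: 389
Server time offset: 412'

SAMPLE_ERROR_LOG='[Mon Jul 20 16:08:51 2015] [auth_kerb:error] [pid 2101] [client 192.0.2.10:51234] krb5_get_init_creds_password() failed: Clock skew too great
[Mon Jul 20 16:09:02 2015] [auth_kerb:error] [pid 2101] [client 192.0.2.11:40022] krb5_get_init_creds_password() failed: Clock skew too great
[Mon Jul 20 16:09:40 2015] [auth_kerb:error] [pid 2102] [client 192.0.2.10:51240] krb5_get_init_creds_password() failed: Clock skew too great
[Mon Jul 20 16:10:00 2015] [mpm_prefork:notice] [pid 2100] AH00163: Apache configured -- resuming normal operations'

offset=$(printf '%s\n' "$SAMPLE_ADS_INFO" | ads_time_offset)
if skew_ok "$offset"; then
    echo "offset ${offset}s: within tolerance"
else
    echo "offset ${offset}s: exceeds ${MAX_SKEW}s, re-run ntpdate and check the ntp service"
fi
printf '%s\n' "$SAMPLE_ERROR_LOG" | skew_clients

# On the Session Manager:
#   net ads info | ads_time_offset
#   skew_clients < /var/log/apache2/error.log
```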


More information

Subversion Plugin HTTPS Kerberos authentication

Subversion Plugin HTTPS Kerberos authentication Subversion Plugin HTTPS Kerberos authentication Introduction Prerequisites Configure the Oracle JRE with Java Cryptography Extension (JCE) Server certificates Prepare and test the domain account Linux

More information

SINGLE SIGN ON. The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server.

SINGLE SIGN ON. The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server. SINGLE SIGN ON The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server. Content 1 Preconditions... 2 1.1 Required Software... 2 1.2 Required

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

How Do I Manage Active Directory

How Do I Manage Active Directory How Do I Manage Active Directory Your Red Box Recorder supports Windows Active Directory integration and Single Sign-On. This Quick Question topic is provided for system administrators and covers the setup

More information

Kerberos and Single Sign On with HTTP

Kerberos and Single Sign On with HTTP Kerberos and Single Sign On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication

More information

DoD Common Access Card Authentication. Feature Description

DoD Common Access Card Authentication. Feature Description DoD Common Access Card Authentication Feature Description UPDATED: 20 June 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

HP Operations Orchestration Software

HP Operations Orchestration Software HP Operations Orchestration Software Software Version: 7.50 Guide to Enabling Single Sign-on Document Release Date: March 2009 Software Release Date: March 2009 Legal Notices Warranty The only warranties

More information

How not to get burned with Filedrawers and AFS

How not to get burned with Filedrawers and AFS How not to get burned with Filedrawers and AFS Simon Wilkinson School of Informatics, University of Edinburgh The University of Edinburgh is a charitable body, registered in Scotland,

More information

Using Kerberos Authentication in a Reverse Proxy Environment

Using Kerberos Authentication in a Reverse Proxy Environment Using Kerberos Authentication in a Reverse Proxy Environment Legal Notice Copyright 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Flush Dns Settings Linux Redhat 5 Step Step Pdf

Flush Dns Settings Linux Redhat 5 Step Step Pdf Flush Dns Settings Linux Redhat 5 Step Step Pdf How to setup a named DNS service on Redhat 7 Linux Server. ( 1, Serial 3h, Refresh after 3 hours 1h, Retry after 1 hour 1w, Expire after 1 week 1h ) As a

More information

LIP for Windows Server Infrastructure Automation Via Ansible Devops Tool

LIP for Windows Server Infrastructure Automation Via Ansible Devops Tool LIP for Windows Server Infrastructure Automation Via Ansible Devops Tool This document provides the details about ansible automation for Windows server infrastructure. Author : Sangeetha Sangeetha@cloudnloud.com

More information

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

Likewise Open provides smooth integration with Active Directory environments. We show you how to install Open provides smooth integration with Active Directory environments. We show you how to install and configure the admin-friendly authentication system. BY WALTER NEU he Open authentication system [1] integrates

More information

Single Sign On (SSO) with Polarion 17.3

Single Sign On (SSO) with Polarion 17.3 SIEMENS Single Sign On (SSO) with Polarion 17.3 POL007 17.3 Contents Configuring single sign-on (SSO)......................................... 1-1 Overview...........................................................

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

How does it look like?

How does it look like? EasyAdmin Windows Authentication KB4031b 1 The OpenLM EasyAdmin administrative web interface incorporates a role-based security access scheme, facilitating different levels of access to different role

More information

SAS Viya 3.3 Administration: Authentication

SAS Viya 3.3 Administration: Authentication SAS Viya 3.3 Administration: Authentication Authentication: Overview...................................................................... 1 Authentication: How To........................................................................

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

Tuesday, July 2, 13. intentionally left blank

Tuesday, July 2, 13. intentionally left blank intentionally left blank getting django to play with old friends getting django to play with old friends or foes Lynn Root River Bar, 2013 Red Hat @ roguelynn roguelynn.com Lynn Root freeipa.org Lynn Root

More information

Authenticating and Importing Users with AD and LDAP

Authenticating and Importing Users with AD and LDAP Purpose This document describes how to integrate with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). This allows user authentication and validation through the interface. This is

More information

Novell Kerberos Login Method for NMASTM

Novell Kerberos Login Method for NMASTM Novell Kerberos Login Method for NMASTM 1.0 ADMINISTRATION GUIDE www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Microsoft Exchange Proxy Settings Outlook 2010 Gpo

Microsoft Exchange Proxy Settings Outlook 2010 Gpo Microsoft Exchange Proxy Settings Outlook 2010 Gpo Cloud App Encryption supports Microsoft Outlook 2010 and 2013 for Windows. accounts for each user in Microsoft Office 365 and the Outlook proxy settings

More information

VIRTUAL GPU LICENSE SERVER VERSION AND 5.1.0

VIRTUAL GPU LICENSE SERVER VERSION AND 5.1.0 VIRTUAL GPU LICENSE SERVER VERSION 2018.06 AND 5.1.0 DU-07754-001 _v6.0 through 6.2 July 2018 User Guide TABLE OF CONTENTS Chapter 1. Introduction to the NVIDIA vgpu Software License Server... 1 1.1. Overview

More information

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA Solution for Integrating Authentication using IWA BCAAA Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

PAN 802.1x Connector Application Installation Guide

PAN 802.1x Connector Application Installation Guide PAN 802.1x Connector Application Installation Guide Version 1.2 "Copyright CodeCentrix. All rights reserved 2015. Version 1.2 Contact Information CodeCentrix www.codecentrix.co.za/contact Email: info@codecentrix.co.za

More information

Redhat OpenStack 5.0 and PLUMgrid OpenStack Networking Suite 2.0 Installation Hands-on lab guide

Redhat OpenStack 5.0 and PLUMgrid OpenStack Networking Suite 2.0 Installation Hands-on lab guide Redhat OpenStack 5.0 and PLUMgrid OpenStack Networking Suite 2.0 Installation Hands-on lab guide Oded Nahum Principal Systems Engineer PLUMgrid EMEA November 2014 Page 1 Page 2 Table of Contents Table

More information

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Webthority can provide single sign-on to web applications using one of the following authentication methods: Webthority HOW TO Configure Web Single Sign-On Webthority can provide single sign-on to web applications using one of the following authentication methods: HTTP authentication (for example Kerberos, NTLM,

More information

Authenticating and Importing Users with Active Directory and LDAP

Authenticating and Importing Users with Active Directory and LDAP Purpose This document describes how to integrate Nagios with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to allow user authentication and validation with an AD or LDAP infrastructure

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x Copyright Informatica LLC 2015, 2017. Informatica Corporation. No part of this document may be reproduced

More information

Authenticating and Importing Users with AD and LDAP

Authenticating and Importing Users with AD and LDAP Purpose This document describes how to integrate with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). This allows user authentication and validation through the interface. This is

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Active Directory Integration. Documentation. v1.00. making your facilities work for you!

Active Directory Integration. Documentation.  v1.00. making your facilities work for you! Documentation http://mid.as/ldap v1.00 making your facilities work for you! Table of Contents Table of Contents... 1 Overview... 2 Pre-Requisites... 2 MIDAS... 2 Server... 2 End Users... 3 Configuration...

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager. IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS VMware Identity Manager February 2017 V1 1 2 Table of Contents Overview... 5 Benefits of BIG-IP APM and Identity

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Copyright and Trademarks

Copyright and Trademarks Copyright and Trademarks Specops Password Reset is a trademark owned by Specops Software. All other trademarks used and mentioned in this document belong to their respective owners. 2 Contents Key Components

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Configuring Kerberos

Configuring Kerberos Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption

More information

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Unified Communications Manager Version 10.5 SAML SSO Configuration Example Unified Communications Manager Version 10.5 SAML SSO Configuration Example Contents Introduction Prerequisites Requirements Network Time Protocol (NTP) Setup Domain Name Server (DNS) Setup Components Used

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

White Paper. Fabasoft on Linux - Fabasoft Folio Web Management. Fabasoft Folio 2017 R1 Update Rollup 1

White Paper. Fabasoft on Linux - Fabasoft Folio Web Management. Fabasoft Folio 2017 R1 Update Rollup 1 White Paper Fabasoft on Linux - Fabasoft Folio Web Management Fabasoft Folio 2017 R1 Update Rollup 1 Copyright Fabasoft R&D GmbH, Linz, Austria, 2018. All rights reserved. All hardware and software names

More information

Kerberos and Active Directory symmetric cryptography in practice COSC412

Kerberos and Active Directory symmetric cryptography in practice COSC412 Kerberos and Active Directory symmetric cryptography in practice COSC412 Learning objectives Understand the function of Kerberos Explain how symmetric cryptography supports the operation of Kerberos Summarise

More information

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2017 R1 Update Rollup 1

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2017 R1 Update Rollup 1 White Paper Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System Fabasoft Folio 2017 R1 Update Rollup 1 Copyright Fabasoft R&D GmbH, Linz, Austria, 2018. All rights reserved.

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Two factor authentication for Apache using mod_auth_xradius

Two factor authentication for Apache using mod_auth_xradius Two factor authentication for Apache using mod_auth_xradius sandbox-logintc.com/docs/connectors/apache_alt.html Introduction LoginTC makes it easy for administrators to add multi-factor to Apache. This

More information

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud Horizon DaaS Platform 6.1 Service Provider Installation - vcloud This guide provides information on how to install and configure the DaaS platform Service Provider appliances using vcloud discovery of

More information

TIBCO ActiveMatrix BPM Single Sign-On

TIBCO ActiveMatrix BPM Single Sign-On TIBCO ActiveMatrix BPM Single Sign-On Software Release 4.1 May 2016 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Deploy the ExtraHop Discover Appliance 1100

Deploy the ExtraHop Discover Appliance 1100 Deploy the ExtraHop Discover Appliance 1100 Published: 2018-07-17 The following procedures explain how to deploy an ExtraHop Discover appliance 1100. System requirements Your environment must meet the

More information

Configuring Kerberos based SSO in Weblogic Application server Environment

Configuring Kerberos based SSO in Weblogic Application server Environment IBM Configuring Kerberos based SSO in Weblogic Application server Environment Kerberos configuration Saravana Kumar KKB 10/11/2013 Saravana, is working as a Staff Software Engineer (QA) for IBM Policy

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

SMS 2.0 SSO / LDAP Launch Kit

SMS 2.0 SSO / LDAP Launch Kit SMS 2.0 SSO / LDAP Launch Kit Table of Contents What options are available in SMS 2.0 for Single Sign On?... 4 LDAP (Lightweight Directory Access Protocol)... 4 SkySSO (Skyward Single Sign On)... 4 SkySTS

More information

Connector. Installing and Configuring the Client

Connector. Installing and Configuring the Client LastPass Active Connector Directory The LastPass Active Directory Connector Client is a windows service that is run locally and can be downloaded from the Admin Dashboard. It connects to your Active Directory

More information

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0 NetIQ Advanced Authentication Framework Deployment Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 NetIQ Advanced Authentication Framework Deployment 4

More information

Bomgar Vault Server Installation Guide

Bomgar Vault Server Installation Guide Bomgar Vault 17.2.1 Server Installation Guide 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Configuring Kerberos

Configuring Kerberos Configuring Kerberos Last Updated: January 26, 2012 Finding Feature Information, page 1 Information About Kerberos, page 1 How to Configure Kerberos, page 5 Kerberos Configuration Examples, page 13 Additional

More information

VMware AirWatch Certificate Authentication for EAS with ADCS

VMware AirWatch Certificate Authentication for EAS with ADCS VMware AirWatch Certificate Authentication for EAS with ADCS For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Okta Integration Guide for Web Access Management with F5 BIG-IP

Okta Integration Guide for Web Access Management with F5 BIG-IP Okta Integration Guide for Web Access Management with F5 BIG-IP Contents Introduction... 3 Publishing SAMPLE Web Application VIA F5 BIG-IP... 5 Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP...

More information

Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording

Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording Contents 1 About This Document... 2 2 Overview... 2 3 Before You Begin... 2 4 Deploying ObserveIT with IBM

More information

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016 ZENworks 11 Support Pack 4 User Source and Authentication Reference October 2016 Legal Notices For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

HP Operations Orchestration Software

HP Operations Orchestration Software HP Operations Orchestration Software Software Version: 9.00 Procedure and Technical Support Best Practices for Configuring SSO using Active Directory George Daflidis-Kotsis GSD OO Support - Hewlett-Packard

More information

Cloud Access Manager Configuration Guide

Cloud Access Manager Configuration Guide Cloud Access Manager 8.1.3 Configuration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

ULTEO OPEN VIRTUAL DESKTOP CENTOS 6.0 SUPPORT

ULTEO OPEN VIRTUAL DESKTOP CENTOS 6.0 SUPPORT ULTEO OPEN VIRTUAL DESKTOP V4.0.2 CENTOS 6.0 SUPPORT Contents 1 Prerequisites: CentOS 6.0 3 1.1 System Requirements.............................. 3 1.2 SELinux....................................... 3

More information

CLI users are not listed on the Cisco Prime Collaboration User Management page.

CLI users are not listed on the Cisco Prime Collaboration User Management page. Cisco Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

TIBCO Spotfire Connecting to a Kerberized Data Source

TIBCO Spotfire Connecting to a Kerberized Data Source TIBCO Spotfire Connecting to a Kerberized Data Source Introduction Use Cases for Kerberized Data Sources in TIBCO Spotfire Connecting to a Kerberized Data Source from a TIBCO Spotfire Client Connecting

More information

SecurEnvoy Microsoft Server Agent Installation and Admin Guide v9.3

SecurEnvoy Microsoft Server Agent Installation and Admin Guide v9.3 SecurEnvoy Microsoft Server Agent Installation and Admin Guide v9.3 SecurEnvoy Microsoft Server Agent Guide Contents 1.1 PREREQUISITES... 3 OVERVIEW OF INSTALLATION FILES... 3 IIS PRE-REQUISITES... 3 OTHER

More information

BI Office. Kerberos and Delegation Version 6.5

BI Office. Kerberos and Delegation Version 6.5 Kerberos and Delegation Version 6.5 Copyright BI Office Analytics 2010-2018 I. Overview... 3 II. Delegation Introduction... 5 A. Kerberos Prerequisites... 5 B. Application... 5 C. General Mechanics...

More information

AUTHENTICATION APPLICATION

AUTHENTICATION APPLICATION AUTHENTICATION APPLICATION WHAT IS KERBEROS? Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

More information

SSO Plugin. J System Solutions. Troubleshooting SSO Plugin - BMC AR System & Mid Tier.

SSO Plugin. J System Solutions. Troubleshooting SSO Plugin - BMC AR System & Mid Tier. SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier J System JSS SSO Plugin Troubleshooting Introduction... 3 Common investigation methods... 4 Log files... 4 Fiddler... 6 Download Fiddler...

More information

SecurEnvoy Microsoft Server Agent

SecurEnvoy Microsoft Server Agent SecurEnvoy Microsoft Server Agent SecurEnvoy Global HQ Merlin House, Brunel Road, Theale, Reading. RG7 4TY Tel: 0845 2600010 Fax: 0845 260014 www.securenvoy.com SecurEnvoy Microsoft Server Agent Installation

More information

Remote Support Security Provider Integration: RADIUS Server

Remote Support Security Provider Integration: RADIUS Server Remote Support Security Provider Integration: RADIUS Server 2003-2019 BeyondTrust Corporation. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust Corporation. Other trademarks

More information

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0 VIRTUAL GPU LICENSE SERVER VERSION 2018.10, 2018.06, AND 5.1.0 DU-07754-001 _v7.0 through 7.2 March 2019 User Guide TABLE OF CONTENTS Chapter 1. Introduction to the NVIDIA vgpu Software License Server...
