Even if SSO authentication was set up as described in this document, there can nevertheless be occasions when logging on with SSO does not work. In this case, double-check the following settings.

Checking Server-Side Settings

  • Copy the keytab file created on the domain server to the engineering server and activate it with the following command:

/usr/share/viewpoint/bin/viewpoint-msad.sh set enabled=true principal=HTTP/[server hostname].[domain]@[realm] suffix=@[realm] keytab=[path to created .keytab]

Principal parameter

The principal parameter is derived from the parameters resulting from the configuration of the MSAD server. For more information refer to: Creating the Keytab File. It consists of the hostname of the Siveillance Control server, the domain name, and the realm name (which is often identical with the domain name).

The format is always defined as follows: HTTP/[hostname].[domainname]@[realmname]

Suffix parameter

The suffix parameter is always the part at the end of the principal parameter that starts with the @ sign: @[realmname]

For example:

/usr/share/viewpoint/bin/viewpoint-msad.sh set enabled=true principal=HTTP/tomdomain.siemens.com@siemens.com suffix=@siemens.com keytab=/etc/viewpoint/default.keytab

  • Check that SSO is correctly installed on the server by entering the following command:
    /usr/share/viewpoint/bin/viewpoint-msad.sh show
  • The configuration of the MSAD settings is displayed.

Authentication with MSAD enabled:

enabled: true

principal: HTTP/vp-server-eng.bt.mchp.intern@bt.mchp.intern

suffix: @bt.mchp.intern

keytab: /etc/viewpoint/vp-server-eng.keytab

  • Check the following:
      • enabled is true.
      • The principal name matches the name configured in the MSAD server.
      • No warning is displayed. Only then is the keytab file configured correctly for the current server.
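
The checks listed above can be scripted. The following is an added example, not part of the product or its documentation: a shell function that reads the output of the show command and tests each point. The function names, the optional expected-FQDN argument, and the way a warning line is detected are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): sanity-check "viewpoint-msad.sh show" output.
# Usage: viewpoint-msad.sh show | check_msad_show [expected-server-fqdn]
# Prints one line per problem; returns 0 if all checks pass, 1 otherwise.
check_msad_show() {
    expected_host=${1:-}
    out=$(cat)
    # field KEY: value of the first "KEY: value" line, outer whitespace trimmed.
    field() {
        printf '%s\n' "$out" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
            sed -e 's/[[:space:]]*$//' -e q
    }
    enabled=$(field enabled); principal=$(field principal)
    suffix=$(field suffix); keytab=$(field keytab)
    rc=0
    [ "$enabled" = "true" ] || { echo "enabled is '$enabled', expected 'true'"; rc=1; }
    # Principal format from the page: HTTP/[hostname].[domainname]@[realmname]
    case "$principal" in
        *" "*) echo "principal '$principal' contains a space"; rc=1 ;;
        HTTP/?*.?*@?*) ;;
        *) echo "principal '$principal' is not HTTP/[hostname].[domainname]@[realmname]"; rc=1 ;;
    esac
    # Suffix must be the trailing @[realmname] part of the principal.
    realm="@${principal##*@}"
    [ "$suffix" = "$realm" ] || { echo "suffix '$suffix' does not match '$realm'"; rc=1; }
    # Optional: the host part of the principal must be this server's FQDN.
    host=${principal#HTTP/}; host=${host%@*}
    if [ -n "$expected_host" ] && [ "$host" != "$expected_host" ]; then
        echo "principal host '$host' is not '$expected_host'"; rc=1
    fi
    [ -n "$keytab" ] || { echo "no keytab path is configured"; rc=1; }
    # Assumption: a warning line contains the word "warning"; the page does not
    # show the exact wording.
    if printf '%s\n' "$out" | grep -qi 'warning'; then
        echo "show output contains a warning"; rc=1
    fi
    return "$rc"
}

# Constructed sample, modelled on the output format shown above.
sample_show() {
    printf '%s\n' 'enabled: true' \
        'principal: HTTP/vp-server-eng.bt.mchp.intern@bt.mchp.intern' \
        'suffix: @bt.mchp.intern' \
        'keytab: /etc/viewpoint/vp-server-eng.keytab'
}

sample_show | check_msad_show vp-server-eng.bt.mchp.intern && echo "MSAD settings are consistent"
```

The script cannot confirm that the principal matches the entry on the MSAD server; that comparison still has to be made against the Active Directory configuration.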

Checking Browser Settings

Internet Explorer: Activate Windows Authentication

  1. Activate Windows authentication in Internet Explorer by selecting Tools > Internet Options > Advanced > Settings > Security.
  2. Restart the computer.

Internet Explorer: Log in Automatically with User Name and Password

To avoid unnecessary password prompts, you can set up the SSO login in the browser as a standard procedure.

  1. Select Tools > Internet Options > Security > [zone_of_siveillancecontrol server] and click Custom Level.
  2. In the Security Settings, navigate to User Authentication > Logon.
  3. Select the Automatic logon with current user name and password option.

Firefox: Setting the Hostname as Trusted URL

If Firefox is used as the browser, the hostname of the Siveillance Control server must be registered as a trusted URL.

  1. Enter about:config in the address bar.
  2. Enter trusted in the Search field.
  3. Navigate to network.negotiate-auth.trusted-uris and click on the Edit button.
  4. Enter the hostname.
  5. Click on the Save button.

Checking Client-Side Settings

If SSO authentication is still not working, check the following points in the client:

  1. Check if the browser is configured as described in Checking Browser Settings.
  2. Use ping to check if the MSAD server and the Siveillance Control server can be accessed from the client.
  3. Make sure that the name of the Siveillance Control server is not entered in the hosts file (C:\Windows\System32\drivers\etc\hosts) on the client. Otherwise, the IP address of the Siveillance Control server may not be resolved using DNS, but rather statically using the value in the hosts file, which leads to problems in practice.
  4. Make sure that nslookup provides the correct DNS resolution for the Siveillance Control server:
  5. Make sure that the established IP address and the name are correct.
  6. Make sure that the system time on the client does not differ from the system time on the MSAD server and the Siveillance Control server by more than one minute. A reasonable solution is to use an NTP server to set up automatic time synchronization on the Siveillance Control server.

Adjusting the MSAD Server

If the previous steps do not lead to successful SSO authentication, adjust the MSAD Server.

  1. Delete all entries for the Siveillance Control server in the Active Directory.
  2. Recreate the entries.
  3. Regenerate the keytab file.
  4. Copy the keytab file to the Siveillance Control server.