You have to configure the MSAD server to enable SSO.

Preparing the Windows DC/DNS Server

  • The standard Users OU is displayed.
  1. Create a Siveillance Control domain.
  2. Export the Siveillance Control user object as an LDIF file by running the following command:
     ldifde -f exportuser.ldf -s [host] -d "cn=Users,dc=[context]" -l DistinguishedName,givenName,objectClass,sn,samAccountName,memberOf -r
  • host: Hostname of the Windows DS Server.
  • context: Context in Active Directory, for example dc=bt.
  • samAccountName: The name of the newly created user, for example Siveillance Control.
  3. Create a System Users OU below the root domain.
  4. Enter all participating hosts in the Windows Server DNS.

Creating the Keytab File

With the script for creating the keytab files, you can automate the following tasks:

  • Creating the user object in the AD in the System Users OU for the respective Linux host.
  • Setting Service Principal Names (SPN) for the generated object.
  • Creating keytab files in the c:\temp directory.
  1. Copy the following script to a text editor:

@REM "dryrun=@echo" activates dry-run mode
set dryrun=@echo
set dryrun=

set HOSTNAME=MHFR1113V-RT
@REM Case sensitivity may matter and must be observed.
set DOMAIN=bt.mchp.internal
set REALM=bt.mchp.internal
set FQHN=%HOSTNAME%.%DOMAIN%
@REM Important: The value of the SAMID parameter must not be too long, otherwise: "The specified name has an incorrect format for an account name"
set SAMID=Siemens_%HOSTNAME%
set DN="CN=%SAMID%,OU=System Users,DC=bt,DC=mchp,DC=internal"
set PASSWORD=xyz

@REM Do not use port definitions in FQHN.
set SPN=HTTP/%FQHN%

set KTPASS_PRINCIPAL=%SPN%@%REALM%

@REM create user
%dryrun% dsadd user %DN% -samid %SAMID% -upn "%SAMID%@%REALM%" -ln %SAMID% -pwd %PASSWORD% -mustchpwd no -canchpwd no -pwdneverexpires yes -disabled no
@echo

@REM Add SPN
%dryrun% setspn -S %SPN% %SAMID%
@echo

@REM export keytab
%dryrun% if not exist "C:\temp" mkdir C:\temp
%dryrun% ktpass -out C:\temp\%HOSTNAME%.keytab -princ %KTPASS_PRINCIPAL% -pass %PASSWORD% -ptype KRB5_NT_PRINCIPAL -kvno 0
%dryrun% dir C:\temp\%HOSTNAME%.keytab

@REM exit /B
Pause

  2. Replace the following values:
  • hostname: Enter the hostname of the corresponding Linux host.
  • domain: Enter the FQDN of the domain.
  • realm: Enter the FQDN of the domain.
  • samid: Enter [prefix]-[hostname].
  • dn: Context in the AD where the objects are stored.
  • password: Assign a password.
  3. Save the script as a .txt file.
  4. Change the extension to .bat.
  5. Open a terminal window on the Windows server as administrator.
  6. Run the .bat file for every Linux host.
  • A user object with a name in the format [prefix]-[hostname] is created for each Siveillance Control server.
  • The keytab files [hostname of Siveillance Control server].keytab for the Siveillance Control servers are created in the c:\temp directory.
  7. For each Siveillance Control server, copy the created keytab file [hostname of Siveillance Control server].keytab from C:\temp\ on the Windows server to the directory /etc/viewpoint on the corresponding Siveillance Control server.
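Added example, not from the original documentation or the product: a Python check of the keytab copied to /etc/viewpoint, verifying that it contains exactly the principal the script builds from SPN and REALM (HTTP/%FQHN%@%REALM%). build_keytab only constructs sample bytes for the demonstration; the realm spelling and the kvno in the sample are assumptions, and the check reports a case-only mismatch separately because Kerberos compares realms case-sensitively.

```python
import struct

def build_keytab(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """One-entry keytab in MIT version-2 layout, the format ktpass writes (name type 1 = KRB5_NT_PRINCIPAL)."""
    octets = lambda s: struct.pack(">H", len(s)) + s.encode()  # Kerberos counted_octet_string
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + octets(realm) + b"".join(octets(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list[dict]:
    """Principal, kvno and enctype of every live entry in a version-2 keytab."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    def cstr() -> str:  # read one counted_octet_string at pos
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _, _, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit vno is optional
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def check_keytab(data: bytes, expected: str) -> list[str]:
    """Problems found when the keytab is checked against the script's SPN@REALM; empty means OK."""
    names = [e["principal"] for e in parse_keytab(data)]
    if expected in names:
        return []
    near = [n for n in names if n.lower() == expected.lower()]
    if near:
        return [f"case mismatch: keytab has {near[0]}, expected {expected}"]
    return [f"{expected} not in keytab, found {names}"]
```

On the Siveillance Control server, read /etc/viewpoint/[hostname].keytab in binary mode and pass the bytes to check_keytab together with the HTTP/[FQHN]@[REALM] value the script used.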

Time Server on the DC

The individual Siveillance Control components must use the same time setting, because Kerberos rejects tickets when clocks differ by more than the permitted skew (5 minutes by default). Since Windows clients that are members of a domain take their time from the DC, a time server should be referenced on the DC (w32tm /config /manualpeerlist:[time server IP] /syncfromflags:manual). The same applies to the Linux components of Siveillance Control.

Adapting the Siveillance Control Client Computer

You have to adapt the Siveillance Control client computer for the use of SSO.

  1. Add the W10 host (Siveillance Control client computer) to the Windows domain.
  2. Change the hostname to the name specified in the DNS entry.
  3. Enter the correct IP address of the DNS server. The IP address must match your Windows domain.
  4. Make sure that JRE >=1.8.0.301-b09 is installed on the W10 host. Compatibility with more recent versions is possible, but not guaranteed.

Importing the LDIF File

Before the SSO authentication can be used, you have to import the LDIF file with the MSAD users.

  1. Open the engineering client.
  2. Log on as local user.
  3. Make sure that the Use Windows session authentication check box is marked.
  4. Open the Engineering perspective.
  5. Click Import Data.
  6. Select LDIF-Import.
  7. Select the import settings.
  8. Click Finish.
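An added example, not part of the original documentation, for the ldifde export in "Preparing the Windows DC/DNS Server" and the import step above: a small parser for the exported LDIF file and a check that the Siveillance Control user object is complete before it is imported. SAMPLE_LDIF is a constructed stand-in for the export (not a real ldifde result); the attributes it checks are the ones the page's -l list exports.

```python
import base64

# Constructed sample of what the page's ldifde export (-l DistinguishedName,givenName,objectClass,
# sn,samAccountName,memberOf -r) yields for the SSO user; not a real export.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Siveillance Control,CN=Users,DC=bt",
    "objectClass: organizationalPerson",
    "objectClass: user",
    "givenName: Siveillance",
    "sn: Control",
    "sAMAccountName:: " + base64.b64encode(b"Siveillance Control").decode(),  # base64-encoded value
    "memberOf: CN=Domain Users,CN=Users,DC=bt",
    "memberOf: CN=Siveillance Operators,OU=Grou",
    " ps,DC=bt",  # ldifde folds long lines; a leading space continues the previous line
    "",
])

def parse_ldif(text: str) -> list[dict]:
    """Parse LDIF records into dicts mapping lowercase attribute name -> list of values."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # unfold continuation lines first
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], {}
    for line in lines + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):  # "attr:: <base64>"
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return records

def check_export(text: str, sam_account_name: str) -> list[str]:
    """Problems found in the export for the SSO user; an empty list means it is ready to import."""
    rec = next((r for r in parse_ldif(text) if sam_account_name in r.get("samaccountname", [])), None)
    if rec is None:
        return [f"no object with sAMAccountName '{sam_account_name}' in export"]
    problems = []
    if "user" not in rec.get("objectclass", []):
        problems.append("object is not of objectClass user")
    problems += [f"attribute {a} missing" for a in ("givenname", "sn", "memberof") if a not in rec]
    return problems
```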

Adapting the Siveillance Control Server

  1. Change the hostname in the /etc/hostname file.
  2. Change the /etc/resolv.conf file.
  3. If the Siveillance Control server was installed with NetworkManager, NetworkManager must also be used when changing the resolv.conf file (nmtui). Otherwise the resolv.conf file will be overwritten when the server is restarted.
  4. Adapt the /etc/hosts file.
  5. Enter the correct IP address of the DNS server. The IP address must match your Windows domain.
  6. If Siveillance Control is already installed on the server, make sure that new certificates are created and imported to all Windows clients.