How do I set up Kerberos authentication for single sign-on (SSO) in Portfolio 2016?
To configure Portfolio 2016 for single sign-on for connections to Portfolio Web, the following must be true:
If these conditions are met, a user can connect to Portfolio with a supported web browser and Portfolio Web will use Kerberos to log in, bypassing the login window.
Kerberos requires a service principal name (SPN) for Portfolio; in Active Directory, SPNs are tied to a user account or service account. You can use the same Active Directory account that the Portfolio services run under. In order for Kerberos authentication to work, the service account must have a non-expiring password.
To create an SPN for Portfolio, you must know the fully-qualified domain name (FQDN) of the server Portfolio runs on (for example, portfolio.example.org). This cannot be an alias; if you use nslookup on the server’s IP address, it should return the canonical name of the server.
The setspn command is used on the domain controller to create the SPN. The examples below use a service account name of “EXAMPLE\portfoliosvc” and an FQDN of “portfolio.example.org”.
setspn -A HTTP/portfolio.example.org EXAMPLE\portfoliosvc
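The checks in the two paragraphs above (canonical host name, non-expiring service-account password, one SPN per account) are easy to get wrong by hand, and a wrong or duplicated SPN usually shows up only as a silent fallback to NTLM or a login prompt. The following script is an added example, not part of the Extensis article, that runs those checks before registering the SPN. It assumes an elevated PowerShell session on a domain-joined Windows server with the RSAT ActiveDirectory and DnsClient modules, the account EXAMPLE\portfoliosvc and the server portfolio.example.org from the article; it uses setspn -S, which does the same as the article's setspn -A but refuses to create a duplicate.

```powershell
# Added example (not from the article): Kerberos SPN preflight and registration for
# Portfolio Web. Assumes RSAT ActiveDirectory + DnsClient modules and an elevated session.
param(
    [string]$Fqdn    = 'portfolio.example.org',   # canonical name of the Portfolio server
    [string]$Account = 'portfoliosvc',             # account the Portfolio services run under
    [string]$Domain  = 'EXAMPLE'                   # NetBIOS domain name
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$spn = "HTTP/$Fqdn"

# 1. The SPN host must be the canonical name, not an alias: forward-resolve the FQDN,
#    then reverse-resolve the address and require the PTR to come back to the same name.
$a = Resolve-DnsName -Name $Fqdn -Type A | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $a) { throw "No A record for $Fqdn" }
$ptr = (Resolve-DnsName -Name $a.IPAddress -Type PTR).NameHost
if ($ptr -ne $Fqdn) {
    throw "Reverse lookup of $($a.IPAddress) returned '$ptr', not '$Fqdn'; use the canonical host name"
}

# 2. The service account must have a non-expiring password, or tickets stop being issued
#    the day the password expires.
$adUser = Get-ADUser -Identity $Account -Properties PasswordNeverExpires, ServicePrincipalNames
if (-not $adUser.PasswordNeverExpires) {
    throw "$Domain\$Account does not have 'Password never expires' set"
}

# 3. An SPN registered on two accounts breaks Kerberos for that service entirely.
if ($adUser.ServicePrincipalNames -contains $spn) {
    Write-Host "$spn is already registered on $Domain\$Account; nothing to do"
    return
}
$existing = & setspn.exe -Q $spn
if (($existing -join "`n") -match 'Existing SPN found') {
    throw "$spn is already registered on another account:`n$($existing -join "`n")"
}

# 4. Register. -S checks the forest for duplicates before writing (-A, as in the article,
#    writes unconditionally).
& setspn.exe -S $spn "$Domain\$Account"
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Show the result so the registration can be confirmed in the same session.
& setspn.exe -L "$Domain\$Account"
```

Run it once per Portfolio server; if the server is also reached through an HTTPS host name or a non-standard port, those need their own SPN entries, which this script does not add.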
We support using Kerberos authentication in the following browsers:
If you are logged in as an administrator on your Mac, you can create a preferences .plist file to specify the Portfolio server for single sign-on in Google Chrome.
Open the Terminal application. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.
sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"
Enter your password when prompted.
If you are not an administrator, or want to create a .plist file to be deployed to multiple machines, the following command will create the file on your Desktop. You can place it into /Library/Preferences/ or use Remote Desktop or a similar network management tool to push the configuration file to more than one Mac.
defaults write ~/Desktop/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"
Once the file has been placed in /Library/Preferences/, restart Chrome.
You can create a registry entry to specify the Portfolio server for single sign-on in Google Chrome.
Open a Command Prompt with administrator privileges. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.
reg add HKLM\Software\Policies\Google\Chrome /v AuthServerWhitelist /t REG_SZ /d "portfolio.example.org"
You can push the same registry key for Windows PCs on your domain using Group Policy. Once the registry setting takes effect, restart Chrome.
Open a browser window. In the address bar, type about:config and then hit Enter.
Firefox will display a warning similar to the one below. Click “I accept the risk”.
In the search text box, type “network.negotiate-auth” and hit Enter.
Open the Control Panel and select Internet Options. In Internet Properties, click on the Security tab and select the “Local Intranet” zone.
Click the “Sites” button. If “Include all sites that bypass the proxy server” is unchecked, uncheck “Automatically detect intranet network” and then check “Include all sites that bypass the proxy server”.
Click the Advanced button. Enter the FQDN for the Portfolio server and click Add, then click Close. Close the Internet Properties dialog.
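The Chrome registry policy above and the Internet Explorer zone settings just described both end up as registry values, so they can be applied by script instead of through the dialogs. The following is an added example, not part of the Extensis article, that writes both for one Portfolio server and reads them back. It assumes the FQDN portfolio.example.org and an elevated session for the machine-wide Chrome policy; the zone mapping is written to the current user's hive, which is where the Internet Options dialog stores it (the domain-wide equivalent is the Group Policy "Site to Zone Assignment List"). It also writes the newer Chrome policy name AuthServerAllowlist, which replaced AuthServerWhitelist in Chrome 86; that name is not in the article.

```powershell
# Added example (not from the article): script the Chrome policy and the IE Local Intranet
# zone mapping for the Portfolio server. Assumes an elevated PowerShell session.
param([string]$Fqdn = 'portfolio.example.org')
$ErrorActionPreference = 'Stop'

function Set-ChromeKerberosPolicy {
    param([string]$Server)
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Same value the article's "reg add" writes; AuthServerAllowlist is the name used by
    # Chrome 86 and later, so both are written to cover old and new builds.
    foreach ($name in 'AuthServerWhitelist', 'AuthServerAllowlist') {
        New-ItemProperty -Path $key -Name $name -PropertyType String -Value $Server -Force | Out-Null
    }
    # Read back what Chrome will see (chrome://policy shows the same value after a restart).
    return (Get-ItemProperty -Path $key).AuthServerWhitelist
}

function Set-IntranetZone {
    param([string]$Server)
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    # Mirror the dialog: "Automatically detect intranet network" off,
    # "Include all sites that bypass the proxy server" on.
    New-ItemProperty -Path $zoneMap -Name 'AutoDetect'  -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $zoneMap -Name 'ProxyBypass' -PropertyType DWord -Value 1 -Force | Out-Null

    # The zone map is keyed by parent domain, then host: ...\Domains\example.org\portfolio.
    # A DWORD named after the URL scheme holds the zone number; 1 is "Local intranet".
    $labels    = $Server.Split('.')
    $hostLabel = $labels[0]
    $parent    = ($labels | Select-Object -Skip 1) -join '.'
    $key = "$zoneMap\Domains\$parent\$hostLabel"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
    }
    return (Get-ItemProperty -Path $key).http
}

$chrome = Set-ChromeKerberosPolicy -Server $Fqdn
$zone   = Set-IntranetZone -Server $Fqdn
Write-Host "Chrome AuthServerWhitelist = $chrome; IE zone for $Fqdn = $zone (1 = Local intranet)"
Write-Host 'Restart Chrome and Internet Explorer for the settings to take effect.'
```

Only the host name goes into the zone map and the Chrome allow list: neither accepts a URL with a scheme, and a wildcard such as *.example.org would let any host in the domain receive the user's Kerberos ticket, which is broader than the single server the article configures.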
No special configuration is needed for Safari.