SSO Usage

Version 2

    Setup

    To use SSO with Spark (as of subversion r8551), a few things need to be configured.

    At the login screen, click on 'Advanced' and go to the SSO tab.

    Click on 'Use Single Sign-On via GSSAPI'.  If Spark reports what username it will use, this may be all you need to do.

    If Spark was not able to determine a username to use, click on Ok and exit Spark.  You will need to edit the spark.properties file.

    There are 4 "hidden" properties you can add/edit in this file:

    ssoMethod=string
    ssoRealm=string
    ssoKDC=string
    ssoAdv=boolean

    ssoMethod

    Set ssoMethod to one of file, dns or manual. If not specified, the default is OS dependent (on Windows it is dns, on other systems it is file).

    Set to file to use a krb5.conf or krb5.ini (OS dependent) to determine the realm and KDC information. file is recommended for Unix installations, or when a complex realm setup is needed and DNS is not configured.

    Set to dns to use DNS SRV records to determine the KDC information and TXT records to determine the realm. DNS is recommended for ease of administration, but requires additional setup beyond the default Windows AD DNS records.

    Set to manual to use the ssoRealm and ssoKDC fields.

    ssoRealm

    Set this to the name of the realm to use when ssoMethod is manual.

    ssoKDC

    Set this to the KDC to use when ssoMethod is manual.

    ssoAdv

    Set this to true to allow setting the above options on the SSO tab of the advanced settings in the GUI.  The default is false.

    krb5.conf / krb5.ini

    If you wish to use a krb5.conf or krb5.ini file, you can use the following example:

     

    [libdefaults]
        default_realm = EXAMPLE.COM

    [realms]
        EXAMPLE.COM = {
            kdc = kdc.example.com
            kdc = backupkdc.example.com
            admin_server = kdc.example.com
            default_domain = example.com
        }

    [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

    This file should be placed in /etc/krb5.conf, C:\Windows\krb5.ini, or your OS-specific location.  For more details on the syntax of this file, see [http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#confdoc]


    DNS Records

    To use DNS records, the following must be set up in your DNS zone:

    SRV record

    _kerberos._udp.example.com  Should be a valid SRV record and point to the KDC for your realm.

    TXT record

    _kerberos.example.com  Should be a valid TXT record and contain the name of your Kerberos realm.

     

    Example:

    _kerberos._udp.example.com     7200 IN SRV 0 0 88 kdc.example.com.
    _kerberos._udp.example.com     7200 IN SRV 1 0 88 backupkdc.example.com.
    _kerberos.example.com          7200 IN TXT "EXAMPLE.COM"
    
    
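    As an added example (not Spark's own code), the following Python models how the three ssoMethod values described above determine the realm and KDC list: it reads the hidden spark.properties keys, the krb5.conf example from this page, and SRV/TXT records shaped like the zone entries above, applying the OS-dependent default and the manual-mode requirement for ssoRealm and ssoKDC.  The function names are hypothetical, and the krb5.conf text and DNS record tuples are constructed inline so it runs offline; on a real host the same data would come from the file and from a resolver.

```python
import re
# The krb5.conf example from this page, reduced to the sections this resolver reads.
KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        kdc = backupkdc.example.com
    }
"""

# Constructed stand-in for the zone records above as (owner name, type, rdata),
# deliberately listed out of priority order so the SRV sort is exercised.
DNS_RECORDS = [
    ("_kerberos._udp.example.com", "SRV", "1 0 88 backupkdc.example.com."),
    ("_kerberos._udp.example.com", "SRV", "0 0 88 kdc.example.com."),
    ("_kerberos.example.com", "TXT", "EXAMPLE.COM"),
]

def parse_properties(text):
    """Java-style key=value lines from spark.properties; blank and # comment lines ignored."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def from_file(conf):
    """ssoMethod=file: realm from default_realm, KDCs (in file order) from its [realms] block."""
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf, re.M).group(1)
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S).group(1)
    return realm, re.findall(r"^\s*kdc\s*=\s*(\S+)", block, re.M)

def from_dns(records, domain):
    """ssoMethod=dns: realm from the _kerberos TXT record, KDCs from _kerberos._udp SRV records."""
    txt = [r for n, t, r in records if (n, t) == ("_kerberos." + domain, "TXT")]
    srv = [r.split() for n, t, r in records if (n, t) == ("_kerberos._udp." + domain, "SRV")]
    if not txt or not srv:
        raise LookupError("missing _kerberos TXT or _kerberos._udp SRV record for " + domain)
    srv.sort(key=lambda f: (int(f[0]), -int(f[1])))  # lowest priority first, then heaviest weight
    return txt[0], [f[3].rstrip(".") for f in srv]

def resolve(props, os_name, krb5_conf=None, dns_records=(), domain=None):
    """Apply the ssoMethod rules: OS-dependent default, then file / dns / manual."""
    method = props.get("ssoMethod") or ("dns" if os_name == "Windows" else "file")
    if method == "file":
        return from_file(krb5_conf)
    if method == "dns":
        return from_dns(dns_records, domain)
    if method != "manual":
        raise ValueError("ssoMethod must be file, dns or manual, not %r" % method)
    if not (props.get("ssoRealm") and props.get("ssoKDC")):
        raise ValueError("ssoMethod=manual requires both ssoRealm and ssoKDC")
    return props["ssoRealm"], [props["ssoKDC"]]
```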

    Registry

    You need to modify the registry to allow exporting the TGT, which SSO needs in order to work. Modifying your registry is dangerous; make sure you have proper backups before making any changes to your registry.

    Depending on the OS, the setting is in a different location:

    For Windows 2003 and Windows 2000 SP4:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value: 0x01 (default is 0)

    Here is the location of the registry setting on Windows XP SP2:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value: 0x01