Secure Global Desktop Administration Guide > Users and authentication > Enabling the Active Directory login authority

Enabling the Active Directory login authority

The Active Directory login authority works by authenticating users against a Key Distribution Center (KDC) for a domain and then generating users' webtops using LDAP searches of an Active Directory server. To enable the Active Directory login authority, you need to:

Once the Active Directory login authority is enabled, users can log in to Secure Global Desktop using their user principal name. They then receive the webtop that has been configured for them using:

Configuring Kerberos authentication

To configure Kerberos authentication, follow this process for each Secure Global Desktop server in the array:

  1. Ensure the time on the Secure Global Desktop server is synchronized with the KDC servers in the domains.
  2. Stop the Secure Global Desktop server, tarantella stop.
  3. Create or edit the Kerberos configuration file.
  4. Start the Secure Global Desktop server, tarantella start.

Synchronizing time

The synchronized time between the KDC and the Secure Global Desktop server must be within the Maximum tolerance for computer clock synchronization defined for the Kerberos security policy and the Default domain security policy on the Windows 2000/2003 server.

Kerberos configuration file

The Kerberos configuration file (krb5.conf) specifies which KDC servers Secure Global Desktop authenticates against for a particular domain.

You can either:

The configuration file contains several sections which control Kerberos authentication. As a minimum, the file must contain the following sections:

For example:

[libdefaults]
default_realm = INDIGO-INSURANCE.COM
default_checksum = rsa-md5

[realms]
INDIGO-INSURANCE.COM = {
  kdc = melbourne.indigo-insurance.com
  }
EAST.INDIGO-INSURANCE.COM = {
  kdc = ad01.east.indigo-insurance.com
  kdc = ad02.east.indigo-insurance.com
  }
WEST.INDIGO-INSURANCE.COM = {
  kdc = ad01.west.indigo-insurance.com
  }
  
[domain_realm]
  indigo-insurance.com = INDIGO-INSURANCE.COM
  .east.indigo-insurance.com = EAST.INDIGO-INSURANCE.COM
  east.indigo-insurance.com = EAST.INDIGO-INSURANCE.COM
  .west.indigo-insurance.com = WEST.INDIGO-INSURANCE.COM
  west.indigo-insurance.com = WEST.INDIGO-INSURANCE.COM

Password expiry

Secure Global Desktop can be configured to prompt a user for a new password if their password has expired. To be able to do this:

The libkrb5.so library is usually available on Linux systems. On Solaris, you may have to install it.

On each member of the array, edit the Kerberos configuration file and for each realm add:

For example:

EAST.INDIGO-INSURANCE.COM = {
  kdc = ad01.east.indigo-insurance.com
  kdc = ad02.east.indigo-insurance.com
  admin_server = ad01.east.indigo-insurance.com
  kpasswd_protocol = SET_CHANGE
  }

TCP/UDP preference configuration

When sending messages to the KDC or the Kerberos administration server, Secure Global Desktop uses either the UDP or TCP protocols. The protocol used is determined by the udp_preference_limit line in the [libdefaults] section of the Kerberos configuration file. This line sets the maximum size (in bytes) for packets that can be sent using UDP. If the message is larger than this size, TCP is used. If the KDC or administration server indicates that the package is too big, TCP is used instead. To always use TCP, use udp_preference_limit = 1.

KDC timeout

You can configure a KDC timeout in the event of a failure in the authentication process. The KDC timeout controls how long Secure Global Desktop waits for a reply from a KDC and how many times it tries to contact each KDC.

To set the KDC timeout, add the following lines to the [libdefaults] section of the Kerberos configuration file:

kdc_timeout = time
max_retries = number

The kdc_timeout sets the maximum number milliseconds to wait for a reply from a KDC. The max_retries is the maximum number of times each KDC is tried. The KDCs for each realm are tried in the order they are listed in the [realms] section of the Kerberos configuration file.

If Secure Global Desktop can't contact any KDCs for the user's realm, the authentication phase will fail.

Configuring the LDAP search and default domain details

  1. In Array Manager, open Secure Global Desktop Login properties.
  2. Check the Active Directory login authority box.
  3. In the URL field, enter the name of an Active Directory domain, for example ad://east.indigo-insurance.com.
  4. In the Username and Password fields, enter the details of a user that has privileges to search Active Directory.
  5. In the Base Domain and Default Domain fields, enter the domains you want Secure Global Desktop to use when users enter incomplete domain information when they log in.
  6. Click Apply.

LDAP timeouts

You can configure two LDAP timeouts in the event that the LDAP searches of an Active Directory server fail.

The LDAP discovery timeout controls how long Secure Global Desktop waits for an Active Directory server to respond to the initial contact request. The default is 30 seconds. To change this timeout, run the following command:

tarantella config edit --tarantella-config-ldap-discovery-timeout secs

The LDAP timeout controls how long Secure Global Desktop waits for an Active Directory server to respond to LDAP operations, such as requests for data. The default is 30 seconds. To change this timeout, run the following command:

tarantella config edit --tarantella-config-ldap-timeout secs

With both timeouts, Secure Global Desktop makes two attempts to contact the Active Directory server. If there is no response, Secure Global Desktop tries another Active Directory server. The list of Active Directory servers for a domain is obtained from the Global Catalog. If all Active Directory servers time out, webtop content can't be generated.

LDAP cache

Secure Global Desktop caches the LDAP data it collects from Active Directory. If you find that Secure Global Desktop is not detecting changes, you can manually flush the cached data with the tarantella cache command.

Related topics