Single Sign-On Resource Page
The purpose of this forum post is to document methods, requirements, best practices, etc. regarding Single Sign-On implementation, together with arcplan Enterprise, in various environments and with various technologies (especially database technologies such as TM1, Oracle products, etc.). Accomplishing SSO seems to be a significant challenge in most cases, so if you can add value in any way to this discussion, or see corrections that should be made, please share your experience here.
Taking a look at SSO using Kerberos for general arcplan installations first... from what I can tell, the following requirements seem to be the basis for successful implementation:
- Internet Explorer must be configured to use Integrated Windows Authentication. (more information)
- IIS must be configured to use Integrated Windows Authentication. (more information - IIS 7)
- In Active Directory, check the option "trusted for delegation" for the user and/or machine account(s) running IIS and arcplan.
- In Active Directory, verify that the "Account is sensitive and cannot be delegated" check box is not selected for users who access the application.
- Configure the database connection files in arcplan for Integrated Windows Authentication. (more information)
- If the arcplan Java client is being used, the "Support Kerberos authentication in the Java client" box must be checked in the HTML Start Page dialog box. (more information)
- If the account running the arcplan server is NOT "local system", set up the SPNs for arcplan manually. You can check to see if the SPNs for arcplan are set correctly by consulting the arcserver log. (more information coming soon)
- Check the User Right Assignments under the Local Security Policies for the machine and ensure that the service account being used to log on the arcplan service is assigned to the two policies: Act as part of the Operating System and Impersonate a Client after Authentication. This change requires restarting the machine.
- If the web server and the arcplan server are on different machines, add the line "delegate=true" to the arcCGI.cfg file on the web server.
- Verify that connecting database technologies are configured for Kerberos and have the appropriate SPNs.
DelegConfig is a helpful troubleshooting tool for Kerberos.
Fun With The Kerberos Delegation Web Site has some useful information.
Also see this documentation from John Herman.
The Microsoft article 929650 has more information on SPNs and also an extensive Kerberos checklist at the bottom of the page.
*The above information has been gathered from various sources, including an internal arcplan post from Alexandre LeBrun and an arcplan Community post from John Herman.
- Posted By:
- Daniel Emmons
- April 25, 2011
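The delegation-related items in the checklist above, written as an offline check over exported account attributes. This is an added example, not part of the original post or of arcplan's tooling; the account names, the shape of the export, and the exact-match test for the `delegate=true` line are assumptions, while the two `userAccountControl` bit values are the standard Active Directory flags.

```python
# Added example: audit exported AD attributes against the Kerberos checklist.
TRUSTED_FOR_DELEGATION = 0x80000  # AD "trusted for delegation" option
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated"


def audit(service_accounts, app_users, cgi_cfg_text, split_tier):
    """Return checklist findings; an empty list means every check passed."""
    findings = []
    for acct in service_accounts:
        name, uac = acct["sAMAccountName"], int(acct["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            findings.append(f"{name}: not trusted for delegation")
        # Computer accounts end in "$". A user-type service account means the
        # server is not running as local system, so SPNs must be set manually.
        if not name.endswith("$") and not acct.get("servicePrincipalName"):
            findings.append(f"{name}: no SPN registered")
    for user in app_users:
        if int(user["userAccountControl"]) & NOT_DELEGATED:
            findings.append(f"{user['sAMAccountName']}: sensitive, cannot be delegated")
    # Only required when the web server and arcplan server are separate machines.
    cfg_lines = [line.strip() for line in cgi_cfg_text.splitlines()]
    if split_tier and "delegate=true" not in cfg_lines:
        findings.append("arcCGI.cfg: missing delegate=true")
    return findings


# Constructed sample data (hypothetical names; not taken from a real directory).
SERVICE_ACCOUNTS = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/web01.example.test"]},
    {"sAMAccountName": "svc-arcplan", "userAccountControl": 0x200,
     "servicePrincipalName": []},
]
APP_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "userAccountControl": 0x100200},
]
SAMPLE_CFG = "placeholder=value\n"  # constructed stand-in for arcCGI.cfg contents

if __name__ == "__main__":
    for finding in audit(SERVICE_ACCOUNTS, APP_USERS, SAMPLE_CFG, split_tier=True):
        print(finding)
```

The attribute values can be exported from the directory with any LDAP query tool; an empty result covers only these four checklist items, not the IIS, browser, or database settings.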