Single sign-on "How To" Guide

Background Information Identity management is the latest buzzword in IT-speak for systems that manage information about users (identity), provide mechanisms for them to prove who they are (authentication), and provide mechanisms to give them access to specific services based on their identity (authorization). From an end-user standpoint, most of the configuration steps necessary to access CGLAUTH have to do with the authentication portion. The CGLAUTH authentication environment supported by the Computer Graphics Laboratory and SACS depends primarily on a technology known as Kerberos, which was developed by MIT and is supported by most PC and server vendors. Our server implementation uses the official MIT open source release, but we use standard client components whenever possible to make things easier for our end users. The main Kerberos server program is called a Key Distribution Center (KDC). The idea is that this server provides you "keys" to unlock various services, such as login.

First Steps

All of the platform-specific configuration instructions below assume that you already have an account for either the RBVI (Resource for Biocomputing, Visualization, and Informatics) resource or SACS (Sequence Analysis Consulting Service), which are the two entities hosted by CGL. If you do not have an RBVI or SACS account, you will need to obtain one before attempting to configure your system. RBVI computer accounts are available to any researcher with a legimate scientific need for access to the software tools we have available or the various databases we maintain; for additional information on obtaining an RBVI account see the RBVI Resource User's Guide. SACS accounts are available to all SACS subscribers. Subscriptions are available for as little as $100/month for an entire laboratory, which includes access to CGL resources, SACS-licensed software and resources, a shared disk repository, and a laboratory web site. More information on SACS can be obtained from the SACS web site.

Once you have your account, you must use the web-based password change page to set your CGLAUTH password. Once your CGLAUTH password is set, you may use it for all CGL resources including socrates login, E-Mail access, web authentication, and shared disk resources (Samba). You may also use your CGLAUTH password to set up single sign-on for your Windows PC, Macintosh (Mac OS X), or Linux PC.

If you have any problems or questions, you can send e-mail to kerberos-help@cgl.ucsf.edu and we will try to assist you.

Single Sign-on for Macintosh

There are differences in behavior between the Jaguar (MacOS 10.3), Tiger (MacOS 10.4), and Leopard (MacOS 10.5) releases as far as Kerberos is concerned. The Tiger and Leopard releases provide a number of additional Kerberized utilies and has done a nice job of integrating Kerberos to a greater extent. Unfortunately, early Tiger releases also introduced a bug where the fallback functionality, which allows authentication against a local password if Kerberos authentication fails, no longer works. As a result, CGLAUTH only supports Tiger release 10.4.2 or later.

JAGUAR (10.3): Configure workstation (you must have administrator priviledges and a 'root' account to do this)
1. Log into your Macintosh as root. If you are familiar with the MacOS X shell commands, this can also be done from a shell prompt
2. Install or replace /Library/Preferences/edu.mit.Kerberos with the CGL.UCSF.EDU version
3. Replace /etc/authorization with the Kerberos version. I recommend making a copy of this file before overwriting it. Note that by default, the browser will save this file as an XML file (.xml), so its type will need to be changed, or it will need to be renamed to remove the ".xml".
4. If desired, configure the host principals (this will need to be done by a Kerberos administrator, as root on the Macintosh and only needs to be done if you wish to remotely log in to your Macintosh):
  1. kadmin
  2. kadmin: addprinc -randkey -policy hosts host/workstation_name
  3. kadmin: ktadd host/workstation_name (where workstation_name is the fully qualified domain name of your mac)
5. If desired, enable SSO on Firefox. Unfortunately, Safari on JAGUAR does not support SSO.
TIGER (10.4.2): Configure workstation (you must have administrator priviledges to do this)
1. Log into your Macintosh as root. If you are familiar with the MacOS X shell commands, this can also be done from a shell prompt
2. Replace /Library/Preferences/edu.mit.Kerberos with the CGL.UCSF.EDU version
3. Replace /etc/authorization with the Kerberos version. I recommend making a copy of this file before overwriting it. Note that by default, the browser will save this file as an XML file (.xml), so its type will need to be changed, or it will need to be renamed to remove the ".xml".
4. If desired, configure the host principals (this will need to be done by a Kerberos administrator, as root on the Macintosh and only needs to be done if you wish to remotely log in to your Macintosh):
  1. kadmin -O
  2. kadmin: addprinc -randkey -policy hosts host/workstation_name
  3. kadmin: ktadd host/workstation_name (where workstation_name is the fully qualified domain name of your mac)
5. If desired, enable SSO on Firefox. Unfortunately, Safari on TIGER does not support SSO, however Apple has provided the infrastructure, but not the interface, so we hope this feature to be available in a future update to Safari.
LEOPARD (10.5.4): Configure workstation (you must have administrator priviledges to do this)
1. Log into your Macintosh as root. If you are familiar with the MacOS X shell commands, this can also be done from a shell prompt
2. Copy the CGL.UCSF.EDU version of the Kerberos configuration file to /Library/Preferences/edu.mit.Kerberos
3. Replace /etc/authorization with the Kerberos version. I recommend making a copy of this file before overwriting it. Note that by default, the browser will save this file as an XML file (.xml), so its type will need to be changed, or it will need to be renamed to remove the ".xml".
4. If desired, configure the host principals (this will need to be done by a Kerberos administrator, as root on the Macintosh and only needs to be done if you wish to remotely log in to your Macintosh):
  1. kadmin -O
  2. kadmin: addprinc -randkey -policy hosts host/workstation_name
  3. kadmin: ktadd host/workstation_name (where workstation_name is the fully qualified domain name of your mac)
5. If desired, enable SSO on Firefox. Unfortunately, Safari does not support SSO, however Apple has provided the infrastructure, but not the interface, so we hope this feature to be available in a future update to Safari.

Single Sign-on for Windows

Windows 2000 and later releases (including Windows XP, but not tested on Vista) use Kerberos authentication natively, but it must be configured to use a shared Kerberos infrastructure such as CGLAUTH as opposed to a native Windows Domain. The steps to do this are outlined below:

You will need two important utilities that can be found on the Microsoft Support Tools CD (or download them from CGL: ksetup.exe and ktpass.exe
Configure the KDC (this will need to be done by a Kerberos administrator on a UNIX (or MacOS X) host)

kadmin
addprinc -pw password -policy hosts -e des-cbc-crc:normal host/FQDNworkstation_name

Configure workstation (you must have administrator priviledges to do this)
1. ksetup /SetRealm CGL.UCSF.EDU
2. ksetup /AddKDC CGL.UCSF.EDU kdc-1.cgl.ucsf.edu
3. ksetup /AddKDC CGL.UCSF.EDU kdc-2.cgl.ucsf.edu
4. Set the local machine password
  1. ksetup /SetComputerPassword password (must match password above)
5. Set up user mapping
  1. ksetup /mapuser * * (can also map user@CGL.UCSF.EDU to user
6. Set up delegation
  1. ksetup /SetRealmFlags CGL.UCSF.EDU delegate
Reboot
At this point, you will be able to login as user@CGL.UCSF.EDU using your Kerberos password. You may want to download the Kerberos-enabled version of PuTTY to get a version of SSH that will use your Kerberos key.
If desired, enable SSO on Firefox, or Internet Explorer.

Single Sign-on for Linux

Configure the KDC (this will need to be done by a Kerberos administrator)

kadmin
addprinc -randkey -policy hosts host/workstation_name

Configure workstation (you must have root priviledges to do this)
1. Server Settings --> Authentication (or /usr/bin/system-config-authentication)
2. Under Authentication TAB
  1. Enable Kerberos Support
    1. Check 'Enable Kerberos Support'
    2. Configure Kerberos...
      - Realm --> CGL.UCSF.EDU
      - KDCs --> kdc-1.cgl.ucsf.edu:88,kdc-2.cgl.ucsf.edu:88
      - Admin Servers --> kdc-1.cgl.ucsf.edu:749
3. Under User Information TAB
  1. Enable LDAP Support (if desired)
4. Download /etc/krb5.conf
5. Add host key (requires Kerberos administrator & root):
  1. kadmin
  2. ktadd -k /etc/krb5.keytab host/workstation_name
6. Click OK and reboot
Enable SSO on Firefox
Configure SSH

Enabling Firefox for Single Sign-on

The Firefox web browser can support single sign-on to the CGL web servers on WindowsXP, Linux, and MacOS X.

Open up Firefox, and type in "about:config" to the URL bar. This will display a large number of entries representing all of the configuration information in Firefox.
Go to the Preference Name "network.negotiate-auth.trusted-uris"

Set the Value to "https://" by Double-clicking the entry and typing "https://" into the dialog

Now go to the Preference Name "network.negotiate-auth.delegation-uris"

Set the Value to "https://" by Double-clicking the entry and typing "https://" into the dialog

Enabling Internet Explorer for Single Sign-on

Internet Explorer can support single sign-on to the CGL web servers on a WindowsXP machine when the machine has been configured to support Kerberos and the user has logged in as user@CGL.UCSF.EDU.

Open up Internet Explorer, and go to Tools→Internet Options.
Select the Security tab, which provides information on which sites you want to trust.
Select "Local intranet"
Click on the "Sites" button.
1. All check boxes should be selected.
2. Click on "Advanced..."
  1. Add the list of sites you want to enable for single sign on. For example:
    - https://www.sacs.ucsf.edu
    - https://www.cgl.ucsf.edu
    - https://sfld.rbvi.ucsf.edu
  2. Click "OK"
3. Click "OK"
Click "OK"