How do I set up Kerberos authentication for single sign-on (SSO) in Portfolio 2016?
To configure Portfolio 2016 for single-sign-on for connections to Portfolio Web, the following must be true:
- Portfolio is installed on a supported version of Microsoft Windows Server
- You have a Portfolio SSO license key and have entered it into the Licenses pane of Portfolio Administration
- Portfolio is bound to an Active Directory domain with Kerberos v5 enabled and configured
- The Portfolio user account is an Active Directory user
- The user is logged into a computer that is bound to the Active Directory domain with the same user account
If these conditions are met then a user can connect to Portfolio with a supported web browser and Portfolio Web will use Kerberos to log in, bypassing the login window.
Setting up Kerberos authentication
Create a service principal name
Kerberos requires a service principal name (SPN) for Portfolio; in Active Directory, SPNs are tied to a user account or service account. You can use the same Active Directory account that the Portfolio services run under. In order for Kerberos authentication to work, the service account must have a non-expiring password.
To create an SPN for Portfolio, you must know the fully-qualified domain name (FQDN) for the server Portfolio runs on (portfolio.example.org). This cannot be an alias; if you use nslookup on the server’s IP address, it should return the canonical name for the server.
The setspn command is used on the domain controller to create the SPN. The examples below will use a service account name of “EXAMPLE\portfoliosvc” and a FQDN of “portfolio.example.org”
- Open a Command Prompt window
- Enter the following command and press Enter:
setspn -A HTTP/portfolio.example.org EXAMPLE\portofliosvc
Configure Portfolio for single sign-on
- Log into Portfolio Administration
- Go to Global Settings > Single Sign-on Credentials
- Enter the username and password for the service account
- Click Apply
Configure web browsers to use single sign-on
We support using Kerberos authentication in the following browsers:
- Google Chrome for Mac OS and Windows
- Mozilla Firefox for Mac OS and Windows
- Safari for Mac OS
- Internet Explorer for Windows (versions 9 and 10 only)
- Microsoft Edge
Google Chrome for Mac OS
If you are logged in as an administrator on your Mac, you can create a preferences .plist file to specify the Portfolio server for single sign-on in Google Chrome.
Open the Terminal application. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.
sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"
Enter your password when prompted.
If you are not an administrator, or want to create a .plist file to be deployed to multiple machines, the following command will create the file on your Desktop. You can place it into /Library/Preferences/ or use Remote Desktop or similar network management tool to push the configuration file to more than one Mac.
defaults write ~/Desktop/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"
Once the file has been placed in /Library/Preferences/, restart Chrome.
Google Chrome for Windows
You can create a registry entry to specify the Portfolio server for single sign-on in Google Chrome.
Open a Command Prompt with administrator privileges. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.
reg add HKLM\Software\Policies\Google\Chrome\ /v AuthServerWhitelist /t REG_SZ /d "portfolio.example.org"
You can push the same registry key for Windows PCs on your domain using Group Policy. Once the registry setting takes effect, restart Chrome.
Firefox for Mac OS and Windows
Open a browser window. In the address bar, type
about:config and then hit Enter.
Firefox will display a warning similar to the one below. Click “I accept the risk”.
In the search text box, type “network.negotiate-auth” and hit Enter.
- Right-click “network.negotiate-auth.allow-non-fqdn” and select Toggle to change the value to true.
- Right-click “network.negotiate-auth.trusted-uris” and enter the FQDN for the Portfolio server.
Internet Explorer and Microsoft Edge
Open the Control Panel and select Internet Options. In Internet Properties, click on the Security tab and select the “Local Intranet” zone.
Click the “Sites” button. If “Include all sites that bypass the proxy server” is unchecked, uncheck “Automatically detect intranet network” and click the checkbox.
Click the Advanced button. Enter the FQDN for the Portfolio server and click Add, then click Close. Close the Internet Properties dialog.
No special configuration is needed for Safari.