Authentication via Single Sign On (SSO) is well suited for automated sign-on to i-doit within an intranet.
Requirements and Assumptions
The following conditions are the basis of this article:
- i-doit is installed on a GNU/Linux system
- An Active Directory (AD) on Windows Server 2008/2012 is used for authentication.
This article describes how Single Sign On (SSO) is set up in an Apache web server with
Special attention needs to be paid to upper and lower case letters in the configuration.
Configure Active Directory (AD)
In AD, a user is created for SSO access. Example:
- Server name of i-doit:
- AD domain:
- SSO user:
A keytab file is generated on an AD domain controller as the admin user with the help of the ktpass utility.
The krb5.keytab file is then copied to the i-doit server at
Active Directory Users and Computers is opened (
The Advanced Features option is activated. Now the SSO user object is opened. Search for the values userPrincipalName and servicePrincipalName in the Attribute Editor tab. In both cases exactly one entry with the value HTTP/idoit.mydomain.local needs to be set.
Configure Apache Webserver
The auth_kerb module is required for the Apache web server.
Now the Kerberos configuration is written (replace dc.mydomain.local with your domain controller):
Execute the following command to test the configuration:
The password of the SSO user is requested. With the command
you can check whether or not a valid ticket exists.
Subsequently, the Apache configuration for the VHost at which i-doit is accessible is supplemented within the
In order to apply the changes the Apache web server needs to be restarted:
From version 1.5 on, SSO can be configured via the web GUI of i-doit. The corresponding settings can be found at Administration → System settings, where SSO needs to be activated.
Browser Client-side Configuration
Lastly, each browser needs to be configured to automatically use SSO.
Microsoft Internet Explorer (IE)
The i-doit server needs to be added to the local intranet sites in the IE settings. After this, the item Automatic logon with current username and password has to be enabled under User Authentication within the Custom level option. Furthermore, make sure that you activate the option Integrated Windows authentication in the Advanced tab of the
Mozilla Firefox and Google Chrome
SSO is also possible for these browsers. Extensive information about the configuration can be found on the internet. You can find an example for Firefox here.
Should you have problems regarding the authentication, the following questions and hints may be of help:
- Compare the time settings on the Linux server and the Windows DC. Are they the same? Kerberos rejects tickets when the clocks differ by more than a few minutes.
- In most cases the server is only accessible via the full FQDN.
- Does the i-doit server have access to the domain controller? Is there a firewall between these two?
- Is the SSO domain user unlocked?
- Can the DC be resolved via DNS from the i-doit server?
- Does the web server have read permission for the
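The checklist above can be run as a script on the i-doit server. This is an added diagnostic example, not part of the article or of i-doit; the keytab path, the Apache user www-data and the 300-second skew limit are assumptions, while the DC name and the SPN are taken from the article.

```shell
#!/bin/sh
# Diagnostic helper for the SSO checklist. Added example, not i-doit's own code.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"        # assumed keytab path on the i-doit server
DC="${DC:-dc.mydomain.local}"                # domain controller (from the article)
SPN="${SPN:-HTTP/idoit.mydomain.local}"      # service principal (from the article)
WEBUSER="${WEBUSER:-www-data}"               # assumed Apache run-as user
MAX_SKEW=300                                 # assumed tolerance; Kerberos default is 5 minutes

# Does a `klist -kt` listing contain the expected SPN? grep is case-sensitive on
# purpose: Kerberos principals are, which is why upper/lower case matters here.
# $1 = listing text, $2 = SPN without realm
keytab_has_spn() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2@"
}

# Is the difference between two epoch timestamps within the tolerance?
# $1 = local epoch seconds, $2 = reference (DC) epoch seconds
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# Can the web server user read the keytab? Needs root to switch user.
keytab_readable_by() {
    su -s /bin/sh "$1" -c "test -r '$KEYTAB'" 2>/dev/null
}

run_checks() {
    echo "== DNS: can $DC be resolved from this host?"
    getent hosts "$DC" || echo "FAIL: $DC does not resolve"
    echo "== Keytab: does $KEYTAB contain $SPN?"
    listing=$(klist -kt "$KEYTAB" 2>&1)
    keytab_has_spn "$listing" "$SPN" || { echo "FAIL: SPN missing (check case)"; echo "$listing"; }
    echo "== Keytab: readable by $WEBUSER?"
    keytab_readable_by "$WEBUSER" || echo "FAIL: $WEBUSER cannot read $KEYTAB"
    echo "== KDC: get a ticket with the keytab (covers DC reachability, firewall, account state)"
    kinit -kt "$KEYTAB" "$SPN" && klist || echo "FAIL: kinit failed, see message above"
    echo "== Time: compare this with 'date' on the DC (local time in UTC):"
    date -u
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root with `--run`; the first two functions are pure and can be exercised against a saved `klist -kt` listing without a DC.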