Installation and Maintenance

Concept of this configuration

This chapter describes a configuration of the login process that gives internal clients true single sign on to ILIAS. It is achieved by combining Apache Kerberos login with LDAP (described in the companion chapter).
The steps were tested in an environment using Microsoft Active Directory® on Windows Server 2008 R2 as the Kerberos database (KDC).

  • Clients on the internal network can log in to the ILIAS site without entering credentials.
  • External access (or access from internal clients that are not in the Kerberos database) is granted with the same credentials as for internal systems, so users only have to memorise one account name and password.
The figure below illustrates this setup. Black arrows indicate the exchange of Kerberos data, red lines the flow of LDAP information. How the external user authenticates to the external client (blue) is irrelevant here.

Login layout

The steps needed to configure this successfully are:

  • Install the Kerberos client packages on the base system
  • Understand and generate the credential file for the web server (the "keytab")
  • Adjust the Apache site configuration to use Kerberos
  • Configure the ILIAS login settings
  • Test the configuration
At several points there is more than one way to configure the services and to generate the components needed.
As a recommendation, configure the login to use Kerberos with the "Negotiate" method for true single sign on (no credentials needed for internal users). For all other users do not use Kerberos as the login method; rely on LDAP configured against the same server that acts as the Kerberos KDC. This gives you a fallback for Kerberos problems without duplicate accounts for users.
For clarity, this chapter describes a single way to realise the recommended configuration. Hints for alternatives (useful e.g. for troubleshooting and testing) are given in additional sections.
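The recommended layout, as an added example that is not part of this chapter's own configuration files: an Apache site that offers Kerberos Negotiate only on a dedicated single-sign-on entry point and leaves the rest of ILIAS open, so the normal ILIAS login form (backed by LDAP) remains the fallback. It uses mod_auth_kerb directives. The realm EXAMPLE.ORG, the host ilias.example.org, the keytab path /etc/apache2/http.keytab, the document root /var/www/ilias and the entry path /ilias/sso are assumptions; the chapter's later sections define the real values for your installation.

```apache
# Added example, not taken from the ILIAS documentation. Assumed values:
# realm EXAMPLE.ORG, host ilias.example.org, keytab /etc/apache2/http.keytab,
# DocumentRoot /var/www/ilias, SSO entry path /ilias/sso (hypothetical path
# standing in for the "different URL" used to trigger Apache authentication).
<VirtualHost *:443>
    ServerName ilias.example.org
    DocumentRoot /var/www/ilias

    # Kerberos tickets are only as safe as the transport they ride on:
    # keep the SSO entry point on TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ilias.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/ilias.example.org.key

    # Entry point for internal clients: Negotiate (SPNEGO) only.
    # KrbMethodK5Passwd Off disables the Basic-auth fallback, which would
    # otherwise prompt for the password and send it to the web server.
    # Users without a ticket (external clients, non-domain machines) get
    # a 401 here and use the regular ILIAS login, which is LDAP-backed.
    <Location /ilias/sso>
        AuthType Kerberos
        AuthName "ILIAS single sign on"
        KrbAuthRealms EXAMPLE.ORG
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # Verify the presented service ticket against our keytab, so a
        # spoofed KDC cannot hand out accepted tickets.
        KrbVerifyKDC On
        # Strip "@EXAMPLE.ORG" so REMOTE_USER carries only the account
        # name, i.e. the same name the LDAP login uses (no double accounts).
        KrbLocalUserMapping On
        Require valid-user
    </Location>

    # Everything else is served without Apache authentication, so the
    # ILIAS login form stays reachable for external and non-Kerberos users.
    <Directory /var/www/ilias>
        Require all granted
    </Directory>
</VirtualHost>
```

The keytab must contain the HTTP/ilias.example.org@EXAMPLE.ORG key (check with `klist -k /etc/apache2/http.keytab`), be readable by the Apache user and by nobody else, and the host name in the URL must be the one the key was issued for; a CNAME or a mismatch in reverse DNS is the most common reason Negotiate silently fails. After `apachectl configtest`, test from an internal client that has a ticket with `curl --negotiate -u : https://ilias.example.org/ilias/sso/`, which should return the page without a password prompt, whereas the same request without a ticket returns 401. `Require all granted` is Apache 2.4 syntax; on 2.2 use `Order allow,deny` and `Allow from all`. mod_auth_gssapi (`AuthType GSSAPI`, `GssapiCredStore keytab:/etc/apache2/http.keytab`, `GssapiBasicAuth Off`, `GssapiLocalName On`) is the modern replacement for mod_auth_kerb with the same division of roles.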
 
From my understanding of the ILIAS documentation, Apache authentication should be automatically called when users log into ILIAS. This didn't work for my installations, so a little workaround was used by calling ILIAS from a different URL. If there is a method to have ILIAS directly call Apache authentication, I would like to learn about this and to update the appropriate sections (Apache site and ILIAS settings).
 
To learn about Kerberos authentication, variables and headers, a simple website that uses phpinfo() and Kerberos login protection gave me a lot of information.


