SSO or Single Sign On with Active Directory - Genesys CTI User Forum

Author Topic: SSO or Single Sign On with Active Directory  (Read 11028 times)

Offline Thierry61

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
SSO or Single Sign On with Active Directory
« on: March 30, 2016, 09:15:37 AM »
Hello,

We want to know if GENESYS 8.5 supports SSO with Microsoft Active Directory, and if a solution exists, can you explain how GENESYS works for this SSO.

We ask because on this forum the last post on this subject dates from 2012.

Thanks for your answer.

Best Regards

Offline Kubig

  • Hero Member
  • *****
  • Posts: 2755
  • Karma: 44
Re: SSO or Single Sign On with Active Directory
« Reply #1 on: March 30, 2016, 09:36:39 AM »
Ask Genesys directly.

Offline nonny

  • Full Member
  • ***
  • Posts: 218
  • Karma: 2
Re: SSO or Single Sign On with Active Directory
« Reply #2 on: March 30, 2016, 09:42:27 AM »
From what I recall yes, it requires Kerberos.

Sent from my SM-N9005 using Tapatalk


Offline Dionysis

  • Sr. Member
  • ****
  • Posts: 408
  • Karma: 8
Re: SSO or Single Sign On with Active Directory
« Reply #3 on: March 30, 2016, 12:10:24 PM »
Workspace 8.5 allows kerberos authentication, but it's only Workspace that I'm aware of (not GA, GAX, Pulse, CCPulse, IRD etc).

Offline Thierry61

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #4 on: March 30, 2016, 12:42:33 PM »
Thank you for your help,
In fact we have looked in the GENESYS documentation and found this:

Mapping of SPN "confserver/somehost" to rootUser2:
setspn -A confserver/somehost rootUser2

But we can't find what "somehost" means: is it our physical host name (AD server or application server), the Genesys host name (on the application), or something else?

Thank you for your answer,


Offline siralos

  • Newbie
  • *
  • Posts: 10
  • Karma: 1
Re: SSO or Single Sign On with Active Directory
« Reply #5 on: April 03, 2016, 08:17:07 AM »
I used the hostname of the server where I installed the Genesys Config Primary Server, and finally got it running. However I can not say if this is a MUST or if there are other choices available.
You can then use the same SPN and same keytab file for both confserv and confserv_ha.
The SPN seems to be case-sensitive, so use exactly the same upper/lower case letters.

Offline giggles

  • Newbie
  • *
  • Posts: 1
  • Karma: 2
Re: SSO or Single Sign On with Active Directory
« Reply #6 on: April 11, 2016, 02:47:03 AM »
Just got this working in my lab so here are the steps:

Create AD accounts for Configuration Server user and Genesys User

svc_genesys / password1 (non-expiring, user cannot change, Domain User)
user1 / password1 (normal user domain account)

THE FOLLOWING IS DONE ON THE CONFIGURATION SERVER HOST FOR EASE OF DEPLOYMENT:
Environment Details:
Domain Controller = 10.0.0.80 (w2k12dc1.mylab.co.nz)
Domain = MYLAB.CO.NZ
ConfServ Host = w2k12gsys1.mylab.co.nz
SPN = confserver/w2k12gsys1
Service AD User = svc_genesys
Agent AD User = user1

Map the Service Principal Name (SPN) to the AD Configuration Server user

Open Windows PowerShell as Domain Admin and run the following commands:

setspn -S confserver/w2k12gsys1 svc_genesys (-S checks to see if the SPN already exists)
setspn -S confserver/w2k12gsys1.mylab.co.nz svc_genesys

Create the Kerberos Keytab file:
(note: the uppercase letters for the domain - important)

ktpass /princ confserver/w2k12gsys1@MYLAB.CO.NZ /mapuser svc_genesys@MYLAB.CO.NZ /pass password1 /out c:\genesys-rootdomain.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

Move the output file c:\genesys-rootdomain.keytab to the installation root directory for Configuration Server (eg. C:\Program Files\GCTI\ConfigServer)

Install MIT Kerberos version kfw-4.0.1 for Windows on the Configuration Server host.
Edit the file C:\ProgramData\MIT\krb5.ini to set the libdefaults & Realm. The logging section is optional.
(note: the uppercase letters for the domain - important)

eg.
[libdefaults]
default_realm = MYLAB.CO.NZ
[realms]
MYLAB.CO.NZ = {
kdc = 10.0.0.80
admin_server = 10.0.0.80
}
[logging]
kdc = FILE:kdc.log



Edit the InteractionWorkspace.exe.config file

In CME make sure that the Genesys Agent has external authentication set to be their AD login name (eg. user1)

Change the following line:
    <add key="login.kerberos.service-principal-name" value="confserver/w2k12gsys1" />
           
You should now be able to open WDE without logging in on a machine where 'mylab\user1' has already logged in to Windows.
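
As an added check for the ktpass step above (example code written for this thread, not Genesys or MIT code), the script below reads the keytab in the documented MIT format (version 0x0502), lists each principal/enctype entry it carries, and confirms that the principal matches the SPN and realm exactly, including case, and that AES keys are present. The encryption type numbers and KRB5_NT_PRINCIPAL = 1 are the standard IANA/MIT values; the sample keytab used when no path is given is constructed in memory with all-zero keys, so it runs offline.

```python
"""Inspect the keytab written by ktpass before handing it to Configuration
Server: list every principal/enctype entry and confirm the one the SSO setup
expects is present with the exact SPN and realm case.

Added example for this thread (not Genesys or MIT code).  The byte layout is
the documented MIT keytab format, version 0x0502.  The sample keytab used
when no path is given is constructed in-memory by build_keytab() with zero
keys, so the script runs offline.
"""
import struct
import sys

# IANA Kerberos encryption type numbers
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
AES_TYPES = {17, 18}
KRB5_NT_PRINCIPAL = 1          # the /ptype used in the ktpass command above


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, enctype, kvno, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", body, p)
        key, p = _counted(body, p + 2)
        # a 32-bit kvno follows only if the entry has four bytes left
        vno = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": vno, "keylen": len(key)})
    return entries


def build_keytab(principal, enctypes, kvno=2):
    """Constructed sample data: a keytab for `principal` with all-zero keys
    (real keys come from ktpass).  One entry per enctype, as /crypto all writes."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x02"
    for et in enctypes:
        keylen = {17: 16, 18: 32, 23: 16}.get(et, 8)
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", et, keylen) + b"\x00" * keylen
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab(data, spn, realm):
    """Return (ok, problems) for the SPN/realm that confserv.cfg will name."""
    want = spn + "@" + realm
    entries = parse_keytab(data)
    hits = [e for e in entries if e["principal"] == want]
    problems = []
    if realm != realm.upper():
        problems.append("realm must be uppercase, got " + realm)
    if not hits:
        near = [e["principal"] for e in entries if e["principal"].lower() == want.lower()]
        problems.append("keytab principal differs only in case: " + near[0] if near
                        else "principal not in keytab: " + want)
    elif not AES_TYPES & {e["enctype"] for e in hits}:
        names = ", ".join(ENCTYPES.get(e["enctype"], str(e["enctype"])) for e in hits)
        problems.append("no AES keys for " + want + " (only " + names + ")")
    return not problems, problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_keytab("confserver/w2k12gsys1@MYLAB.CO.NZ", [23, 17, 18])
    for e in parse_keytab(data):
        print(e["principal"], ENCTYPES.get(e["enctype"], e["enctype"]), "kvno", e["kvno"])
    ok, problems = check_keytab(data, "confserver/w2k12gsys1", "MYLAB.CO.NZ")
    print("OK" if ok else "\n".join(problems))
```

Run it as `python check_keytab.py "C:\Program Files\GCTI\ConfigServer\genesys-rootdomain.keytab"` on the Configuration Server host; a principal that differs only in case from the SPN you put in confserv.cfg, or a keytab with only arcfour/DES entries, is reported before you restart the server.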

Offline siralos

  • Newbie
  • *
  • Posts: 10
  • Karma: 1
Re: SSO or Single Sign On with Active Directory
« Reply #7 on: April 17, 2016, 10:19:41 AM »
Thanks, great work !
To complete this How-To guide, may I add one more step:

In the Configuration Server ini file confserv.cfg, add the following section and restart Config Server:
[authentication]
library=gauth_kerberos
SPN=confserver/w2k12gsys1
realm=MYLAB.CO.NZ
keytab=genesys-rootdomain.keytab

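Pulling the whole how-to together, the same SPN and realm now appear in four places: the setspn/ktpass principal, the [authentication] section of confserv.cfg, krb5.ini, and the WDE InteractionWorkspace.exe.config. The script below (added for this thread, not Genesys code) reads all three files and reports any value that does not match the registered principal exactly, including case. The three sample files are constructed inline from the values posted above; the XML wrapper around the WDE `<add key=...>` line is assumed.

```python
"""Cross-check the places the Kerberos SPN and realm are written in the
setup above: the principal registered with setspn/ktpass, the [authentication]
section of confserv.cfg, krb5.ini, and the WDE InteractionWorkspace.exe.config.
A mismatch in case between any two of them is enough to break the login.

Added example for this thread, not Genesys code.  The three sample files are
constructed inline from the values posted above; the XML wrapper around the
WDE <add key=...> line is assumed.
"""
import configparser
import xml.etree.ElementTree as ET

CONFSERV_CFG = """\
[authentication]
library=gauth_kerberos
SPN=confserver/w2k12gsys1
realm=MYLAB.CO.NZ
keytab=genesys-rootdomain.keytab
"""

KRB5_INI = """\
[libdefaults]
default_realm = MYLAB.CO.NZ
[realms]
MYLAB.CO.NZ = {
kdc = 10.0.0.80
admin_server = 10.0.0.80
}
[logging]
kdc = FILE:kdc.log
"""

WDE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="login.kerberos.service-principal-name" value="confserver/w2k12gsys1" />
  </appSettings>
</configuration>
"""


def parse_krb5(text):
    """Minimal krb5.ini reader: section -> {key: value | {subkey: value}}.
    One level of braces is all the file above needs."""
    sections, cur, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if block is None and line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif line == "}":
            block = None
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = cur.setdefault(key, {})
            else:
                (cur if block is None else block)[key] = val
    return sections


def check_sso_config(spn_registered, realm_registered, confserv_cfg=CONFSERV_CFG,
                     krb5_ini=KRB5_INI, wde_config=WDE_CONFIG):
    """Return a list of mismatches; an empty list means everything agrees.
    spn_registered / realm_registered are what setspn and ktpass were given."""
    problems = []
    cp = configparser.ConfigParser()          # option names are lowercased
    cp.read_string(confserv_cfg)
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    if auth.get("library") != "gauth_kerberos":
        problems.append("confserv.cfg: library is not gauth_kerberos")
    if not auth.get("keytab"):
        problems.append("confserv.cfg: keytab not set")

    krb = parse_krb5(krb5_ini)
    default_realm = krb.get("libdefaults", {}).get("default_realm")
    node = ET.fromstring(wde_config).find(
        ".//add[@key='login.kerberos.service-principal-name']")
    wde_spn = node.get("value") if node is not None else None

    for where, spn in (("confserv.cfg SPN", auth.get("spn")),
                       ("InteractionWorkspace.exe.config", wde_spn)):
        if spn != spn_registered:
            hint = " (case differs)" if spn and spn.lower() == spn_registered.lower() else ""
            problems.append(f"{where}: {spn!r} != registered SPN {spn_registered!r}{hint}")

    if realm_registered != realm_registered.upper():
        problems.append("realm is not uppercase: " + realm_registered)
    for where, realm in (("confserv.cfg realm", auth.get("realm")),
                         ("krb5.ini default_realm", default_realm)):
        if realm != realm_registered:
            problems.append(f"{where}: {realm!r} != {realm_registered!r}")
    if realm_registered not in krb.get("realms", {}):
        problems.append("krb5.ini: no [realms] block for " + realm_registered)
    return problems


if __name__ == "__main__":
    for p in check_sso_config("confserver/w2k12gsys1", "MYLAB.CO.NZ") or ["OK"]:
        print(p)
```

To use it on a real deployment, read the three files from disk and pass their contents as the keyword arguments; the registered SPN and realm are the ones given to setspn and ktpass, and the check treats them as the reference.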

Offline Ram

  • Newbie
  • *
  • Posts: 7
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #8 on: May 18, 2016, 03:38:12 PM »
Hi,

I went through this post for configuring SSO for WDE. It is very helpful.

I have a question: can we configure both LDAP and Kerberos authentication in Configuration Server? The External Authentication manual from Genesys says
"[b]Configuration Server and Configuration Server Proxy support the use of the Kerberos authentication protocol for user authentication in Genesys user interface applications[/b]", but it does not list the user interfaces.

In my environment, we have configured LDAP for CME, CCPulse, IRD and GA, and additionally we need to configure Kerberos for WDE. But the document does not say anything about configuring both external authentication methods on the same server.


Offline nonny

  • Full Member
  • ***
  • Posts: 218
  • Karma: 2
Re: SSO or Single Sign On with Active Directory
« Reply #9 on: May 19, 2016, 10:14:12 AM »
There's a thread somewhere on here with the steps someone went through recently to do this.

Sent from my SM-N9005 using Tapatalk


Offline siralos

  • Newbie
  • *
  • Posts: 10
  • Karma: 1
Re: SSO or Single Sign On with Active Directory
« Reply #10 on: May 24, 2016, 09:04:24 AM »
Kerberos is currently only supported in WDE and Platform SDK (if you develop your own application).
You can configure both LDAP and Kerberos in the same Config Server/Proxy. I assume it's working but you need to try. The Deployment Guide only states "Kerberos runs independently of Radius and LDAP".

Offline Ram

  • Newbie
  • *
  • Posts: 7
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #11 on: May 24, 2016, 01:34:31 PM »
Thank you Friends for the details.

Offline upk_singhm

  • Jr. Member
  • **
  • Posts: 88
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #12 on: May 30, 2016, 07:04:51 AM »
[quote author=giggles link=topic=9459.msg42983#msg42983 date=1460342823]
Just got this working in my lab so here are the steps:
[...]
Environment Details:
Domain Controller = [b]10.0.0.80 (w2k12dc1.mylab.co.nz)[/b]
Domain = [b]MYLAB.CO.NZ[/b]
ConfServ Host = [b]w2k12gsys1.mylab.co.nz[/b]
[...]
[/quote]

Exactly the kind of response that one should be getting from this forum.

Giggles, just one thing I wanted to point out: I'm not sure if the highlighted IPs/domain names/host names are real ones, but if they are, I suggest omitting them from future posts, for obvious reasons.

Thanks once again for such a detailed response; keep up the good work.

Offline Ram

  • Newbie
  • *
  • Posts: 7
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #13 on: June 16, 2016, 02:54:41 PM »
Hi,

I'm getting a "Can't create Kerberos ticket" error in WDE. Below are the steps I followed:

WebLink: http://web.mit.edu/kerberos/krb5-1.11/doc/admin/install_kdc.html#install-and-configure-the-master-kdc

Installed Kerberos and KDC server on Config Proxy (RHEL OS)
Updated krb5.conf, kdc.conf
Set environment variables for krb5.conf and kdc.conf
Added administrator in kadm5.acl
Created KDC database
Added SPN in KDC database
Copied "krb5.keytab" file to config proxy location
Configured kerberos section under config proxy app object
Restarted config proxy

Configured WDE with SPN
I get an authentication error while launching WDE from Windows 7

Can someone help me if I missed any step? Please refer me to a link where I can see a solution for this issue.


Offline peters

  • Newbie
  • *
  • Posts: 43
  • Karma: 0
Re: SSO or Single Sign On with Active Directory
« Reply #14 on: March 09, 2022, 08:22:54 AM »
If you'd like to use Kerberos SSO with MS AD, and Config Proxy / Config Server are on RHEL Linux, it's sufficient to install the standard packages:

krb5-libs
krb5-devel
krb5-workstation

and edit /etc/krb5.conf.

You don't need to edit any other system variables or compile MIT Kerberos from source.

In my case I got an authentication error; the cause was that the "svc_genesys" user didn't have the options "This account supports Kerberos AES 128bit support" and "This account supports Kerberos AES 256bit support" enabled.