Genesys CTI User Forum
Genesys CTI User Forum => Genesys CTI Technical Discussion => Topic started by: Thierry61 on March 30, 2016, 09:15:37 AM
-
Hello,
We want to know if GENESYS 8.5 supports SSO with Microsoft Active Directory, and if a solution exists, can you explain how GENESYS works for this SSO?
We ask about this because on this forum the last post on this subject dates from 2012.
Thanks for your answer.
Best Regards
-
Ask Genesys directly.
-
From what I recall, yes, it requires Kerberos.
Sent from my SM-N9005 using Tapatalk
-
Workspace 8.5 allows kerberos authentication, but it's only Workspace that I'm aware of (not GA, GAX, Pulse, CCPulse, IRD etc).
-
Thank you for your help,
In fact we have looked in the GENESYS documentation and we found this:
Mapping of SPN "confserver/somehost" to rootUser2:
setspn -A confserver/somehost rootUser2
But we can't find what "somehost" means: is it our physical host name (AD server or application server), or the Genesys server name (in the application), or something else?
Thank you for your answer,
-
I used the hostname of the server where I installed the Genesys Config Primary Server, and finally got it running. However I cannot say if this is a MUST or if there are other choices available.
You can then use the same SPN and same keytab file for both confserv and confserv_ha.
SPN seems to be case sensitive, so use exactly the same upper/lower case letters.
-
Just got this working in my lab so here are the steps:
Create AD accounts for Configuration Server user and Genesys User
svc_genesys / password1 (non-expiring, user cannot change, Domain User)
user1 / password1 (normal user domain account)
THE FOLLOWING IS DONE ON THE CONFIGURATION SERVER HOST FOR EASE OF DEPLOYMENT:
Environment Details:
Domain Controller = 10.0.0.80 (w2k12dc1.mylab.co.nz)
Domain = MYLAB.CO.NZ
ConfServ Host = w2k12gsys1.mylab.co.nz
SPN = confserver/w2k12gsys1
Service AD User = svc_genesys
Agent AD User = user1
Map the Service Principal Name (SPN) to the AD Configuration Server user
Open Windows PowerShell as Domain Admin and run the following commands:
setspn -S confserver/w2k12gsys1 svc_genesys (-S checks to see if the SPN already exists)
setspn -S confserver/w2k12gsys1.mylab.co.nz svc_genesys
Create the Kerberos Keytab file:
(note: the uppercase letters for the domain - important)
ktpass /princ confserver/w2k12gsys1@MYLAB.CO.NZ /mapuser svc_genesys@MYLAB.CO.NZ /pass password1 /out c:\genesys-rootdomain.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
Move the output file c:\genesys-rootdomain.keytab to the installation root directory for Configuration Server (eg. C:\Program Files\GCTI\ConfigServer)
Install MIT Kerberos version kfw-4.0.1 for Windows on the Configuration Server host.
Edit the file C:\ProgramData\MIT\krb5.ini to set the libdefaults & Realm. The logging section is optional.
(note: the uppercase letters for the domain - important)
eg.
[libdefaults]
default_realm = MYLAB.CO.NZ
[realms]
MYLAB.CO.NZ = {
kdc = 10.0.0.80
admin_server = 10.0.0.80
}
[logging]
kdc = FILE:kdc.log
Edit the InteractionWorkspace.exe.config file
In CME make sure that the Genesys Agent has external authentication set to be their AD login name (eg. user1)
Change the following line:
<add key="login.kerberos.service-principal-name" value="confserver/w2k12gsys1" />
You should now be able to open WDE without logging in on a machine where 'mylab\user1' has already logged in to Windows.
-
Thanks, great work!
To complete this How-To guide, may I add one more step:
In Configuration Server ini file confserv.cfg add the following section and restart Config Server
[authentication]
library=gauth_kerberos
SPN=confserver/w2k12gsys1
realm=MYLAB.CO.NZ
keytab=genesys-rootdomain.keytab
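A checker for the keytab that the ktpass step in giggles' post produces and that the confserv.cfg section above points at (keytab=, SPN=, realm=), written as an added example that is not from the thread, Genesys or Microsoft: it parses the MIT keytab file format and flags the three pitfalls this thread reports, a realm that is not upper case, an SPN whose case differs from the one in the keytab, and a principal with no AES keys. The build_keytab writer exists only to construct sample input; the SPN and realm values are the lab ones from the post.

```python
import struct
AES_TYPES = {17, 18}   # aes128/aes256-cts-hmac-sha1-96 enctype numbers (RFC 3962)
KRB5_NT_PRINCIPAL = 1  # the /ptype used by the ktpass command in the thread

def _cstr(b):  # counted_octet_string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Write (principal, enctype, key, kvno) tuples as an MIT keytab v2 blob (constructs sample input only)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype) + _cstr(key)
        out += struct.pack(">i", len(body)) + body  # fixed fields above: name_type, timestamp, vno8, enctype
    return bytes(out)

def parse_keytab(data):
    """Return one dict (principal, enctype, kvno) per live entry of an MIT keytab v2 (0x0502) file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2 file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size < 0:                     # negative size marks a deleted entry of -size bytes
            pos -= size
            continue
        (ncomp,), end, parts, pos = struct.unpack_from(">H", data, pos), pos + size, [], pos + 2
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, pos)
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "enctype": enctype, "kvno": kvno})
        pos = end                        # skip the key bytes and any optional vno32
    return entries

def check_keytab(data, spn, realm):
    """Flag the mistakes reported in the thread: lower-case realm, SPN case mismatch, no AES keys."""
    wanted, problems, ents = f"{spn}@{realm}", [], parse_keytab(data)
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    names = {e["principal"] for e in ents}
    if wanted not in names:
        near = sorted(n for n in names if n.lower() == wanted.lower())
        problems.append(f"{wanted!r} not in keytab" + (f"; case differs from {near}" if near else ""))
    if not AES_TYPES & {e["enctype"] for e in ents if e["principal"] == wanted}:
        problems.append("no AES keys for that principal; check the account's Kerberos AES options")
    return problems
```

Against a real file, call check_keytab(open(path, "rb").read(), "confserver/w2k12gsys1", "MYLAB.CO.NZ") with the SPN and realm copied from confserv.cfg; an empty list means the keytab matches what Config Server will look for.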
-
Hi,
I went through this post for configuring SSO for WDE. It is very helpful.
I have a question: can we configure both LDAP and Kerberos authentication in Configuration Server? The External Authentication manual from Genesys says
"[b]Configuration Server and Configuration Server Proxy support the use of the Kerberos authentication protocol for user authentication in Genesys user interface applications[/b]", but it does not list the user interfaces.
In my environment, we have configured LDAP for CME, CCPulse, IRD and GA, and additionally we need to configure Kerberos for WDE. But the document does not say anything about configuring both external authentication methods on the same server.
-
There's a thread somewhere on here with the steps someone went through recently to do this
Sent from my SM-N9005 using Tapatalk
-
Kerberos is currently only supported in WDE and Platform SDK (if you develop own application).
You can configure both LDAP and Kerberos in the same Config Server/Proxy. I assume it's working but you need to try. The Deployment Guide only states "Kerberos runs independently of Radius and LDAP".
-
Thank you Friends for the details.
-
[quote author=giggles link=topic=9459.msg42983#msg42983 date=1460342823]
Just got this working in my lab so here are the steps:
Create AD accounts for Configuration Server user and Genesys User
svc_genesys / password1 (non-expiring, user cannot change, Domain User)
user1 / password1 (normal user domain account)
THE FOLLOWING IS DONE ON THE CONFIGURATION SERVER HOST FOR EASE OF DEPLOYMENT:
Environment Details:
Domain Controller = [b]10.0.0.80 (w2k12dc1.mylab.co.nz)[/b]
Domain = [b]MYLAB.CO.NZ[/b]
ConfServ Host = [b]w2k12gsys1.mylab.co.nz[/b]
SPN = confserver/w2k12gsys1
Service AD User = svc_genesys
Agent AD User = user1
Map the Service Principal Name (SPN) to the AD Configuration Server user
Open Windows PowerShell as Domain Admin and run the following commands:
setspn -S confserver/w2k12gsys1 svc_genesys (-S checks to see if the SPN already exists)
setspn -S confserver/w2k12gsys1.mylab.co.nz svc_genesys
Create the Kerberos Keytab file:
(note: the uppercase letters for the domain - important)
ktpass /princ confserver/w2k12gsys1@MYLAB.CO.NZ /mapuser svc_genesys@MYLAB.CO.NZ /pass password1 /out c:\genesys-rootdomain.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
Move the output file c:\genesys-rootdomain.keytab to the installation root directory for Configuration Server (eg. C:\Program Files\GCTI\ConfigServer)
Install MIT Kerberos version kfw-4.0.1 for Windows on the Configuration Server host.
Edit the file C:\ProgramData\MIT\krb5.ini to set the libdefaults & Realm. The logging section is optional.
(note: the uppercase letters for the domain - important)
eg.
[libdefaults]
default_realm = MYLAB.CO.NZ
[realms]
MYLAB.CO.NZ = {
kdc = 10.0.0.80
admin_server = 10.0.0.80
}
[logging]
kdc = FILE:kdc.log
Edit the InteractionWorkspace.exe.config file
In CME make sure that the Genesys Agent has external authentication set to be their AD login name (eg. user1)
Change the following line:
<add key="login.kerberos.service-principal-name" value="confserver/w2k12gsys1" />
You should now be able to open WDE without logging in on a machine where 'mylab\user1' has already logged in to Windows.
[/quote]
Exactly the kind of responses that one should be getting from this forum.
Giggles, just one thing I wanted to point out: I'm not sure if the highlighted IPs/domain names/host names are real ones, but if they are, I would suggest omitting them from your future posts, for obvious reasons.
Thanks once again for such a detailed response, keep up the good work.
-
Hi,
I'm getting a "Can't create Kerberos ticket" error in WDE. Below are the steps I followed:
WebLink: http://web.mit.edu/kerberos/krb5-1.11/doc/admin/install_kdc.html#install-and-configure-the-master-kdc
Installed Kerberos and KDC server on Config Proxy (RHEL OS)
Updated krb5.conf, kdc.conf
Set environment variables for krb5.conf and kdc.conf
Added administrator in kadm5.acl
Created KDC database
Added SPN in KDC database
Copied "krb5.keytab" file to config proxy location
Configured Kerberos section under config proxy app obj
Restarted config proxy
Configured WDE with SPN
I get an authentication error while launching WDE from Windows 7.
Can someone help me if I missed any step? Please refer me to a link where I can see the solution for this issue.
-
If you'd like to use Kerberos SSO with MS AD, and Config proxy / Config server are on RHEL Linux, it's sufficient to install standard packages:
krb5-libs
krb5-devel
krb5-workstation
and edit the /etc/krb5.conf.
You don't need to edit any other system variables or compile the MIT Kerberos from sources.
In my case I got an authentication error; the cause was that the "svc_genesys" user didn't have the options "This account supports Kerberos AES 128bit support, This account supports Kerberos AES 256bit support" enabled.
-
Hi Experts,
I am trying to install Kerberos on RHEL 7 and was following the Genesys doc for the same. I could not find any clear instruction on the points below. Could you please help?
https://docs.genesys.com/Documentation/FR/8.5.1/ExtAuth/CfgKerb
1. Is there a need to generate a keytab file? The Genesys doc has no mention of it, but there is an option for it.
2. The moment I follow the step below, I lose my access to the Linux server itself:
After executing make install, add the /usr/local/lib path to the /etc/ld.so.conf file.
Run /sbin/ldconfig.
If there are suggestions for the same, please share.
-
[url=https://docs.genesys.com/Documentation/FR/8.5.1/ExtAuth/Kerberos]https://docs.genesys.com/Documentation/FR/8.5.1/ExtAuth/Kerberos[/url]
-
Hi Kubig,
Thank you for taking time out and sharing the reference!
I have gone through this doc as well but could not get good clarity on my questions.
Thanks
-
What exactly is not clear on that? Keytab generation as well as the KRB configuration is described quite well there.
-
Hi Kubig,
1. When I installed krb5-1.21, kadmin was not installed, as I am unable to find the path below:
cd /usr/local/bin/krb5-testinst/bin/kadmin
2. When I followed the step below as documented, it blocked my access to the Linux server:
After executing make install, add the /usr/local/lib path to the /etc/ld.so.conf file.
Run /sbin/ldconfig.