{"id":28406,"date":"2024-03-19T11:42:56","date_gmt":"2024-03-19T08:42:56","guid":{"rendered":"https:\/\/trueconf.com/blog\/?p=28406"},"modified":"2025-10-17T16:38:15","modified_gmt":"2025-10-17T13:38:15","slug":"configuration-of-kerberos-sso-in-trueconf-server","status":"publish","type":"post","link":"https:\/\/trueconf.com/blog\/knowledge-base\/configuration-of-kerberos-sso-in-trueconf-server","title":{"rendered":"Configuration of Kerberos SSO in TrueConf Server"},"content":{"rendered":"<p class=\"primary-medium-text ui-mb-sm-1\">TrueConf Server supports password-free authentication with the help of single sign-on technology and the Kerberos protocol. This feature is available once integration with a <a href=\"https:\/\/trueconf.com\/blog\/wiki\/active-directory-ldap\" target=\"_blank\" rel=\"noopener\">directory service is configured via LDAP<\/a>. See <a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-setup-user-data-synchronization-between-trueconf-server-and-active-directory.html\" target=\"_blank\" rel=\"noopener\">this article<\/a> for configuration examples.<\/p>\n<p>The overall procedure for setting up Kerberos SSO consists of the following steps:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Add an SPN (more details below).<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Generate a keytab file.<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Apply the settings on the server side.<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">In the context of Kerberos SSO, it is important to understand the meaning of <b>Service Principal Name (SPN)<\/b>. An <b>SPN<\/b> is the unique identifier of a service instance; in our case, TrueConf Server is such a service from the domain controller's point of view. 
An SPN consists of several parts:<\/p>\n<pre class=\"lang:default decode:true \">protocol\/server.name@DOMAIN<\/pre>\n<p>The <a href=\"https:\/\/trueconf.com\/docs\/server\/en\/admin\/registration\/#server-name\" target=\"_blank\" rel=\"noopener\">public server name<\/a> specified during registration should be used as <code>server.name<\/code>.<\/p>\n<p><b>Example:<\/b><\/p>\n<pre class=\"lang:default decode:true\">trueconf\/video.example.com@EXAMPLE.COM<\/pre>\n<p>The examples in this article are based on the command line. However, you can also use the GUI.<\/p>\n<h2 id=\"active_directory\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Active Directory<\/h2>\n<p class=\"primary-medium-text ui-mb-sm-1\">In Active Directory (AD) the service principal name (SPN) is linked either to a computer account or to a user account. We urge you not to link the SPN to the computer account of the machine where TrueConf Server is deployed, because it may have an adverse effect on that machine's operation in the domain. 
To ensure correct operation, create a separate account with the following parameters:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--disc\">Password change is prohibited.<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">Password lifetime is not restricted.<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">This precaution matters: otherwise a new keytab file would have to be generated for the user every time the password is changed or expires.<\/p>\n<p>To configure Kerberos SSO, take these steps:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Run PowerShell as administrator and import the module for working with the AD service:\n<pre class=\"lang:ps decode:true \">Import-Module ActiveDirectory<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Assign the required values to the following variables:\n<pre class=\"lang:ps decode:true \">$Username = \"kb_user\" # Username\r\n$Password = \"UserPassword!\" # User password\r\n$DisplayName = \"KB_USER\" # User display name\r\n$Path = \"OU=Users,DC=yourdomain,DC=loc\" # Path to the organizational unit where the user will be created.<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Run this command to create a new service user based on the specified variables:\n<pre class=\"lang:ps decode:true\">New-ADUser -Name $DisplayName -SamAccountName $Username -Path $Path -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Add an SPN and link it to the created user:\n<pre class=\"lang:ps decode:true \">setspn -U -S trueconf\/server.name@yourdomain.loc $Username<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Generate a keytab file:\n<pre class=\"lang:ps decode:true\">ktpass -princ trueconf\/server.name@YOURDOMAIN.LOC -mapuser $Username -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass $Password -target yourdomain.loc -out C:\\yourdomain.keytab<\/pre>\n<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">Then go to the TrueConf Server control panel and configure Kerberos SSO as <a href=\"https:\/\/docs.trueconf.com\/server\/en\/admin\/web-config\/#authentication\" target=\"_blank\" rel=\"noopener\">described in the documentation<\/a>.<\/p>\n<h2 id=\"freeipa\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">FreeIPA<\/h2>\n<p class=\"primary-medium-text ui-mb-sm-1\">In FreeIPA, the SPN is linked to the host entry of the server instance, that is, to an existing A record on the DNS server. So, if the TrueConf Server host has not been added yet, this is the time to do it. To configure SSO via Kerberos:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Open the terminal and obtain a Kerberos ticket with this command:\n<pre class=\"lang:zsh decode:true \">kinit admin # username of the domain administrator<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Assign the required values to the following variables (no spaces around the equals sign):\n<pre class=\"lang:zsh decode:true\">IP_ADDRESS=10.10.10.10 # service IP address (TrueConf Server instance)\r\nTRUECONF=video.example.net # Full domain name of the server\r\nFREEIPA=freeipa.example.lan # Full domain name of the domain controller<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Add the TrueConf Server host with the specified variables by running the command:\n<pre class=\"lang:zsh decode:true \">sudo ipa host-add --force --ip-address=$IP_ADDRESS $TRUECONF<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Add the SPN service:\n<pre class=\"lang:zsh decode:true\">sudo ipa service-add trueconf\/$TRUECONF<\/pre>\n<\/li>\n<li class=\"ui-list__item 
ui-list__item--num\">To generate a keytab file, run the command:\n<pre class=\"lang:zsh decode:true \">sudo ipa-getkeytab -s $FREEIPA -p trueconf\/$TRUECONF -k trueconf.keytab<\/pre>\n<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">Then go to the TrueConf Server control panel and configure Kerberos SSO as <a href=\"https:\/\/docs.trueconf.com\/server\/en\/admin\/web-config\/#authentication\" target=\"_blank\" rel=\"noopener\">described in the documentation<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TrueConf Server supports password-free authentication with the help of single sign-on technology and the Kerberos protocol. This feature will be available if the integration with a directory service is configured via LDAP. Read this article to take a look at some examples. The overall guideline for setting up Kerberos SSO includes the following steps: Add [&hellip;]<\/p>\n","protected":false},"author":55,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[260],"tags":[186],"class_list":["post-28406","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-administration","wpautop"],"_links":{"self":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/comments?post=28406"}],"version-history":[{"count":5,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406\/revisions"}],"predecessor-version":[{"id":39868,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/28406\/revision
s\/39868"}],"wp:attachment":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/media?parent=28406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/categories?post=28406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/tags?post=28406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}