Knowledge Base Article
Article Type: How To
Product: Symphony
Product Version:
Component: Symphony Server
Device Brands:
Created: 11-Jan-2012 4:30:09 PM
Last Updated:

How to set up the Symphony Single Sign On feature on a Windows Server 2008 R2 domain

Group Policy Management in Windows

  1. Default Domain Policy – Network Security
    1. Go to Default Domain Policy, Windows Settings, Security Settings, Local Policies, Security Options.
    2. Configure "Network security: Configure encryption types allowed for Kerberos" to: RC4_HMAC_MD5, DES_CBC_CRC and DES_CBC_MD5.
  2. Default Domain Controllers Policy – Network Security
    1. Go to Default Domain Controllers Policy, Windows Settings, Security Settings, Local Policies, Security Options.
    2. Configure "Network security: Configure encryption types allowed for Kerberos" to: RC4_HMAC_MD5, DES_CBC_CRC and DES_CBC_MD5.
  3. Update Policies
    1. Update policy on the domain controller. From a command prompt: gpupdate
    2. Update policy on the domain client machines. From a command prompt: gpupdate
      ** The local group policy may show the setting as updated, but at times you will need to restart the system for the change to take effect.
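To confirm that the policy above has actually reached a machine after gpupdate, the following added PowerShell script (not part of the KB article or the Symphony product) reads the policy-applied SupportedEncryptionTypes value and decodes its bitmask into etype names. The bit values are the documented Windows etype flags (the HEX-to-Etype mapping referred to in the links below), not something the article itself states; the registry path and the 0x7 value for the article's setting are assumptions based on that documentation.

```powershell
# Added example: decode and audit the Kerberos SupportedEncryptionTypes bitmask
# written by "Network security: Configure encryption types allowed for Kerberos".
# Decimal literals are used because a PowerShell hex literal such as 0x80000000
# would parse as a negative Int32.
$script:KerberosEtypeBits = [ordered]@{
    'DES_CBC_CRC'      = 1
    'DES_CBC_MD5'      = 2
    'RC4_HMAC_MD5'     = 4
    'AES128_HMAC_SHA1' = 8
    'AES256_HMAC_SHA1' = 16
    'Future types'     = 2147483648
}

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][long]$Mask)
    $enabled = @(foreach ($name in $script:KerberosEtypeBits.Keys) {
        if (($Mask -band $script:KerberosEtypeBits[$name]) -ne 0) { $name }
    })
    [pscustomobject]@{
        Mask                  = ('0x{0:X}' -f $Mask)
        Enabled               = $enabled
        # The article's setting (RC4_HMAC_MD5 + DES_CBC_CRC + DES_CBC_MD5) is 0x7.
        MatchesArticleSetting = ($Mask -eq 7)
        # No AES bit set: only DES/RC4 tickets can be negotiated on this machine.
        LegacyOnly            = (($Mask -band 24) -eq 0)
        DesEnabled            = (($Mask -band 3) -ne 0)
    }
}

function Get-KerberosEtypePolicy {
    # Policy-applied registry location (assumed). If the value is absent, the OS
    # default etype list applies and the GPO has not reached this machine yet.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = [long]$item.SupportedEncryptionTypes
    if ($raw -lt 0) { $raw += 4294967296 }   # REG_DWORD is returned as a signed Int32
    ConvertFrom-KerberosEtypeMask -Mask $raw
}

# Run after gpupdate (steps 3.1 / 3.2 above) on the DC and on a client.
$policy = Get-KerberosEtypePolicy
if ($null -eq $policy) {
    Write-Host 'No SupportedEncryptionTypes policy value present; rerun gpupdate or restart.'
} else {
    $policy | Format-List
}
```

A result with MatchesArticleSetting = True on both the domain controller and the client means the policy described in steps 1 and 2 is in effect; LegacyOnly and DesEnabled show which of the weaker etypes the setting leaves enabled.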

Notes:

  • You do NOT need to manipulate Kerberos pre-authentication or other security on the user accounts.
  • This has been tested only with RC4_HMAC_MD5 and has not been tested with other Kerberos encryption types. Enabling multiple encryption types on Windows Vista, Windows 7 and later is known to cause failures. Changing the default encryption order so that RC4 is first may resolve this.

VMware and Domain Connectivity

The time server is one of the biggest obstacles when setting up a virtual machine on a domain. One of the jobs of the domain controller is to regulate time. If the time differs by more than 5 minutes between the controller and the client, Kerberos will fail. There are ways to increase this tolerance, but it will eventually lead to time drift and domain connectivity will be lost. Hypervisors such as ESXi and Hyper-V regulate time for the virtual machines they host. This must be disabled so that time is taken from the domain controller. Further issues will result from the domain controller itself being a virtual machine.

Recommended:

Read and configure your environment according to the VMware time-keeping guidance and the Microsoft article http://support.microsoft.com/kb/816042, in particular the two sections on configuring the Windows Time service to use an external time source, and http://defaultreasoning.wordpress.com/2009/11/16/synchronize-time-with-external-ntp-server-on-windows-server-2008-r2/

For Wireshark encryption explanations and HEX-to-Etype auditing:

http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx
