SSO Authentication for Control-M Clients

The following procedures enable you to configure Single Sign On (SSO) authentication for the Control-M client and CCM:

Configuring Active Directory Kerberos SSO

This procedure describes how to configure Kerberos authentication with Active Directory to enable SSO login to Control-M and CCM clients.

Begin

  1. From the Active Directory computer, create a user with one service principal and a keytab (with the assistance of your Active Directory System Administrator), which allows Control-M/EM to authenticate users, as follows:

    • Service Principal: HTTP/<EM FQDN>@<DOMAIN CAPITAL LETTERS>

      The domain is listed under Computer>Properties in the Domain field and the fully qualified domain name (FQDN) is listed in the Name field by running nslookup <Control-M/EM host>.

    • Keytab: Run the following commands:

      • setspn -A HTTP/<EM fqdn> <USER>

        The <USER> value must be a unique user in the Active Directory that does not have any other service principle. Verify with the command setspn -L account-name.

        The service principal that connects to the FQDN of the Web Server can only have one <USER>. Verify with the command setspn -L account-name.

      • ktpass /out <keytabFile> /mapuser <USER>@<DOMAIN> /princ HTTP/<EM FQDN>@<DOMAIN CAPITAL LETTERS> /pass <pass> /ptype KRB5_NT_PRINCIPAL /crypto All

  2. From the Control-M/EM Server computer, do the following:

    1. Navigate to the following directory:

      <Control-M/EM_HOME>/etc/webcommon/SSO/

    2. Open the krbDetails.ini file and replace the existing service principal with the following text:

      HTTP/<EM FQDN>@<DOMAIN CAPITAL LETTERS>

    3. Replace the keytab value with the generated keytab file from the Active directory computer (see Step 1).

      The keytab file must have minimum access privileges. The Keytab value is the fullpath to the keytab file that is accessible by the Control-M/EMGUI server.

  3. From the CCM, do the following:

    1. Set the ClientSSO system parameter value to On, as described in Control-M/EM general parameters.

    2. Recycle the CMS and GUi Server components.

    3. Stop and start the Control-M Web Server, as described in Component Status.

    Users can now log into the Control-M and CCM clients with SSO and are authenticated with Kerberos.

    • SSO is supported on Windows and Linux.

    • When users log in, the username is the same as the Windows computer login .

    • If the user logged in from a computer that is not in the Active Directory domain or from the Control-M/EM Server computer, the user is not authenticated.

    • Control-M/EM Authorizations are the same with or without Kerberos configuration.

    • If LDAP is also defined in the CCM with the domain of the same Active Directory as the Kerberos configuration, then permissions are based on the CCM configuration.

Troubleshooting CMS Connections Failures with SSO

This procedure describes how to define the location of the correct CMS when SSO can't find it in the Naming Service. You might need to do this procedure if the Tomcat Web Server fails to communicate with the CMS when a user attempts to log in with SSO from the CCM.

Begin

  1. From the Control-M/EM server, run the following command:

    orbadmin ns list

    A list of elements that the Naming Service contains appears.

  2. Locate the element that holds the correct CMS.

  3. Rename the file <ECS_HOME>\etc\clientsso.cfg.unused to <ECS_HOME>\etc\clientsso.cfg.

  4. In the file, set the parameter CMSFather to the value of the element that holds the correct CMS.