Content server kerberos prerequisites – Google Search Appliance Enabling Windows Integrated Authentication version 7.2 User Manual


Google Search Appliance: Enabling Windows Integrated Authentication

16

4. SAML Bridge checks the user's access to the search results content by impersonating the user to the
content server.

5. If SAML Bridge is using NTLM, it sends a HEAD request on the user's behalf to the content server.

6. If SAML Bridge is using Kerberos, it obtains a Kerberos ticket to use on the user's behalf. This is
possible because the domain server is configured to enable SAML Bridge to impersonate the user
to the content server.

7. SAML Bridge tells the search appliance which documents the user can access.

Review the "Authentication/Authorization for Enterprise SPI Guide" for more details about communications
between the search appliance and the SAML Bridge host.

Prerequisites for Using SAML Bridge for Authorization

If you are using SAML Bridge for authorization, the following prerequisites apply:

“Content Server Kerberos Prerequisites”

“Active Directory and Domain Controller Prerequisites”

“Modifying the Windows Registry”

“Granting ‘Act as Part of the Operating System’ Privilege”

Content Server Kerberos Prerequisites

When SAML Bridge is used for authorization, Kerberos must be running on each content server whose
content requires authorization.

To verify whether Kerberos is being used, use a tool such as Windows Network Monitor or tcptrace, or a
browser extension that shows HTTP headers, to view the headers that result from any communication with
the content server. The content server should send the following header when Kerberos is in use.

WWW-Authenticate: Negotiate

For example, in the following exchange, look for the Negotiate header in the server's 401 response.

GET /ac/login.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: myhost
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Monday, 15 Nov 2010 21:26:01 GMT
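The header check above can be automated. The following Python script is an added example, not part of the manual or of the Google Search Appliance product: it parses the 401 response shown above and lists the schemes the server offers, and it also inspects the Negotiate token that the client sends back in its Authorization header, because a Negotiate challenge only shows that SPNEGO is available and the client's token shows whether Kerberos or NTLM was actually selected inside it. The sample tokens, the helper that builds them and the function names are all constructed for this example.

```python
import base64

# --- Constructed sample data (not captured from a real server) -------------

# The 401 challenge shown in the manual, reproduced as a raw HTTP message.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 1656\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Monday, 15 Nov 2010 21:26:01 GMT\r\n"
    "\r\n"
)

# DER OID payloads (tag and length byte excluded) for the mechanisms that can
# appear inside a Negotiate (SPNEGO) token.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

# Full DER encodings (0x06 tag + length + payload), grouped by mechanism.
MECH_ENCODINGS = {
    "kerberos": [b"\x06\x09" + KRB5_OID, b"\x06\x09" + MS_KRB5_OID],
    "ntlm": [b"\x06\x0a" + NTLMSSP_OID],
}

def _neg_token_init(*mech_oids):
    """Build a minimal SPNEGO NegTokenInit carrying only a mechTypes list.
    Constructed for this example; real client tokens also carry a mechToken."""
    mech_types = b"".join(b"\x06" + bytes([len(o)]) + o for o in mech_oids)
    seq = b"\x30" + bytes([len(mech_types)]) + mech_types      # SEQUENCE OF OID
    ctx0 = b"\xa0" + bytes([len(seq)]) + seq                    # [0] mechTypes
    init = b"\x30" + bytes([len(ctx0)]) + ctx0                  # NegTokenInit
    choice = b"\xa0" + bytes([len(init)]) + init                # NegotiationToken [0]
    body = b"\x06\x06" + SPNEGO_OID + choice
    return b"\x60" + bytes([len(body)]) + body                  # GSS-API InitialContextToken

# Constructed client tokens: Kerberos preferred, NTLM only, and a raw NTLMSSP
# message sent under the Negotiate scheme (what a client without a ticket does).
KERB_TOKEN_B64 = base64.b64encode(_neg_token_init(MS_KRB5_OID, KRB5_OID, NTLMSSP_OID)).decode()
NTLM_SPNEGO_TOKEN_B64 = base64.b64encode(_neg_token_init(NTLMSSP_OID)).decode()
RAW_NTLM_B64 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()

def parse_http_message(raw):
    """Return (start line, [(header-name-lowercase, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def auth_schemes_offered(raw_response):
    """Scheme names from every WWW-Authenticate header, in server order."""
    _, headers = parse_http_message(raw_response)
    return [v.split()[0] for n, v in headers if n == "www-authenticate" and v]

def classify_negotiate_token(token_b64):
    """Report which mechanism a client's Negotiate token actually carries."""
    token = base64.b64decode(token_b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if not token or token[0] != 0x60:  # not a GSS-API InitialContextToken
        return "unknown"
    # mechTypes precede any mechToken, so the earliest OID is the client's choice.
    best = None
    for mech, encodings in MECH_ENCODINGS.items():
        for enc in encodings:
            idx = token.find(enc)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, mech)
    return best[1] if best else "unknown"

def check_exchange(raw_response, raw_request=None):
    """Combine the server challenge with the client's follow-up request."""
    schemes = auth_schemes_offered(raw_response)
    result = {
        "schemes": schemes,
        "negotiate_offered": "Negotiate" in schemes,
        "ntlm_offered": "NTLM" in schemes,
        "mechanism": None,
    }
    if raw_request:
        _, headers = parse_http_message(raw_request)
        for n, v in headers:
            scheme, _, token = v.partition(" ")
            if n == "authorization" and scheme == "Negotiate" and token:
                result["mechanism"] = classify_negotiate_token(token.strip())
    return result

if __name__ == "__main__":
    follow_up = ("GET /ac/login.aspx HTTP/1.1\r\nHost: myhost\r\n"
                 "Authorization: Negotiate " + KERB_TOKEN_B64 + "\r\n\r\n")
    print(check_exchange(SAMPLE_401, follow_up))
```

Run against a capture from the content server, a "mechanism" of "kerberos" confirms that the client obtained a ticket; "ntlm" with "negotiate_offered" true means SPNEGO fell back to NTLM, which usually points at a missing or wrong SPN rather than at the server not offering Negotiate.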
