Google Search Appliance Enabling Windows Integrated Authentication version 7.2 User Manual


Google Search Appliance: Enabling Windows Integrated Authentication

17

You can refer to an unsupported Wiki page on configuring Kerberos for more information (http://code.google.com/p/google-saml-bridge-for-windows/wiki/ConfigKerberos).

Important: If SAML Bridge is only used for authentication, Kerberos is not required on the content servers. However, because the search appliance requires the authorization service to be specified to allow the basic authentication prompt to be muted, you must properly configure SAML Bridge for authorization. To do this, perform the steps in “Active Directory and Domain Controller Prerequisites” on page 17 on the domain controller machine, and perform the steps in “Granting ‘Act as Part of the Operating System’ Privilege” on page 18.

Active Directory and Domain Controller Prerequisites

The domain controller that is running Active Directory must meet the following requirements:

Windows Server 2003 Kerberos Extension must be available. Kerberos is used for authentication
between SAML Bridge and the content server.

The domain functional level must be set to Windows Server 2003. Refer to the Microsoft Technet
site for instructions about how to raise the domain functional level.

Active Directory must be configured to permit SAML Bridge to use delegated credentials from the
user to access server content.

To configure Active Directory to permit SAML Bridge to use delegated credentials:

1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.

2. In the tree view, click Computers.

3. In the right pane, select the server hosting SAML Bridge, right-click, and select Properties.

4. In the Properties dialog box, click the Delegation tab.

5. Select Trust this computer for delegation to specified services only.

6. Select Use any authentication protocol.

7. Click Add. The Add Services dialog box appears.

8. Click Users or Computers. The Select Users or Computers dialog box appears.

9. Under Enter the object names to select, enter the Service Principal Name (SPN) for the Kerberized content server to which the SAML Bridge host will delegate.

   If you are using Network Service to run an HTTP service, enter the name of the content server.

   If you are using a domain account to run an HTTP service, enter the name of the domain account.

   If you are using Microsoft Cluster Server to run a CIFS server, enter the Network Name of the group that contains the file share.

10. Optionally, click Check Names to verify that you entered the name correctly.

11. Click OK. The Add Services dialog box reappears, showing the available services for the object whose SPN you specified.
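Steps 5, 6 and 9 through 11 set constrained delegation with protocol transition on the SAML Bridge computer object; the following PowerShell audit script is an added example (not from the Google manual) that reads that state back from Active Directory so an administrator can confirm the Delegation tab was configured as described and that the host was not left trusted for unconstrained delegation. It assumes the RSAT ActiveDirectory module and two placeholder names: SAMLBRIDGE01 for the SAML Bridge host and HTTP/content01.corp.example.com for the content server SPN entered in step 9.

```powershell
# Added audit script, not part of the Google Search Appliance manual.
# Assumes the RSAT ActiveDirectory module and the placeholder names below.
Import-Module ActiveDirectory

$bridgeHost  = 'SAMLBRIDGE01'                      # placeholder: computer hosting SAML Bridge
$expectedSpn = 'HTTP/content01.corp.example.com'   # placeholder: SPN of the Kerberized content server

# userAccountControl bits that the Delegation tab toggles
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this computer for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition, step 6)

$computer = Get-ADComputer -Identity $bridgeHost -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac      = [int]$computer.userAccountControl
$targets  = @($computer.'msDS-AllowedToDelegateTo')

# Step 5 restricts delegation to specified services; unconstrained delegation is a misconfiguration here.
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$bridgeHost is trusted for UNCONSTRAINED delegation; step 5 should restrict it to specified services."
}

# Step 6 turns on protocol transition so the bridge can obtain a Kerberos ticket on the user's behalf.
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    Write-Warning "'Use any authentication protocol' is not set on $bridgeHost (step 6)."
}

# Steps 9-11 add the content server's SPN to msDS-AllowedToDelegateTo.
if ($targets -notcontains $expectedSpn) {
    Write-Warning "$expectedSpn is not listed in msDS-AllowedToDelegateTo for $bridgeHost (steps 9-11)."
}

"Allowed delegation targets for ${bridgeHost}:"
$targets | ForEach-Object { "  $_" }

# Check Names (step 10) only resolves if the SPN is registered; setspn -Q reports which account holds it.
setspn -Q $expectedSpn
```

Run it on the domain controller (or any host with RSAT) after completing the steps; any warning points back to the step that needs to be repeated.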
