Modifying the windows registry – Google Search Appliance Enabling Windows Integrated Authentication version 7.2 User Manual


Google Search Appliance: Enabling Windows Integrated Authentication

18

12. To select one or more services to which SAML Bridge will delegate, first identify the service type, and then select the name in the User or Computer column.

To find the service type: if the content server is a web server or SharePoint server, the service is listed in the Service Type column as HTTP.

To select the name of the service in the User or Computer column:

If users will access the content server using the NetBIOS name, select that name.

If users will access the content server using a DNS alias, select the DNS alias.

If the content server is a load-balanced web server, select the associated virtual host name. You'll also need to select the NetBIOS name of each physical server represented by the virtual host.

13. Click OK. The Properties dialog box reappears. Under Services to which this account can present delegated credentials, you can view the list of services that you just specified.

14. Click OK to close the Properties dialog box and then close the Active Directory Users and Computers snap-in.
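Steps 12 through 14 edit the delegation list of the SAML Bridge account by hand. The following PowerShell is an added example, not part of the Google manual, that does the same thing with the ActiveDirectory module and, more usefully for a reviewer, lists what the account is currently allowed to delegate to. It assumes the bridge runs under a computer account (placeholder SAMLBRIDGE01$); every host name in the target list is a placeholder that mirrors the manual's three rules (NetBIOS name, DNS alias, virtual host plus each physical node behind it). If the bridge application pool runs as a domain user instead, substitute Get-ADUser and Set-ADUser.

```powershell
# Added example (not from the Google Search Appliance manual): audit and extend the
# Kerberos constrained-delegation list that the Delegation tab edits in steps 12-14.
Import-Module ActiveDirectory

# Placeholder: the account whose Properties dialog the manual is editing.
$bridgeAccount = 'SAMLBRIDGE01$'

# Placeholder SPNs. Service type is HTTP for web and SharePoint servers (step 12);
# the name part follows the manual's NetBIOS / DNS alias / virtual-host rules.
$targets = @(
    'HTTP/CONTENTSRV01',             # NetBIOS name of a content server
    'HTTP/intranet.example.com',     # DNS alias users type in the browser
    'HTTP/portal.example.com',       # virtual host name of a load-balanced farm
    'HTTP/SPWEB01', 'HTTP/SPWEB02'   # NetBIOS names of the physical nodes behind it
)

function Get-DelegationTargets {
    # Returns the SPNs the account may present delegated credentials to.
    param([string]$Identity)
    $acct = Get-ADComputer -Identity $Identity -Properties msDS-AllowedToDelegateTo
    @($acct.'msDS-AllowedToDelegateTo')
}

function Add-DelegationTargets {
    # Adds only the SPNs that are not already listed; returns what was added.
    param([string]$Identity, [string[]]$Spns)
    $existing = Get-DelegationTargets -Identity $Identity
    $missing  = @($Spns | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADComputer -Identity $Identity -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    $missing
}

Add-DelegationTargets -Identity $bridgeAccount -Spns $targets

# Review pass: the list should contain only the content servers the bridge fronts.
# Any SPN beyond those widens what a compromise of the bridge host can reach.
Write-Host "Services $bridgeAccount may delegate to:"
Get-DelegationTargets -Identity $bridgeAccount | Sort-Object
```

Run the review pass again after the change and after any later edits to the Delegation tab; the delegation list is the boundary that limits where the bridge can act on a user's behalf, so it should be kept to exactly the services the manual's rules require.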

Modifying the Windows Registry

This step is required only if the same IIS server is both a SAML Bridge host and a content server.

To avoid problems that occur when SAML Bridge attempts to access the local web files, you'll need to update the Registry by following the instructions in Microsoft KB article 896861 (http://support.microsoft.com/kb/896861/).
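The manual only points at the KB article. The problem it addresses is the Windows loopback check, which rejects Integrated authentication from a host to its own web sites under a name other than the machine name, which is exactly the situation when the SAML Bridge and the content server share one IIS server. The following PowerShell is an added example, not from the manual or from Microsoft, that applies the KB's host-name exception (the BackConnectionHostNames value) rather than the broader option of turning the check off. The site names are placeholders.

```powershell
# Added example (not from the manual): apply the KB 896861 host-name exception so IIS
# on the SAML Bridge host accepts Integrated authentication to its own local sites.
# Run from an elevated prompt; the registry paths are the ones the KB article names.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

# Placeholders: every name (NetBIOS, DNS alias, virtual host) under which the
# bridge reaches content sites hosted on this same machine.
$localSiteNames = @('CONTENTSRV01', 'intranet.example.com', 'portal.example.com')

function Set-BackConnectionHostNames {
    # Merges the given names into the multi-string value, keeping existing entries.
    param([string[]]$Names)
    $current = @()
    $prop = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $current = @($prop.BackConnectionHostNames) }
    $merged = @($current + $Names | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Test-LoopbackCheckDisabled {
    # True if the machine-wide DisableLoopbackCheck switch from the KB is set.
    $p = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    [bool]($p -and $p.DisableLoopbackCheck -eq 1)
}

Write-Host 'BackConnectionHostNames now contains:'
Set-BackConnectionHostNames -Names $localSiteNames

if (Test-LoopbackCheckDisabled) {
    # The per-name list above is sufficient for the bridge; the global switch
    # removes the reflection protection for every host name on the machine.
    Write-Warning 'DisableLoopbackCheck=1 is set; prefer the per-name list and remove it.'
}

# The KB requires IIS to be restarted for the change to take effect.
iisreset
```

The per-name list is the right choice here because the manual's scenario involves a known, small set of local site names; the global DisableLoopbackCheck switch from the same KB article works too but applies to every name on the host.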

Granting ‘Act as Part of the Operating System’ Privilege

When the search appliance sends an authorization request with a user name, SAML Bridge can generate
a Windows token by impersonation. However, it can use the token to access remote resources only if it
has the privilege to ‘Act as part of the operating system’. The Network Service that represents the
identity of the SAML Bridge Application Pool must now be configured to act as part of the operating
system, if it is not already configured that way.

In some environments, you cannot configure a host individually, because the domain controller sets
security settings for all hosts in the domain. If your environment is set up that way, you’ll need to get
access to the domain controller or ask the administrator to perform this configuration.

If you can configure the SAML Bridge host, follow these steps:

1. Select Control Panel > Administrative Tools > Local Security Settings.

2. In the left panel, select Security Settings > Local Policies > User Rights Assignment.

3. Open Act as part of the operating system.

4. In the Act as part of the operating system Properties dialog box, click Add User or Group.

5. In the Add User or Group dialog box, enter Network Service and click OK. The Act as part of the operating system Properties dialog box reappears, with Network Service in the box.

6. Click OK to close the Properties dialog box.
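The six steps above assign the user right whose internal name is SeTcbPrivilege to NETWORK SERVICE through the Local Security Settings console. The following PowerShell is an added example, not from the manual, that performs the same assignment with secedit and, before and after, lists who holds the right, which is the check a practitioner wants because this is the most powerful right Windows defines and the holder list should stay as short as possible. It assumes an elevated prompt on the SAML Bridge host; NETWORK SERVICE is referenced by its well-known SID S-1-5-20, which is how secedit writes user rights.

```powershell
# Added example (not from the manual): grant and verify "Act as part of the operating
# system" (SeTcbPrivilege) for NETWORK SERVICE using secedit instead of the GUI.
$networkServiceSid = '*S-1-5-20'   # NT AUTHORITY\NETWORK SERVICE, in secedit's *SID form

function Get-TcbHolders {
    # Exports the local user-rights area and returns the SeTcbPrivilege holders.
    $cfg = Join-Path $env:TEMP 'tcb-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }   # line is absent when nobody holds the right
    @((($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Grant-TcbPrivilege {
    # Adds the SID to the existing holders (never replaces them) and re-applies.
    param([string]$Sid)
    $holders = Get-TcbHolders
    if ($holders -contains $Sid) { return $holders }
    $value = (@($holders) + $Sid) -join ','
    $cfg = Join-Path $env:TEMP 'tcb-grant.inf'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeTcbPrivilege = $value"
    ) | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'tcb.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg -Force
    Get-TcbHolders
}

Write-Host 'SeTcbPrivilege holders before:'; Get-TcbHolders
Write-Host 'SeTcbPrivilege holders after:';  Grant-TcbPrivilege -Sid $networkServiceSid
```

Two things to check after running it. First, the "after" list should contain S-1-5-20 and nothing that was not there before; any other account holding this right is worth a question. Second, as the manual notes, a domain policy that defines this right overwrites the local setting at the next policy refresh; run gpupdate /force and then Get-TcbHolders again to confirm the grant survived, and if it did not, the change has to be made in the domain policy by the domain administrator.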

Once the prerequisites are met, refer to the steps for “Installing SAML Bridge” on page 6.
