Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 26
Google Search Appliance: Managing Search for Controlled-Access Content
26
•
aes256-cts-hmac-sha1-96
•
des-cbc-md5
To ensure that a search appliance uses Kerberos during serving, content sources must be enabled for
Kerberos. For more information on ensuring that Kerberos is configured correctly on Windows content
sources, see the wiki page
(the information is provided as a reference, and is not officially supported by Google).
The Kerberos implementation supports:
•
Windows IIS web sites with Kerberos enabled.
•
Windows file share with Kerberos enabled.
•
Linux/Unix file share using SMB in a Windows domain with a Windows AD as the Kerberos Key
Distribution Center (KDC).
•
Cross domain access.
Take note that the search appliance supports serving of SMB content via Kerberos only. It does not
support crawling of SMB content via Kerberos.
With cross-domain access, the KDC associated with the search appliance can communicate with other
KDCs to authenticate and authorize users from other domains. The secure content does not have to be
in the same domain as the search appliance, but the two domains must have transitive trust enabled
between them. For information about transitive trusts, see Microsoft documentation. In a Windows
cross-domain configuration, the search appliance requires the DNS server to advertise KDCs for both
domains by way of DNS SRV responses.
The Kerberos implementation does not support:
•
Windows constrained delegation. Workaround: See Google SAML Bridge for Windows in Enabling
Windows Integrated Authentication.
•
Linux/Unix KDC.
When the search appliance is configured to use IWA / Kerberos authentication, the search appliance
checks the user’s session ticket against a KDC before displaying secure search results to a user. For
Windows servers, the domain controller acts as the KDC for Kerberos authentication.
•
If a user has a valid ticket, the user can see secure search results without having to log in again.
•
The search appliance does not support NTLM fallback. If a user does not have a valid ticket, or is
unable to perform Kerberos authentication against the search appliance, she might get prompted
for credentials. However, the search appliance does not process those credentials. To configure
NTLM fallback, use Google SAML Bridge for Windows, described in Enabling Windows Integrated
Authentication.
To configure the search appliance to use IWA / Kerberos authentication:
1.
Enroll the search appliance in the domain managed by your KDC (see “Enrolling the Search
Appliance in the KDC Domain and Creating a Keytab File” on page 27). The KDC is typically a
Microsoft Windows Server acting as a domain controller. As part of this step, you must also request
and register a Kerberos key table, called a keytab file.
2.
Log in to the Admin Console and configure a credential group for Kerberos (see “Configuring a
Credential Group for Kerberos-Based Authentication” on page 29).
3.
Ensure that your domain users have appropriate browser settings to use Kerberos authentication
when querying the search appliance (see “Configuring Web Browsers for Kerberos Authentication”
on page 30).