Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 28

5. At the command prompt, create a keytab file for the search appliance and register the search appliance as the principal by entering the following command:

ktpass -princ HTTP/FQDN_of_the_search_appliance@DOMAIN_NAME -mapuser DOMAIN_NAME\searchappliance_username -pass searchappliance_password -out filename.keytab -ptype KRB5_NT_PRINCIPAL

where FQDN is the fully qualified domain name of the search appliance.

The search appliance username, password, and domain must be consistent with the user account that you created in step 2. With the exception of the mapuser switch, domain names must be fully qualified: the part after @ is the Kerberos realm, which is the DNS domain name in upper-case letters (for example FOODOMAIN.COM), not the NetBIOS domain name. Kerberos principal names are case-sensitive, so when you issue the ktpass command ensure that HTTP is in upper-case letters and that FQDN_of_the_search_appliance is in lower-case letters, as shown in the examples in this section. The FQDN_of_the_search_appliance must be the DNS A-name of the search appliance, not a CNAME, because browsers resolve a CNAME to its target host before building the HTTP/host service principal name for which they request a ticket. The ptype parameter specifies the principal type; the value must be KRB5_NT_PRINCIPAL (the general principal type).

For example, suppose the domain is FOODOMAIN, the user account is gsa_account, the user password is 123pass, and the FQDN of the search appliance is gsa.foodomain.com.

You would enter the following command:

ktpass -princ HTTP/gsa.foodomain.com@FOODOMAIN.COM -mapuser FOODOMAIN\gsa_account -pass 123pass -out myfilename.keytab -ptype KRB5_NT_PRINCIPAL

The keytab file is the Kerberos key table that you will install on the search appliance. It contains the long-term key derived from the account password, so anyone who can read it can act as the search appliance's service principal: restrict access to the file, transfer it to the appliance over a protected channel, and delete the copy left on the domain controller once it has been installed.

6. If Kerberos will be used for authorization, open the search appliance user account properties again. On the Delegation tab of User properties, select Trust this user for delegation to any service.

This setting is unconstrained delegation: the appliance account can obtain service tickets to any service in the domain on behalf of any user who has authenticated to it, so whoever holds this keytab or the account password can impersonate those users. Treat the account as highly privileged, and enable delegation only if Kerberos authorization requires it.

If you want to use Kerberos for authentication only and use another service, such as policy ACLs, the SAML authorization SPI, or connectors, for authorization, then you do not have to enable delegation.

7. On the Account tab of User properties, verify that the user logon name field was populated with the HTTP/ prefix, for example, HTTP/FQDN_of_the_search_appliance.
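As an added example (not code from the Google manual or from the search appliance), the following Python script parses a keytab in the format that ktpass writes (MIT keytab version 0x0502) and checks it against the rules in step 5: upper-case HTTP, lower-case FQDN, a fully qualified upper-case realm, and the KRB5_NT_PRINCIPAL name type. It also reports single-DES entries, which is what the Windows 2003/XP procedure later in this section produces. The sample keytabs are constructed in code with dummy keys so the script runs offline; the function names and keys are the example's own assumptions. To check a real file, pass the bytes of myfilename.keytab to check_appliance_keytab.

```python
"""Inspect a Kerberos keytab and check the search-appliance principal.

Added example, not part of the Google manual. The sample keytabs are
constructed here with dummy keys; they are not real ktpass output.
"""
import struct

KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3}  # single-DES, produced by Windows 2003/XP era ktpass


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, realm: str, enctype: int, key: bytes,
                kvno: int, timestamp: int = 0) -> bytes:
    """Serialize one v0x0502 keytab entry (used here to build test input)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data: bytes):
    """Return one dict per entry of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (expected header 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
    return entries


def check_appliance_keytab(data: bytes, fqdn: str, realm: str):
    """Return a list of problems; an empty list means the keytab looks right."""
    wanted = f"HTTP/{fqdn.lower()}"
    entries = parse_keytab(data)
    problems = []
    if not any(e["principal"] == wanted and e["realm"] == realm for e in entries):
        found = ", ".join(f'{e["principal"]}@{e["realm"]}' for e in entries) or "nothing"
        problems.append(f"no entry for {wanted}@{realm}; keytab holds {found}")
    for e in entries:
        svc, _, host = e["principal"].partition("/")
        if svc != "HTTP":
            problems.append(f"service '{svc}' must be upper-case HTTP")
        if host != host.lower():
            problems.append(f"host '{host}' must be the lower-case FQDN")
        if "." not in e["realm"] or e["realm"] != e["realm"].upper():
            problems.append(f"realm '{e['realm']}' must be a fully qualified upper-case realm")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} is single-DES; weak")
    return problems


# Constructed samples for the manual's example principal (dummy keys).
SAMPLE_KEYTAB = build_keytab([
    build_entry("HTTP/gsa.foodomain.com", "FOODOMAIN.COM", 23, b"\x11" * 16, kvno=3),
])
BAD_KEYTAB = build_keytab([   # wrong case, NetBIOS realm, single-DES key
    build_entry("http/GSA.foodomain.com", "FOODOMAIN", 3, b"\x22" * 8, kvno=3),
])

if __name__ == "__main__":
    for name, kt in (("good", SAMPLE_KEYTAB), ("bad", BAD_KEYTAB)):
        print(name, check_appliance_keytab(kt, "gsa.foodomain.com", "FOODOMAIN.COM") or "OK")
```

The good keytab produces no findings; the bad one is reported five times (missing expected entry, lower-case service, upper-case host, unqualified realm, single-DES key). The parser tolerates both the 8-bit key version number that every entry carries and the optional 32-bit one that some writers append after the key, so it can be pointed at keytabs from ktpass or from MIT ktutil alike.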

Instructions for Microsoft Windows 2003 and XP (DES Encryption)

In the following instructions, you configure the search appliance as a user in Active Directory, then create a keytab file. The search appliance password in Active Directory must match the password in the keytab file. Note that single DES is a weak, deprecated Kerberos encryption type; use these DES instructions only for the legacy Windows 2003 and XP platforms named here.

To configure Windows:

1. Log in to the Windows server that acts as the domain controller on your network.

2. Use the Active Directory Management wizard to create a new user object for the search appliance by entering the following information:

First Name and User Logon Name (the first name and logon name can be anything that helps you identify the search appliance account, for example "gsa_account")

Password