Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 29

3. Open the properties for the user. Use the Account tab for the search appliance account to modify and apply the following properties:
   • Select the domain that you want to use from the drop-down box. Typically, there is only one domain listed.
   • Select the Use DES encryption types for this account checkbox.
   • Clear any other checkboxes under account properties.
   • If permitted by your security policies, set Password never expires.
4. Open a command prompt.
5. At the command prompt, create a keytab file for the search appliance and register the search appliance as the principal by entering the following command:
   ktpass -princ HTTP/FQDN_of_the_search_appliance@DOMAIN_NAME -mapuser DOMAIN_NAME\searchappliance_username -pass searchappliance_password -out filename.keytab -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL
   where FQDN = fully qualified domain name.
   The search appliance username, password, and domain must be consistent with the user account that you created in step 2. With the exception of the mapuser switch, domain names must be fully qualified. Setting the encryption type to DES-CBC-MD5 ensures compatibility with most systems.
   Ensure that when you issue the ktpass command, HTTP is in upper-case letters and the string FQDN_of_the_search_appliance is in lower-case letters, as shown in the examples in this section. The FQDN_of_the_search_appliance must be the DNS A record name of the search appliance, not a CNAME.
   The ptype parameter specifies the principal type. The value must be KRB5_NT_PRINCIPAL (general ptype).
   For example, suppose the domain is FOODOMAIN, the user account is gsa_account, the user password is 123pass, and the FQDN of the search appliance is gsa.foodomain.com. You would enter the following command:
   ktpass -princ HTTP/gsa.foodomain.com@FOODOMAIN.COM -mapuser FOODOMAIN\gsa_account -pass 123pass -out myfilename.keytab -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL
   The keytab file is the Kerberos key table that you will install on the search appliance.
6. If Kerberos will be used for authorization, open the search appliance user account properties again. On the Delegation tab of User properties, select Trust this user for delegation to any service.
   If you want to use Kerberos for authentication only and use another service, such as policy ACLs, the SAML authorization SPI, or connectors, for authorization, then you do not have to enable delegation.
7. On the Account tab of User properties, verify that the user logon name field was populated with the HTTP/ prefix, for example, HTTP/FQDN_of_the_search_appliance.
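Before installing the keytab on the search appliance, it is worth confirming that the file ktpass wrote actually carries the principal the steps above require. The following Python script is an added example, not part of this manual or of the appliance software: it parses the MIT keytab format (version 0x0502) that ktpass produces, skips the key material, and checks each entry against the rules in step 5 (HTTP in upper case, lower-case FQDN, KRB5_NT_PRINCIPAL, DES-CBC-MD5). build_keytab is a constructed helper that generates a sample file with a dummy key so the script runs offline; replace it with open("myfilename.keytab", "rb").read() to check a real file.

```python
import struct

KRB5_NT_PRINCIPAL = 1   # the -ptype value the manual requires
ETYPE_DES_CBC_MD5 = 3   # RFC 3961 number for the -crypto DES-CBC-MD5 the manual requests

def build_keytab(service, host, realm, etype, key, kvno=3):
    """Constructed single-entry 0x0502 keytab for tests; key is dummy bytes, not a real key."""
    strs = b"".join(struct.pack(">H", len(s)) + s.encode() for s in (realm, service, host))
    body = (struct.pack(">H", 2) + strs
            + struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, etype, len(key))
            + key + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into dicts; the key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        names, off = [], off + 2
        for _ in range(ncomp + 1):         # realm first, then the principal components
            (n,) = struct.unpack_from(">H", data, off)
            names.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        name_type, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                   # step over the key material
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "name_type": name_type, "etype": etype, "kvno": kvno})
        off = end
    return entries

def check_gsa_entry(entry):
    """Return the manual's requirements that an entry violates (empty list means it passes)."""
    service, _, rest = entry["principal"].partition("/")
    host = rest.rsplit("@", 1)[0]
    rules = [(service == "HTTP", "service part must be HTTP in upper case"),
             (host == host.lower(), "FQDN part must be lower case"),
             (entry["name_type"] == KRB5_NT_PRINCIPAL, "ptype must be KRB5_NT_PRINCIPAL"),
             (entry["etype"] == ETYPE_DES_CBC_MD5, "enctype %d is not DES-CBC-MD5" % entry["etype"])]
    return [msg for ok, msg in rules if not ok]
```

Note that DES enctypes are disabled by default in current Windows and MIT Kerberos releases, so a keytab that passes these checks can still be rejected unless DES is explicitly enabled on the domain controller.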
Configuring a Credential Group for Kerberos-Based Authentication
To configure Kerberos-based authentication in the Admin Console:
1. On the server where you created the keytab file, open a web browser and log into the Admin Console on the search appliance.
2. Choose Serving > Universal Login Auth Mechanisms > Kerberos.
3. Under Specify a Kerberos Key Distribution Center (KDC)/Windows Domain Controller (DC), type the KDC host domain name in the Kerberos KDC Hostname box.