
Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 30


4. Optionally, to enable cross-domain access, click the Enable KDC DNS Lookup checkbox.

5. Click the Save Kerberos KDC Hostname button.

6. Under Import a Kerberos Service Key Table (keytab) File, type the path name for the keytab file in the Keytab File Name box or click Browse to navigate to the file.

7. Click the Import Kerberos Keytab File button.

8. Select a credential group from the pull-down menu.

9. Click the Enable Kerberos support checkbox.

10. In the Mechanism Name box, type a unique name for the authentication mechanism. A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-sensitive and can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.

11. If the KDC is using single-DES encryption, click Allow Weak Crypto.

If you do not check this box and you try to enable Kerberos-based authentication with a KDC using
single-DES encryption, an error message appears.

12. Click Save.

For more information about how to configure Kerberos-based authentication, click Help Center > Serving > Universal Login Auth Mechanisms > Kerberos.
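
The Allow Weak Crypto box in step 11 matters only when single-DES keys are in use, and the keytab imported in steps 6 and 7 records the encryption type of every key it holds. The following is an added example, not part of the original manual or of the search appliance software: it parses a keytab in the MIT binary format (version 0x0502) and lists the single-DES entries so the file can be checked before import. It assumes the keytab reflects the encryption types the KDC issues; the principal HTTP/gsa.example.com@EXAMPLE.COM and the all-zero keys in the sample are constructed.

```python
import struct

# Single-DES enctype numbers from RFC 3961 (deprecated by RFC 6649).
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):         # realm first, then name components
            field, off = _counted(entry, off)
            names.append(field.decode())
        # name type (4 bytes), timestamp (4), 8-bit kvno (1), enctype (2)
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", entry, off)
        _key, off = _counted(entry, off + 11)
        if size - off >= 4:                # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return entries

def weak_entries(data):
    """Entries whose key type is single-DES (the 'Allow Weak Crypto' case)."""
    return [(p, k, SINGLE_DES[e]) for p, k, e in parse_keytab(data) if e in SINGLE_DES]

# Constructed sample: AES-256 key (enctype 18, kvno 3), des-cbc-md5 key (3, kvno 2).
_NAME = (b"\x00\x02\x00\x0bEXAMPLE.COM\x00\x04HTTP\x00\x0fgsa.example.com"
         b"\x00\x00\x00\x01\x00\x00\x00\x00")
SAMPLE = (b"\x05\x02"
          + b"\x00\x00\x00\x57" + _NAME + b"\x03\x00\x12\x00\x20" + bytes(32) + b"\x00\x00\x00\x03"
          + b"\x00\x00\x00\x3f" + _NAME + b"\x02\x00\x03\x00\x08" + bytes(8) + b"\x00\x00\x00\x02")
```

An empty result from weak_entries() on the real keytab means no single-DES keys are present in the file; any entry it returns names the principal and key version that would need to be re-keyed with a stronger encryption type to avoid relying on Allow Weak Crypto.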

Configuring Web Browsers for Kerberos Authentication

Users who query the search appliance must have their web browsers configured to use Kerberos
authentication.

Safari is not a supported browser because it does not forward Kerberos tickets. You can find more information about this issue at http://openradar.appspot.com/6644527.

Configuring Internet Explorer

To configure Internet Explorer:

1. Start Internet Explorer and select Tools > Internet Options.

2. The search appliance URL must be defined in the Local Intranet zone or the Trusted Sites zone. If the search appliance is already part of the Trusted or Intranet zones, you can skip this step.

   a. On the Security tab, select the Local Intranet web zone, and click the Sites... button.

   b. In the Local intranet dialog, click the Advanced button.

   c. Under Add this Web site to the zone, enter the search appliance's URL and click Add.

   d. Leave the Require server verification (https:) for all sites in this zone setting as it is. This option controls whether communication with the search appliance requires SSL certificates. For more on certificate use, see "Configuring Crawl and Serve Over HTTPS" on page 11.

   e. Click the OK button, then click OK again to save this change and return to Internet Options.

   f. With Local Intranet zone selected, click the Custom level ... button and verify that Automatic logon only in Intranet zone is checked.

   If you cannot include the search appliance in the Local Intranet zone, add it to the Trusted Sites zone and select Automatic logon with current user and password.

3. Choose the Advanced tab.