Google Search Appliance Enabling Windows Integrated Authentication version 6.8 User Manual
Page 9

To verify whether Kerberos is being used, you can use tools such as Windows Network Monitor or tcptrace
or a browser extension that shows HTTP headers. You can view the headers that result from any
communication with the content server. The content server should send the following header when
Kerberos is in use.
WWW-Authenticate: Negotiate
For example, in the following exchange, look for the Negotiate header in the server response.

GET /ac/login.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: myhost
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Monday, 15 Nov 2010 21:26:01 GMT

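The header check described above, as an added example that is not part of the original manual: it lists the schemes a 401 response offers and, going one step beyond the page, classifies the token in the client's follow-up Authorization header, because a client answering Negotiate can still fall back to NTLM. The sample messages and token bytes are constructed, the function names are illustrative, and the token classification is a heuristic.

```python
import base64
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"                        # start of every NTLM message

def parse_headers(raw):
    """Return [(lowercased name, value)] for the head of one HTTP message."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip request/status line
        if not line.strip():                    # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def offered_schemes(raw_response):
    """Schemes offered in WWW-Authenticate headers, in server order."""
    return [v.split()[0] for n, v in parse_headers(raw_response)
            if n == "www-authenticate" and v]

def token_mechanism(raw_request):
    """Classify the client's Authorization token: kerberos, ntlm, other, none."""
    for name, value in parse_headers(raw_request):
        if name != "authorization":
            continue
        scheme, _, b64 = value.partition(" ")
        if scheme.lower() not in ("negotiate", "ntlm"):
            return "other"
        try:
            blob = base64.b64decode(b64.strip(), validate=True)
        except ValueError:
            return "other"
        if NTLMSSP_SIG in blob:                 # raw or SPNEGO-wrapped NTLM
            return "ntlm"
        if blob[:1] == b"\x60" and KRB5_OID in blob:  # GSS-API token naming Kerberos
            return "kerberos"
        return "other"
    return "none"

# Constructed samples (not captured traffic; token bytes are headers only, not valid tickets).
RESPONSE_401 = ("HTTP/1.1 401 Unauthorized\nServer: Microsoft-IIS/6.0\n"
                "WWW-Authenticate: Negotiate\nWWW-Authenticate: NTLM\n")
def _req(token):
    return ("GET /ac/login.aspx HTTP/1.1\nHost: myhost\n"
            "Authorization: Negotiate " + base64.b64encode(token).decode() + "\n")
KRB_REQ = _req(bytes.fromhex("6082000006062b0601050502") + KRB5_OID + bytes(8))
NTLM_REQ = _req(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(8))

if __name__ == "__main__":
    print(offered_schemes(RESPONSE_401), token_mechanism(KRB_REQ), token_mechanism(NTLM_REQ))
```

A result of "ntlm" on the client request means the exchange fell back to NTLM even though the server offered Negotiate.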
You can refer to an unsupported Wiki page on configuring Kerberos for more information (
following?
If the SAML Bridge is only used for authentication, Kerberos is not required on the content servers.
However, because the search appliance requires the authorization service to be specified to allow the
basic authentication prompt to be muted, you must properly configure the SAML Bridge for
authorization. To do so, perform the steps in the section “Active Directory and Domain Controller
Prerequisites” on page 9 on the domain controller machine and perform the steps in the section
“Granting the “Act as Part of the Operating System” Privilege” on page 11.
Active Directory and Domain Controller Prerequisites
The domain controller that is running Active Directory must meet the following requirements:
• Windows Server 2003 Kerberos Extension must be available. Kerberos is used for authentication
  between the SAML Bridge and the content server.
• The domain functional level must be set to Windows Server 2003. Refer to the Microsoft Technet
  site for instructions about how to raise the domain functional level.
• Active Directory must be configured to permit the SAML Bridge to use delegated credentials from
  the user to access content on the content server. The procedure for configuring Active Directory
  follows.
To configure Active Directory to permit the SAML Bridge to use delegated credentials, follow this
procedure:
1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2. In the tree view, click Computers.