One Identity Management Console for Unix 2.5.2 - Administration Guide

Configure an IE web browser for SSO

For SSO to work in Windows Internet Explorer, both on the host where Management Console for Unix is installed and from a remote browser, you must add the console's site to the Local Intranet zone in the browser's Internet Options security settings.

To configure an IE web browser for SSO

  1. From Windows Internet Explorer, navigate to Tools | Internet Options.
  2. On the Security tab, select the Local Intranet zone and click Sites.
  3. From the Local Intranet dialog, click Advanced.
  4. Add websites to this zone and click Close.
  5. Save your changes and restart the browser for the changes to take effect.

Disable Single Sign-on (SPNEGO/HTTP negotiation)

If system credentials are available, Management Console for Unix attempts single sign-on by default. However, if you are experiencing problems, you can disable single sign-on.

To disable single sign-on

  1. Locate the custom.cfg file.

    See Setting custom configuration settings for general information about customizing configuration settings for the management console.

  2. Add the following system property to the custom.cfg file to completely disable single sign-on:

    -Dconsole.login.sso.disable=true

    To disable single sign-on using the WinSSPI:

    -Dconsole.login.sso.sspi-only=true
  3. Save the custom.cfg file.

  4. Restart the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

Disable SSPI for Single Sign-on

If you are experiencing (non-SSO) login difficulties on a Windows server and the log file indicates that SSPI is unable to find the domain, you can disable SSPI and "fall back" to the JCSI provider. To do this, you must add a system property to the custom.cfg configuration file.

Note: The drawback of using JCSI on a Windows server is that some integration features (such as SCP, SSO, and trusted KDC) are unavailable.

Security Support Provider Interface (SSPI) is used to provide web single sign-on on Windows, but it limits logins and administration to domains within the same forest as the Windows host. If you are hosting the console on a Windows server joined to a forest different from the one it is administering, you should disable SSPI. A pure-Java Kerberos implementation is used instead, but it cannot perform single sign-on on Windows.

To disable SSPI

  1. Open the custom.cfg file for editing.

    See Setting custom configuration settings for general information about customizing configuration settings for the management console.

  2. Add the following properties to the custom.cfg file to disable SSPI:

    -Dconsole.sspi.disable=true

    Or, if your problem is only with TGT validation, add this line:

    -Dconsole.sspi.disable-self-test=true
  3. Save the custom.cfg file.

  4. Restart the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.
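Both procedures above (disabling single sign-on and disabling SSPI) come down to the same edit: make sure custom.cfg carries exactly one line for a given `-Dconsole.*` property, then restart the service. The following POSIX shell helper is an added example, not part of the One Identity guide or product; it assumes a path to custom.cfg that you supply, and the helper names (`set_console_property`, `get_console_property`, `count_console_property`) are invented here. Only the property names come from the guide. The helper replaces an existing `-Dname=...` line rather than appending a second one, so re-running it never leaves conflicting duplicates in the file.

```shell
#!/bin/sh
# Added example (not from the One Identity guide): idempotently set a JVM
# system property line in custom.cfg. The file path passed in is an assumption;
# the -Dconsole.* property names are the ones documented in the guide:
#   console.login.sso.disable      console.login.sso.sspi-only
#   console.sspi.disable           console.sspi.disable-self-test

# escape_re NAME -> NAME with regex metacharacters (., -) escaped for grep/sed
escape_re() {
  printf '%s' "$1" | sed 's/[.[\*^$-]/\\&/g'
}

# set_console_property FILE NAME VALUE
#   Ensures FILE contains exactly one "-DNAME=VALUE" line for NAME, replacing
#   any existing "-DNAME=..." line instead of appending a duplicate.
set_console_property() {
  file=$1; name=$2; value=$3
  pat=$(escape_re "$name")
  [ -f "$file" ] || : > "$file"          # create an empty custom.cfg if missing
  tmp=$(mktemp) || return 1
  # keep every line except the old definition of this property
  grep -v "^-D${pat}=" "$file" > "$tmp" || true
  printf -- '-D%s=%s\n' "$name" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_console_property FILE NAME -> prints the current VALUE (empty if unset)
get_console_property() {
  pat=$(escape_re "$2")
  sed -n "s/^-D${pat}=//p" "$1" | tail -n 1
}

# count_console_property FILE NAME -> number of lines that define NAME
count_console_property() {
  pat=$(escape_re "$2")
  grep -c "^-D${pat}=" "$1" || true
}

# demo_sso_disable: builds a constructed sample custom.cfg in a temp dir,
# disables SSO and SSPI, and prints the resulting file.
demo_sso_disable() {
  dir=$(mktemp -d)
  cfg="$dir/custom.cfg"
  # constructed sample content, not a real customer configuration
  printf '%s\n' '-Dconsole.login.sso.disable=false' '-Dother.option=1' > "$cfg"
  set_console_property "$cfg" console.login.sso.disable true
  set_console_property "$cfg" console.login.sso.disable true   # no duplicate
  set_console_property "$cfg" console.sspi.disable true
  cat "$cfg"
  # After editing, the guide's procedure continues with a service restart;
  # see "Start/stop/restart Management Console for Unix service".
}

if [ "${1:-}" = "--demo" ]; then demo_sso_disable; fi
```

Run the script with `--demo` to see the edited sample file. In production, point `set_console_property` at the real custom.cfg and restart the Management Console for Unix service afterwards, since the properties are only read at service start.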

Enable SSO for remote browser clients

For remote browser clients to log on to the management console using SSO, Management Console for Unix requires that the web browser 'delegate' the user's credentials to the server. Therefore, you must enable the Management Console for Unix server for delegation.

To enable the Management Console for Unix server for delegation

  1. Open Active Directory Users and Computers.

  2. Navigate to the container in the domain on which the computer where Management Console for Unix is running resides.

    For example, if the console is installed on a domain controller, navigate to <DomainName> | Domain controllers and find the computer object.

  3. In the details pane, right-click the computer object and click Properties.

  4. Open the Delegation tab, select Trust this computer for delegation to any service (Kerberos only) and click OK to save your selection and close the properties.

Note: In Active Directory, computer objects have a property that gets set when you select Trust this computer for delegation to any service (Kerberos only). SSO will not work if delegation is not enabled on the server.

For the delegation changes to take effect in Active Directory, you may need to reboot the client.