Chat now with support
Chat with Support

One Identity Management Console for Unix 2.5.3 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

Single Sign-on (SSO) issues

Management Console for Unix uses the host computer's Active Directory credentials to publish its address to the Control Center, perform single sign-on, and to validate a user's log on. On a Microsoft Windows server, the host computer's credentials are available by means of the Windows SSPI, but this limits Management Console for Unix to managing hosts in the same forest to which the Windows server is joined.

If you wish to use Management Console for Unix to manage a foreign domain or forest from a Windows server, then you must disable SSPI. See Disable SSPI for Single Sign-on. However disabling SSPI will disable single sign-on capabilities.

Note: To perform single sign-on, you must

  • Configure Management Console for Unix for Active Directory.
  • Join your Management Console for Unix server to an Active Directory domain.

    If your Management Console for Unix server is on a Linux platform, you must have Authentication Services installed to join Active Directory.

  • Join the client host (where the browser is located) to the Active Directory domain.
  • Login to the browser host using an Active Directory account.

On a Unix server, Management Console for Unix looks for the host computer's credentials by searching for a Kerberos keytab file in the following default locations:

  • /etc/opt/quest/vas/HTTP.keytab
  • /etc/opt/quest/vas/host.keytab

To override the default location, set the console.keytab system property in the custom.cfg configuration file, as follows:

-Dconsole.keytab=<PropertyValue>

See Setting custom configuration settings for more information about overriding the default configuration settings.

If Management Console for Unix cannot find host computer credentials, it will run without host credentials by relying on a correctly configured DNS to find foreign domain controllers. This means that Management Console for Unix will be unable to publish its address to the Control Center, perform single sign-on, or fully validate passwords used when logging on.

Configure a Firefox web browser for SSO

In order for SSO to work on Mozilla Firefox on the host where Management Console for Unix is installed, and from a remote browser, you must configure the web browser to use Windows Integrated Authentication to automatically authenticate to the web browser.

To configure a Firefox web browser for SSO

  1. Enter about:config in the URL address field of your web browser.

  2. Enter negotiate in the filter search box.

  3. Locate and configure the following Firefox preferences:

    network.negotiate-auth.delegation-uris = https://
    network.negotiate-auth.trusted-uris = https://
  4. Save your changes and restart the browser for the changes to take effect.

Configure an IE web browser for SSO

In order for SSO to work on Windows Internet Explorer on the host where Management Console for Unix is installed, and from a remote browser, you must specify the sites in the Internet Security properties.

To configure an IE web browser for SSO

  1. From Windows Internet Explorer, navigate to Tools | Internet Options.
  2. On the Security tab, select the Local Intranet zone and click Sites.
  3. From the Local Intranet dialog, click Advanced.
  4. Add websites to this zone and click Close.
  5. Save your changes and restart the browser for the changes to take effect.

Disable Single Sign-on (SPNEGO/HTTP negotiation)

If system credentials are available, Management Console for Unix attempts single sign-on by default. However, if you are experiencing problems, you can disable single sign-on.

To disable single sign-on

  1. Locate the custom.cfg file.

    See Setting custom configuration settings for general information about customizing configuration settings for the mangement console.

  2. Add the following system property to the custom.cfg file to completely disable single sign-on:

    -Dconsole.login.sso.disable=true

    To disable single sign-on using the WinSSPI:

    -Dconsole.login.sso.sspi-only=true
  3. Save the custom.cfg file.

  4. Restart the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating