URL configuration
Before installing the Security Analytics Engine, be aware that due to default Kerberos settings within Windows and common web browsers, the Security Analytics Engine’s default URL configuration utilizes the non-qualified local machine name for Single Sign-On (SSO) redirection. While most browsers support SSO from remote machines, by mapping the URL to the Intranet zone or some other supported Kerberos configuration setting, SSO may not function from a browser locally on the Security Analytics Engine computer without additional configuration. To aid in this additional configuration, or to support a DNS-based URL for other purposes such as load balancing, the Security Analytics Engine installer supports a command line parameter which specifies a URL that is not machine-based. While you still need to perform additional configuration specific to your browser(s) and Kerberos environment, this command line parameter allows for SSO support by a browser on the Security Analytics Engine computer.
To provide an alternate URL for the Security Analytics Engine
|
|
NOTE: An alternate URL is not required unless non-local SSO is desired or multi-server installations of the Security Analytics Engine are required with SSO support. |
|
|
NOTE: An alternate URL webhostname should be provided if the default machine name does not align to the SSL web site certificate. |
- Utilize the installer command line parameter
WEBHOSTNAME, providing the host name portion of the URL you want to use (for example, ‘securityanalyticsengine.mydomain.com’). See Installing the Security Analytics Engine in a single-server environment for more information on using this parameter during installation. - Ensure that the host name resolves to a DNS ‘A’ or ‘name’ record (not an alias) for all computers hosting the Security Analytics Engine.
- If the Security Analytics Engine is running on multiple computers, configure the Security Analytics Engine RSTS service (or external STS provider) to run under a shared domain process account (required for multi-host Kerberos SPN use).
- Ensure that the Kerberos SPN is registered for the domain account running the Security Analytics Engine RSTS service (local machine account for single-server installation, shared processes account for multi-server installations).
- Ensure that the browser configurations support SSO with Kerberos for the specified URL.
- For information on any additional configuration required by each browser, check the browser’s accompanying documentation and see the following Kerberos SetSPN for web applications information: