Kerberos SSO to PortalGuard (Deprecated Method)

The steps below have been replaced by new steps in Chapter 5 - Kerberos SSO to PortalGuard. Please see that section for the supported way of Kerberos-enabling the PortalGuard website. These steps have been saved in this section of the guide for archival purposes.

Create New IIS Website

NOTE: The steps in this section are required if you want to use PortalGuard for self-service actions such as password resets or account unlocks, or if PortalGuard must remain available to external users such as vendors, customers or employees connecting from the internet.

1) Copy the entire “C:\InetPub\PortalGuard” folder

2) Paste it under the “C:\InetPub” folder

3) Rename the new folder to “PortalGuard-KerbSSO”

4) Add a new website in IIS Manager using the following:

a. Site Name = PortalGuard-KerbSSO

b. Application Pool = PortalGuard-KerbSSO

c. Physical Path = C:\InetPub\PortalGuard-KerbSSO

Optionally, set a different port.

NOTE: If you specify a host name different from the machine name, then you will need to add a new SPN to the PortalGuard server’s Active Directory account that matches this name.

5) In Windows Explorer, right-click the C:\inetpub\PortalGuard-KerbSSO folder, choose Properties, then go to the Security tab

6) Click the “Edit” button to change permissions on that folder, then click the “Add…” button

7) Click the “Locations…” button and choose the local server name from the entries, then click OK.

8) Enter the name: IIS AppPool\PortalGuard-KerbSSO

9) Click “Check Names” to ensure it resolves properly to the base App Pool identity name.

10) Click OK and ensure this new entry has “Read & execute” rights, then click OK again to save the change.

11) Still on the Security tab, click the “Advanced” button and “Replace all child object permissions…”

12) Click OK to close all remaining dialog boxes.

13) Go to the Security tab of the top level PortalGuard installation folder (e.g. “C:\Program Files\PistolStar\PortalGuard”)

14) Using the same steps as above, add an entry for “PortalGuard-KerbSSO”, ensure it has Read & execute privileges and apply this change to all child objects.

15) For the “PortalGuard\Logs” folder, add “PortalGuard-KerbSSO” to the ACL, ensure it has Write and Modify privileges and apply this change to all child objects in the Logs folder.

16) For the “PortalGuard\Users” folder, add “PortalGuard-KerbSSO” to the ACL, ensure it has Write and Modify privileges and apply this change to all child objects in the Users folder.
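The folder permissions from steps 5 through 16 can also be applied and verified from an elevated PowerShell prompt. This is an added example, not a script from the PortalGuard guide; it assumes the default paths shown above and that the PortalGuard-KerbSSO application pool from step 4 already exists (the “IIS AppPool\PortalGuard-KerbSSO” identity is only resolvable once the pool has been created). It also pre-grants Read & execute on the base site’s sso\img folder, which the Troubleshooting section below describes as a common omission.

```powershell
# Added example (not part of the PortalGuard guide): grant the Kerberos site's
# App Pool identity the folder rights listed in steps 5-16, then read the ACLs
# back so the result can be checked rather than clicked through.
# Assumption: default install and web root paths; adjust $installRoot if needed.
$appPoolIdentity = 'IIS AppPool\PortalGuard-KerbSSO'
$installRoot     = 'C:\Program Files\PistolStar\PortalGuard'

# Folder => rights. Read & execute everywhere except Logs and Users, which the
# site must write to. In NTFS terms Modify already includes Write.
$grants = @{
    'C:\InetPub\PortalGuard-KerbSSO'  = 'ReadAndExecute'
    $installRoot                      = 'ReadAndExecute'
    (Join-Path $installRoot 'Logs')   = 'Modify'
    (Join-Path $installRoot 'Users')  = 'Modify'
    # Base site image folder referenced by the SSO jump page (see Troubleshooting).
    'C:\InetPub\PortalGuard\sso\img'  = 'ReadAndExecute'
}

function Grant-AppPoolAccess {
    param([string]$Path, [string]$Rights)

    # ContainerInherit + ObjectInherit make the rule flow to child folders and
    # files that inherit from this folder, matching the GUI's "apply to all child
    # objects". Children with inheritance disabled keep their own ACLs.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $appPoolIdentity,
        $Rights,
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow')

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl

    # Verify by re-reading the ACL and showing what this identity actually holds.
    $applied = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $appPoolIdentity }
    '{0,-50} {1}' -f $Path, ($applied.FileSystemRights -join ', ')
}

foreach ($path in $grants.Keys) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Folder not found, skipping: $path"
        continue
    }
    Grant-AppPoolAccess -Path $path -Rights $grants[$path]
}
```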

Configure Kerberos-Enabled PortalGuard site

17) Open “web.config” in the root of the website and make the following edits:

a. Change authentication mode from “Forms” to “Windows” by replacing the multi-line <authentication> element with:

<authentication mode="Windows" />


b. Remove the system.webServer -> modules element and all children


c. Remove the system.webServer -> httpErrors element and all children


d. Save the changes to the web.config

18) In the Kerberos-enabled website in IIS Manager, edit the Authentication settings and enable “Windows Authentication” while disabling all other types.

19) Run “iisreset” from an administrative command prompt

Update PortalGuard Configuration

20) Using the PortalGuard Configuration Editor (PG_Config.exe), open your Active Directory repository document and click the “Resolution” tab. In the “Username Prefix” field, enter your AD NetBIOS domain name followed by a backslash (“\”); in the “Username Suffix” field, enter your AD DNS-style domain name preceded by an at sign (“@”). Here is an example:

Username Prefix: PGUS\

Username Suffix: @portalguard.us

21) Save and apply/sync the change to the PortalGuard server.

22) If you use PortalGuard for SSO and have multiple attribute stores defined, open the Active Directory attribute store document in the Identity Provider Configuration Editor (IdP_Config.exe), click the “Resolution” tab and set the same Username Prefix and Username Suffix values as in the prior step.

23) Save and apply/sync the change to the PortalGuard server.

Troubleshooting

Issue

You see broken or missing images on the SSO jump page when accessing it through the Kerberos-enabled web site.

Resolution

This occurs because the Application Pool identity for the Kerberos-enabled site (e.g. “PortalGuard-KerbSSO”) does not have permission to read the image files in the “C:\InetPub\PortalGuard\sso\img” folder, which is part of the “base” PortalGuard site. To fix this, add the “PortalGuard-KerbSSO” identity to the ACL of the “C:\InetPub\PortalGuard\sso\img” folder with “Read & execute” privileges and apply that change to all of the folder’s child objects. See steps 6-9 above for how to specify the App Pool identity in the ACL.