Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-04 Thread Martin Perina
On Tue, Oct 4, 2016 at 5:16 PM, wrote:
> Martin, thanks for the help. It works.
>
Glad to hear that, thanks.
Martin
>
> 03.10.2016, 15:01, "Martin Perina" :
> > Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 4.0

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-04 Thread aleksey . maksimov
Martin, thanks for the help. It works.
03.10.2016, 15:01, "Martin Perina" :
> Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 4.0 we have quite new OAuth base SSO, so you need to use following configuration:

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina
Hi, please take a look at inline comments:
On Mon, Oct 3, 2016 at 9:15 AM, wrote:
> Yes. Of course. Here are my configs.
>
> =
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov
Yes. Of course. Here are my configs.
=
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:52 AM, wrote:
> > network.negotiate-auth.delegation-uris = .ad.holding.com
> > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov
> network.negotiate-auth.delegation-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com
Yes. Configured
The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox opens without problems and without password prompts
But when opening links from

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:18 AM, wrote:
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Firefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov
Hello, Martin
Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Firefox.
Kerberos authentication NOT working with oVirt Web-Portals.
I expect that the users opening the oVirt web portal in the browser did not enter a password, and used

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina
Hi Aleksey,
in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?
Regards
Martin Perina
> # kinit aleksey
> Password for alek...@ad.holding.com: ***
> # klist
> Ticket cache:

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-02 Thread aleksey . maksimov
Up
30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> Any other ideas?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov
Any other ideas?

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov
# kinit aleksey
Password for alek...@ad.holding.com: ***
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
Default principal: alek...@ad.holding.com
Valid starting Expires Service principal
09/30/2016 16:50:32 10/01/2016 02:50:32

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread Ondra Machacek
'/etc/httpd/s-oVirt-Krb.keytab' is apache keytab, you can't try to test login with it. You should try something like `kinit myuser` and then curl. And be sure that 'myuser' has appropriate permissions in oVirt. Do you have properly setup your browser and enabled negotiation (for example for

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov
# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com
Using existing cache: persistent:0:0
Using principal: HTTP/kom-ad01-ovirt1.ad.holding@ad.holding.com
Using keytab: /etc/httpd/s-oVirt-Krb.keytab
Authenticated to Kerberos v5
# klist
Ticket cache:

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread Ondra Machacek
On 09/30/2016 02:44 PM, aleksey.maksi...@it-kb.ru wrote: Hello oVirt guru`s! I set up oVirt integration with Active Directory LDAP according to the manual: