SPNEGO Kerberos Authentication
Agiloft supports single sign-on via the Kerberos authentication protocol, using SPNEGO to access the knowledgebase via HTTP.
What are SPNEGO and Kerberos?
- Kerberos is an authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
- SPNEGO, pronounced "spang-go" or "spe-nay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. It is most notably used by browsers for HTTP negotiation.
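To see which mechanism a browser actually offered during HTTP negotiation, the Authorization: Negotiate header can be decoded. The Python code below is an added example, not Agiloft code: it lists the mechanisms in a SPNEGO token and flags a bare NTLM message, which Windows clients typically send when they cannot get a Kerberos ticket for the server. The function names and the sample headers are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")          # OID 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")      # OID 1.2.840.113554.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")    # OID 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos 5", NTLM: "NTLMSSP"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Return (kind, offered_mechanisms) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate", []
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):    # bare NTLM message, no SPNEGO wrapper
            return "raw-ntlm", ["NTLMSSP"]
        tag, body, _ = read_tlv(token, 0)       # 0x60: GSS-API initial context token
        oid_tag, oid, pos = read_tlv(body, 0)
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown", []
        if oid != SPNEGO:                       # a single mechanism sent without SPNEGO
            return "gss-direct", [MECHS.get(oid, "OID " + oid.hex())]
        value, mechs = body[pos:], []
        for expected in (0xA0, 0x30, 0xA0, 0x30):   # NegTokenInit > SEQUENCE > mechTypes > OID list
            tag, value, _ = read_tlv(value, 0)
            if tag != expected:
                return "unknown", []
        pos = 0
        while pos < len(value):                 # walk the offered mechanism OIDs in order
            _, oid, pos = read_tlv(value, pos)
            mechs.append(MECHS.get(oid, "OID " + oid.hex()))
        return "spnego", mechs
    except (ValueError, IndexError):            # bad base64 or truncated DER
        return "malformed", []

# Constructed samples (not captured traffic); the SPNEGO one omits the mechToken field.
def _tlv(tag, value): return bytes([tag, len(value)]) + value
_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, _tlv(0x06, KRB5) + _tlv(0x06, NTLM)))))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_tlv(0x60, _tlv(0x06, SPNEGO) + _init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)).decode()
```

A "raw-ntlm" result on a host that should be using Kerberos usually points back to the prerequisites listed on this page, in particular the SPN registration and the name used in the URL.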
To complete SPNEGO/Kerberos setup you must have:
- A server environment configured with Kerberos/SPNEGO.
- Agiloft installed on a machine in the Active Directory domain.
- A known address for the domain key distribution center (KDC).
Note: the KDC address is often the same as the domain controller address.
- An account name and password in the domain to be used for pre-authentication.
- A registered Service Principal Name (SPN) with the account mentioned above for all known names of a server where Agiloft is installed. To register an SPN, run the following command for all known names of a server where Agiloft is installed. The command should be run on the domain controller.
  setspn.exe -A HTTP/<server> <account name>
Set Up Kerberos/SPNEGO Access
To configure Kerberos/SPNEGO:
- Go to Setup > Access and click the SPNEGO/Kerberos Setup button.
- Select Yes under Enable SPNEGO Authentication.
- Enter the User Name, Password, KDC Address and Domain, using the credentials and details listed above.
- Click Test Connection to check the configuration details.
- Click Finish.
Internet Explorer users must make the following modification to their browser settings:
- In Internet Explorer (IE), go to Internet Options > Advanced > Security.
- Check Enable Integrated Windows Authentication.
The URL for SPNEGO authentication is:
Whenever possible, make sure to use the domain name for your server, such as
example.agiloft.com, rather than the specific server hostname, such as