Enabling Premium SSO
Single Sign On (SSO) lets your current Windows domain login be used to access Cryoserver, bypassing the login page.
There are two Single Sign On facilities. This document covers the on-premise Cryoserver, where users connect from a Microsoft domain using NTLMv2 tokens. The other facility is known as "OAuth" and is typically used in a cloud-based setup where the user directory is cloud hosted (e.g. Azure or Google), though the Cryoserver itself may be on-premise or cloud hosted.
With this SSO technique, passwords are not passed; instead, your current Windows user token is used for validation. A token is computed every time you log in to a Windows domain, and hence it cannot be cached and reused. This technique only works with NTLM or NTLMv2 tokens and is designed to work only in Microsoft domains.
Furthermore, to prevent man-in-the-middle attacks, the user token includes a 'source PC identifier'. To validate SSO, the Windows Domain Controller checks whether the source of the validation request (Cryoserver) matches the source PC encoded in the token (the user's PC). For this to work, the Cryoserver server needs to be registered as a Computer in the Active Directory Users & Computers list.
Prerequisites to enable premium SSO
Create a COMPUTER account in the Active Directory Users and Computers.
Then use the SetComputerPass.vbs script to generate a password for it. To download the script, click the Download Script button on the Premium SSO options page.
Cryoserver will then be able to create an authenticated connection to your Domain Controller, over which secure SSO connections may be passed.
Navigate to Adv. Configuration > SSO - Single Sign On.
Enter or select the required values in the fields. Refer to the table below for field names and descriptions. (Note: hover your mouse over a field name for additional information and/or example values.)
Click the Apply button to save the configuration.
To test the SSO connection, click the SSO Connection Test button.
After saving this configuration, the web server needs to be restarted to ensure that SSO is being used. To do this, navigate to Management > Restart > Restart WebServer.
To review logs, click the Show Log button.
| Field | Description |
|---|---|
| Enable Premium SSO | Specifies whether premium SSO is enabled. |
| Your internal AD Domain | Your company's internal Active Directory domain. You can get this from the LDAP Base DN. It is typically of the form company.local or company.com. |
| Computer Account Name | Name of the 'Computer' account added to Active Directory Users & Computers. If the computer account added to Active Directory Users and Computers is "CryoserverSSO", then this value will be CryoserverSSO$. Note the required $ sign at the end; Active Directory adds this automatically when you create the account. |
| Computer Account Password | Password of the computer account. To download the script that sets the password, click the Download Script button on the Premium SSO options page. The script prompts you for the computer account name and then lets you set a password. Enter that same password here. |
| DNS (optional) | IP address of an internal DNS server. The SSO service locates your PDC and any other DCs via DNS, and will validate a user against any DC that it can contact. If Cryoserver already has DNS correctly configured (so that domain names resolve elsewhere in the Cryoserver configuration, such as LDAP server names and the Outbound Email and Alerts email server), leave this blank. |
| Site Name (Optional) | The Active Directory Sites and Services site that the web server is in. Note: if your users are in a forest of domains, enter the site name of the local tree of your domain. If your company is a single-domain company, this is not required. |
| LDAP field to match domain | LDAP field that should be matched against the domain obtained via JCIFS. |
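The following pre-flight check is an added example, not part of Cryoserver or its SetComputerPass.vbs script. Run from a domain-joined Windows admin host with the ActiveDirectory and DnsClient modules, it confirms the three things the table above depends on: that the computer account exists with its trailing `$`, that the domain controllers can be located through the DNS SRV records the SSO service uses, and that any site name entered matches a real Sites and Services site. The domain, account and site names are placeholders.

```powershell
# Added pre-flight check for the Premium SSO prerequisites (example code, not
# Cryoserver's own). Placeholder values: replace with your domain, account, site.
param(
    [string]$Domain      = 'company.local',   # "Your internal AD Domain"
    [string]$AccountName = 'CryoserverSSO',   # computer account name, without the $
    [string]$SiteName    = ''                 # "Site Name (Optional)"; leave empty if unused
)
Import-Module ActiveDirectory -ErrorAction Stop
$ok = $true

# 1. The computer account must exist; its sAMAccountName (with the trailing $)
#    is the value to enter as "Computer Account Name".
$computer = Get-ADComputer -Filter "Name -eq '$AccountName'" `
    -Properties sAMAccountName, PasswordLastSet, Enabled
if (-not $computer) {
    Write-Warning "Computer account '$AccountName' not found in Active Directory."
    $ok = $false
} else {
    Write-Host "Computer Account Name to enter in Cryoserver: $($computer.sAMAccountName)"
    Write-Host "Password last set: $($computer.PasswordLastSet) (should change after running SetComputerPass.vbs)"
    if (-not $computer.Enabled) { Write-Warning "The computer account is disabled."; $ok = $false }
}

# 2. The SSO service locates the PDC and other DCs via DNS; the same SRV
#    records must resolve from this host (and from the Cryoserver itself).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No domain controller SRV records found for $Domain; check the DNS field."
    $ok = $false
} else {
    $srv | ForEach-Object { Write-Host "Domain controller: $($_.NameTarget):$($_.Port)" }
}

# 3. An optional site name must match an Active Directory Sites and Services site.
if ($SiteName) {
    $site = Get-ADReplicationSite -Filter "Name -eq '$SiteName'" -ErrorAction SilentlyContinue
    if (-not $site) { Write-Warning "Site '$SiteName' not found."; $ok = $false }
    else { Write-Host "Site '$SiteName' found." }
}

if ($ok) { Write-Host "Pre-flight passed; proceed to SSO Connection Test." }
else     { Write-Warning "Fix the items above before clicking SSO Connection Test." }
```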