Improve Kerberos doc
parent
0e533ddd02
commit
33dac7bc91
|
@ -38,16 +38,24 @@ It is recommended to use NTP to do this.
|
||||||
DNS
|
DNS
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
The auth.example.com must be registered in the DNS server (which is
|
In our experience, we have observed the following limitations when using Kerberos for web applications in an Active Directory environment
|
||||||
Active Directory). The reverse DNS of auth.example.com **must** return
|
|
||||||
the portal IP.
|
|
||||||
|
|
||||||
|
* ``auth.example.com`` must be registered in the DNS server as a ``A`` record. ``CNAME`` usually do not work
|
||||||
|
* The reverse DNS (``PTR``) for ``auth.example.com``'s IP address MUST point back to ``auth.example.com``
|
||||||
|
|
||||||
.. tip::
|
.. tip::
|
||||||
|
|
||||||
If you have a SSO cluster, you must setup a Virtual IP in
|
If you have a SSO cluster, you must setup a Virtual IP in
|
||||||
cluster and register this IP in DNS.
|
cluster and register this IP in DNS.
|
||||||
|
|
||||||
|
.. tip::
|
||||||
|
|
||||||
|
If you cannot configure the PTR record to point to the portal's hostname, it
|
||||||
|
may help to run the following command. Assuming that ``proxy.example.com`` is
|
||||||
|
the PTR record of the portal's IP address ::
|
||||||
|
|
||||||
|
setspn -s HTTP/proxy.example.com keytab-account
|
||||||
|
|
||||||
SSL
|
SSL
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
|
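Review bot: The new PTR bullet says the reverse record "MUST point back to ``auth.example.com``", but the tip added just below it documents a setup where the PTR is ``proxy.example.com`` instead, so the two statements contradict each other; consider softening the bullet to "should" and referring the reader to the tip for the case where the PTR cannot be changed. In that tip, `setspn -s HTTP/proxy.example.com keytab-account` is given without saying on which machine and with which rights it is run, or what `keytab-account` refers to (presumably the Active Directory account the portal's keytab was generated for); a sentence on each would help, plus a note that the command registers `HTTP/proxy.example.com` as an additional SPN on that account. "It may help" is also vague: say what symptom this fixes. Minor: the sentence introducing the bullets ("In our experience, we have observed the following limitations ...") needs a closing colon, and the first bullet should read "an ``A`` record" and "``CNAME`` records usually do not work", ideally with a short reason.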