Using SSO together with local accounts

Hi SEM Team!

I would like to use at least the local admin account together with SSO to be on the safe side when something goes wrong with SSO (LDAP/AD/Kerberos server not reachable for example). I do not see any security problems on that. For me it raises operational security because I have a fallback scenario when something is going worng.

Kind regards,

Ralf

Find more posts tagged with

sem

local user

sso

Status: None

Comments

nbucking

I am having an issue where I am getting a prompt from SEM web gui to provide my credentials. I provide credentials (we use both tokens and passwords). It does not fail unless I close the prompt. LDAP works fine.

I have a CA that I signed the ssl Certificate with. The SEM name is sem.domain (This is an offline domain). The sem console has the correct domain and IP configurations.

I was successful in creating a keytab with the following:

\ktpass.exe -princ HTTP/sem.domain -pass *** -mapuser domain\sem -pType KRB5_NT_PRINCIPAL -crypto ALL -Out c:\Keytab\sem.keytab

I also tried to change it to AES256 since the DISA STIG requires atleast AES128. But I still get the issue.

I transported the keytab via the domain sysvol share to the SEM server.

The watchlog (Manager menu in CMC console) shows that there is a Kerberos checksum issue before I even select an account to log in with at the prompt.